
The growing multifactor authentication imperative

By Jay Martin

May 30, 2023

We live in an always-connected, multi-device, and multi-platform world. Some of us might use a MacBook or PC laptop for work. While at the airport or watching our kid’s soccer game, we check work emails from a smartphone. And most everyone has documents stored in the cloud so that work is accessible across all these devices and platforms.

However, using standard "enter your username and password" login credentials for any cloud-based resources is a security nightmare for IT teams. Literally billions of usernames and passwords have been stolen and posted online, and are exploited by criminals every day. Many users still reuse their corporate usernames (typically their work email address) and passwords — or at least a variation of that password — on personal websites.

Just last year, hackers stole millions of user credentials from cloud-first companies like Uber, Twitter, Marriott, Cloudflare and Twilio. These credential harvesting campaigns are just the beginning for bad actors. Even if criminals don't have the latest password for the username, they'll follow up with a brute force attack to guess weak passwords, get into the compromised cloud account, and then move laterally inside the corporate network.

That's why every IT department should apply a multifactor authentication (MFA) process to secure their employees' user accounts across all devices and platforms. Any login with MFA requires a user to present a combination of two or more unique credentials to verify their identity. So, even if one user credential becomes compromised — for example, the user's password is known or guessed by brute force — the criminal won't have the second authentication requirement and is blocked from completing the login.

What is multifactor authentication? 

MFA is, of course, not new. Once upon a time, people watched movies in their homes on physical media rented from retail stores. The movies on physical media were a costly capital expense for the retailer, so the retailer generated profit from many customers paying a few dollars to rent the physical media for a day or two. To protect the retailer against a customer not returning that physical media, the rental store had customers provide two or more forms of identification to authenticate their accounts.

Fast forward to our modern cloud-first world where an online account with multifactor authentication is more secure than just relying on an ID and password. That's because adding a second or third factor compensates for the weakness of that single authentication factor.

More factors equals more security for users  

It is critical to allow more than just one authentication factor for your users. This is so everyone in an organization has access to an alternate MFA option in case their primary option is unavailable. Two-factor authentication (2FA) is the most common deployment and combines what you know (your password) with what you have, using a variety of industry-standard methods including:

Voice or text to a phone — These options allow for sending either an automated voice call or text message to the user's phone. The user can answer the voice call and press the # key on the phone keypad to approve their authentication. The text message has a verification code the user must type into the sign-in interface. "Call to phone" is a great backup method for notification or a verification code from a mobile app if the user cannot receive SMS.

Push notification through a mobile app — A push notification is sent to an authenticator app on a user's personal or corporate-owned device. The user views the notification and hits the "Approve" link to complete verification. Business IT leaders can set up push notifications using mobile apps such as Duo Mobile and Microsoft Authenticator for both Google Android and Apple iOS. However, if someone travels to China, push notifications on Android phones don't work the same way there as they do in the rest of the world. This is a perfect real-world example of why multiple authentication options are needed.

Hardware security keys — Based on the open standards created by the Fast Identity Online (FIDO) Alliance, these small devices store an encrypted private authentication key unique to a user that often includes a biometric component such as a fingerprint. Because hardware keys must be in the possession of the user to authorize the MFA challenge and the user's login credentials are stored on the device rather than a server, this security model eliminates not only password theft but also phishing risks.

Even with MFA, you can still get hacked 

Deploying MFA in an organization does not guarantee an employee won't be the victim of a cyberattack. MFA helps make users more secure but nothing can protect employees against 100% of all methods of compromise. Speaking of percentages, there's been a widely distributed statistic about the efficacy of MFA, claiming for years that it can stop 99.9% of attacks. But that means every other possible type of attack — from phishing/malware, to insider threats, distributed denial of service (DDoS), and even cloud storage bucket misconfigurations — accounts for the 0.1% of successful attacks. Considering that unpatched software is the cause for the majority of successful cyberattacks, it's obvious that 99.9% statistic is... misleading.

In early 2022, the Cybersecurity & Infrastructure Security Agency (CISA) warned that bad actors were exploiting "default MFA protocols and a known vulnerability" to automatically enroll devices for multifactor authentication on corporate networks. The attackers would use a combination of stolen user credentials, automated policies for enrollment of MFA devices and unpatched software to effectively bypass multifactor authentication and gain full access to the victim's cloud storage and corporate email. To mitigate damage from these attacks, the best course of action is for an IT department to adopt and enforce zero trust access policies that include MFA as one part of a holistic security strategy.
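One way to watch for the enrollment pattern CISA described, as an added example that is not from the article or any vendor: it flags MFA device enrollments that were completed without approval right after a burst of failed password attempts. The log fields, action names and thresholds are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events; the field names and actions are assumptions,
# not any identity provider's real log schema.
SAMPLE_EVENTS = [
    {"ts": "2023-05-01T02:10:05", "user": "j.doe", "action": "password_fail"},
    {"ts": "2023-05-01T02:10:09", "user": "j.doe", "action": "password_fail"},
    {"ts": "2023-05-01T02:10:14", "user": "j.doe", "action": "password_fail"},
    {"ts": "2023-05-01T02:10:20", "user": "j.doe", "action": "password_ok"},
    {"ts": "2023-05-01T02:11:02", "user": "j.doe", "action": "mfa_enroll", "approved_by": None},
    {"ts": "2023-05-01T09:00:00", "user": "a.lee", "action": "password_ok"},
    {"ts": "2023-05-01T09:01:30", "user": "a.lee", "action": "mfa_enroll", "approved_by": "helpdesk"},
    {"ts": "2023-05-01T11:00:00", "user": "m.roy", "action": "password_fail"},
    {"ts": "2023-05-01T15:00:00", "user": "m.roy", "action": "password_ok"},
    {"ts": "2023-05-01T15:02:00", "user": "m.roy", "action": "mfa_enroll", "approved_by": None},
]


def flag_enrollments(events, window=timedelta(minutes=15), min_failures=3):
    """Flag unapproved MFA enrollments preceded by a burst of failed passwords."""
    recent_failures = defaultdict(deque)  # user -> timestamps of recent failures
    alerts = []
    # ISO 8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        fails = recent_failures[ev["user"]]
        # Drop failures that have aged out of the look-back window.
        while fails and ts - fails[0] > window:
            fails.popleft()
        if ev["action"] == "password_fail":
            fails.append(ts)
        elif ev["action"] == "mfa_enroll":
            # Assumption: approved_by is empty when enrollment was automatic.
            automated = ev.get("approved_by") is None
            if automated and len(fails) >= min_failures:
                alerts.append((ev["user"], ev["ts"], len(fails)))
    return alerts


if __name__ == "__main__":
    for user, ts, n in flag_enrollments(SAMPLE_EVENTS):
        print(f"REVIEW {user}: unapproved MFA enrollment at {ts} after {n} failed logins")
```

An alert here is a prompt to confirm the new device with the account owner, not proof of compromise.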

Setting up multifactor authentication security at your business

The good news is that most providers of cloud-centric IT tools for business have multifactor authentication options for securing user accounts. For example, Microsoft 365 for Business subscribers get a free version of MFA in the cloud called "Azure multifactor authentication." It is a full-featured and highly configurable MFA option but is not enabled for all Microsoft 365 users by default. Azure MFA is just one of the many options IT managers and cybersecurity professionals can use to implement multifactor authentication for users.

Jay Martin is VP, Security at Blue Mantis.