thumbnail
Blog

Multifactor Authentication: Frequently Asked Questions

January 4, 2023

Clients often ask about the most important thing they can do to protect themselves in such a connected world? The first answer I always recommend is to enable multifactor authentication (MFA) on all applications.

What is Multifactor Authentication?

You may have heard the phrases “something you know” and “something you have.” MFA or two-factor authentication (2FA) requires you have two “factors” to log into an application. The first factor is most often a password, and the second factor can be biometric or, most likely, your mobile phone. Your phone can be used as a second factor to receive text messages of generated codes or via an authenticator application that receives generated codes or “push” approvals.

How Does Multifactor Authentication Protect Your Information?

Even with a password manager that enforces complex passwords, we cannot understate the impact of MFA. If your password gets compromised, the bad guys will then have to compromise your second factor (something you have) as well, to approve the push notification or obtain the generated code. We are typically glued to our phones, so gaining access to the second factor is much more difficult for threat actors.

Should Your Multifactor Authentication Solution Use a Code or a Push Request?

We recommend you or your organization leverage MFA solutions that require entering a code versus approving a push request. We’ve seen instances where companies enabled an MFA solution that leveraged push approvals, and threat actors were able to gain access. In this instance, a user’s password was compromised, and out of habit, when they received a random push request, they approved it. They believed it to be a “normal" request, even though they hadn’t attempted to login. If the MFA solution required a code, the user wouldn’t have received the push request, wouldn’t have been compromised, and subsequently, the threat actor wouldn’t have been able to wire funds out of the company.

Should You Require Multifactor Authentication Each Time a User Logs In to the Application?

Unfortunately, the answer is yes. We are constantly under attack and must be smart and secure 100% of the time. The threat actors only need to win one time. It’s a minor inconvenience for us, but necessary for good cyber hygiene.

Should You Require Multifactor Authentication on an Internal, Trusted Network?

Those on the cutting edge of cybersecurity defense have moved towards a zero-trust model. We recommend requiring the second factor even to connect to applications inside of “trusted” networks.

Should You Require Multifactor Authentication for Single-Sign-On (SSO) Environments?

Because cybersecurity defense is leaning toward a zero trust strategy, we recommend requiring the second factor even for applications configured with SSO.

Given the world we live in and the variety of options for banking, business software, finance and day-to-day apps on your phone, you should only use those that provide MFA as an option. Talk with your IT leaders about zero trust and requiring MFA all the time, every time! If you have any questions about implementing MFA at your company, the Moore Colson Cybersecurity Practice Area can help. Contact us for more information.

Contact an Expert


Jon Powell CPA Jon Powell, CPA, CITP, CISA is a Partner in Moore Colson’s Risk Advisory & Compliance Services (RACS) Practice. Jon serves as the firm’s Cybersecurity Practice Leader and oversees the firm’s IT engagements, including Information Technology Risk Services, Sarbanes Oxley (SOX) initiatives, internal audit co-sourcing partnerships, System and Organization Controls (SOC) attestations, and other compliance and consulting engagements.