Multi-Factor Authentication (MFA): One Small Step Towards Better Cyber Security and Privacy


By Heather Randall, PhD | Chief Compliance Officer at Sphere

The use of applications has become so much a part of our daily lives that we rarely think about how pervasive they are. From letting us know what we’re running low on in the refrigerator at home to facilitating payment transactions at work, these applications have become a central feature in our lives. However, their use can also make us vulnerable. A compromise of an online shopping account, for example, could not only result in fraudulent purchases, but expose our address, our contact lists, our interests and our purchase histories. At work, a compromise of our business systems can have devastating consequences. As a result, inasmuch as we’ve seen the convenience of these applications increase over the years, we’ve seen a corresponding increase in the security features that we use to protect them. Recently, multi-factor authentication has emerged as one of the most effective ways to add cyber security and privacy to our accounts and systems, both at home and within the business context. But what is multi-factor authentication and how is it used?

What is Multi-Factor Authentication? How Does MFA Work?

Multi-factor authentication, often referred to as MFA, is the use of multiple pieces of information to validate the identity of the user trying to gain access to a given resource. The most common multi-factor authentication definition is the use of at least two of the following components: 1) Something you have, like a mobile device; 2) something you know, like a password or the answer to a security question; and 3) something you are, like a fingerprint or face scan, to validate that the user is authorized to access the account or resource.

What are the Advantages of MFA and Why Should I Use it?

Though some might think that the use of MFA to access accounts adds friction to the log-in process, there are several advantages to implementing the solution. Obviously, the most notable advantage is that it adds a layer of online security to the process, making it more difficult for a criminal to fraudulently gain access to your accounts. It’s another credential that a criminal would need to compromise to access the resource. Further, there are several easy-to-access authentication applications that make adding multi-factor authentication as an individual user a relatively simple process (see Google Authenticator, Microsoft Authenticator, Twilio Authy, ID.me Authenticator).

Additionally, it can add an element of unpredictability and variability to the credentialing process, which makes it increasingly unlikely that the additional factor can be compromised or replicated by a non-authorized third party. In other words, it can mitigate the risks posed by weak passwords. Unfortunately, according to a study by SplashData, the most used passwords in 2022 are still:

  • 123456
  • 123456789
  • qwerty
  • password
  • 1234567

People are overwhelmed by the number of passwords and logins that they have, so they create easy-to-guess passwords. While adding multi-factor authentication to the process doesn’t negate the need for strong passwords, it can act as a layer of online protection to make it more difficult to compromise accounts that have weak passwords.

Is Multi-Factor Authentication Required?

While it has been an increasingly common industry standard, the use of MFA is now frequently addressed in regulations being promulgated at the federal and state level. Additionally, there are certain industries or sectors for which the use of MFA is required. The FFIEC, for example, requires that MFA (or a control of equivalent strength) be implemented for access to financial accounts and transactions at all FDIC-supervised institutions.

Further, the newest iteration of the Payment Card Industry Data Security Standard (PCI DSS v4.0) requires MFA for all access to the Cardholder Data Environment. Though this requirement is not yet fully in effect[i], many organizations are putting implementation plans in motion to fully address it no later than the effective date provided by the Payment Card Industry Security Standards Council.

In short, MFA is one component of a comprehensive, multi-layered security approach that can be implemented for both personal and business uses. Its adoption is becoming increasingly common and should be included in the risk mitigation discussion for any organization that accesses or manages access to sensitive or regulated data.

TrustCommerce technology offers businesses of all sizes the confidence of knowing payment transactions are safe and secure, by providing comprehensive risk management and security solutions for sensitive business and cardholder data. Schedule a free demo with TrustCommerce to learn more.

[i] Per the PCI DSS: “This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.”
