Multifactor authentication should be deployed with equal weight across internal use of an organisation’s systems and any external access required for clients or customers. That’s according to chartered security professional Rick Mounfield, Director of Optimal Risk.
“MFA must cover everyone,” he says. “The sad truth is that if you get malware into your system and it shuts down your business, it will cost you an awful lot of money and probably result in people being made redundant.”
Everyone, it should be stressed, means everyone, including administration accounts, which are typically left with basic username/password authentication. No member of staff should be able to leave their email open overnight; it’s a huge vulnerability. There should be forced logouts whenever people go home for the day, and an MFA procedure for logging back in the following morning.
Mounfield notes that MFA is a critical asset for maintaining the integrity of a cyber-secure ‘Swiss cheese model.’ Every cyber defence has some form of hole in it, but when you stack all your various defence layers together, they should cover each other’s holes and block hackers’ attempts to get through. Using MFA across multiple parts of its IT system, a business will make each layer stronger, greatly enhancing its ability to preserve that integrity.
Triple safeguard
Mounfield explains that MFA typically consists of three types of factors:
- Something you know, such as a password, PIN or code. You will either remember this in the long term, or it will be regularly refreshed to ensure you are not using a particular access detail for months or years at a time.
- Something you have, such as a physical card reader or token device that links to an online service. Alternatively, it could be a mobile phone or smartwatch with a relevant security app on it, or a digital token downloaded from a specialist authentication app.
- Something you are, such as your fingerprint, voice pattern, face or even retina, each of which can be used to authenticate an access attempt, in combination with other factors.
For Mounfield, communication and engagement with internal and external stakeholders around your MFA policy is crucial. The policy itself must be clear and simple. “It’s really important to make it as easy as possible to understand, otherwise people will find ways of not observing it,” he says. “Non-adherence would generally entail leaving your computer open in your account all the time, or even worse, being out and about with a company laptop, having it open in your account and leaving it in a public place.”
One of the biggest threat vectors out there right now is SMS interception – also known as ‘smishing.’ In those sorts of attacks, a piece of malware delivered to your terminal by SMS creates a fake login screen that looks exactly like what you’d expect to see on your company’s system. “The idea being that when you’re prompted to enter codes or passwords, you’re effectively handing them straight to hackers.”
Mounfield explains that apps such as Authy and Authenticator, which are both free to download to your phone, overcome smishing because they are not hooked up to open, online communication.
“They’re really simple ways of ensuring you need to go through an authentication process to log back into your device,” he says. “Two further very simple rules are: never leave your computer on all the time and always lock it whenever you leave your desk.”
Setting the tone
Importantly, Mounfield notes, an MFA policy is not a ‘set it and forget it’ matter. It requires staff to be alert to malicious approaches and take a proactive role in reporting them.
“A thorough MFA system would typically keep a record of anything that looks anomalous – for example, spoofed login attempts,” he says. “That data must be used to prevent further approaches.”
You may get Authenticator notifications where the app thinks you’re trying to log into your account, asking you to confirm whether that’s the case. If it’s not you, don’t just keep that to yourself: tell your systems administrator straight away. “It means that someone’s been trying to get into your system but can’t because of the MFA safeguards. If you’d inadvertently or absentmindedly tapped Yes, you’d have let someone dangerous into your system.”
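The two passages above describe a record of anomalous attempts being used to stop further approaches, and a denied push notification being reported rather than ignored. The following Python is an added example, not code from the article or from ICAEW, showing how such a record can be correlated: a correct password followed within a short window by a denied MFA push means the password is already in someone else's hands and should be reset, and the source should be blocked. The log format, field names, two-minute window and all addresses are constructed assumptions.

```python
"""Correlate MFA events to find 'password stolen, MFA held' cases.

Added example, not from the article. The key=value log format, the event
names and the sample lines are constructed; adapt parse_line() to the
export format of your own identity provider.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one identity-provider event per line.
SAMPLE_LOG = """\
2024-05-01T08:02:11Z user=alice event=password_ok src=203.0.113.5
2024-05-01T08:02:14Z user=alice event=mfa_push_sent src=203.0.113.5
2024-05-01T08:02:40Z user=alice event=mfa_push_denied src=203.0.113.5
2024-05-01T08:03:02Z user=alice event=password_ok src=203.0.113.5
2024-05-01T08:03:31Z user=alice event=mfa_push_denied src=203.0.113.5
2024-05-01T08:10:05Z user=bob event=password_ok src=198.51.100.20
2024-05-01T08:10:09Z user=bob event=mfa_push_approved src=198.51.100.20
2024-05-01T09:15:44Z user=carol event=password_fail src=192.0.2.77
2024-05-01T09:15:50Z user=carol event=password_fail src=192.0.2.77
"""

WINDOW = timedelta(minutes=2)   # assumption: a push is answered within 2 minutes


def parse_line(line):
    """Turn '<timestamp> k=v k=v ...' into a dict with a parsed 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_compromised_passwords(events):
    """Return {user: [src, ...]} for every correct password that was followed
    within WINDOW by a denied MFA push. Someone other than the user knew the
    password, and only the second factor stopped the login."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["event"] != "password_ok":
                continue
            for later in evs[i + 1:]:
                if later["ts"] - e["ts"] > WINDOW:
                    break                       # outside the window: unrelated
                if later["event"] == "mfa_push_approved":
                    break                       # legitimate login completed
                if later["event"] == "mfa_push_denied":
                    findings.setdefault(user, []).append(later["src"])
                    break
    return findings


def response_plan(findings):
    """Turn findings into the follow-up the article calls for: reset the
    leaked password and block the source of the spoofed attempts."""
    return {
        "force_password_reset": sorted(findings),
        "block_sources": sorted({s for srcs in findings.values() for s in srcs}),
    }


if __name__ == "__main__":
    found = find_compromised_passwords(parse_log(SAMPLE_LOG))
    print(found)
    print(response_plan(found))
```

On the constructed sample, only alice is flagged: her password was accepted twice and both pushes were denied, while bob's login completed normally and carol's attempts never got past the password. A denied push that the user reports, as the article asks, is exactly the event this correlation keys on.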
In terms of who should lead, draft and oversee the MFA policy, Mounfield points to the most senior individual in the organisation as a whole, rather than in the security function.
“We aspire to it being the CEO in as many cases as possible,” he says. “Certainly, someone either in the C-suite or on the board needs to be the one who sets the tone on MFA, or no one will adhere. If HR sends out a notification about how people should align with the MFA policy, there’s a risk that other departments could just sit there and think, ‘You don’t tell me what to do – you’re not my line manager.’ So, the policy lead must be someone with genuine authority and credibility, who everyone knows is invested in and passionate about cyber.”
To underscore that message, Mounfield cites the 2021 book The Human Element: Overcoming the Resistance That Awaits New Ideas. In its pages, authors Loran Nordgren and David Schonthal explore and unpick ‘four frictions’ in the human psyche that block the path of change. “Some of the emotions they look at are, ‘I’ve always done it this way,’ or, ‘Why are you making me change? Nothing bad’s happened before.’ They’re the sorts of emotions that prevent people from engaging. However, if policy direction on MFA comes straight from a senior executive, they’re far more likely to pay attention.”
That said, ensuring that an MFA policy carries authority must not involve making it authoritarian. For Mounfield, it is essential for employees to feel that they can own up to lapses without fear of reprisal. “We shouldn’t punish people for failure unless it's repeated,” he says. “If you’ve slipped up more than once and didn’t learn, there should be some kind of sanction. But if you’ve made one mistake, you should be encouraged to come forward.”
Stay vigilant
Even with these measures in place, vigilance remains essential. Some attacks are very sophisticated and will emulate an organisation’s MFA systems to capture logins and MFA credentials, which they use to automatically log in to the platform.
“This even works with authenticator apps, because that automated workflow can be triggered in seconds, using your time-limited code before it has reset,” explains Ian Pay, ICAEW’s Head of Data Analytics and Tech. “You might even get an email to say ‘new login detected’ and ignore it because you think it is you – it isn't. Even with MFA, the best advice is to be aware of what links you click on to start with. The one option that beats it is passkey technology; it's an explicit link between the website and your device.”
Action on cyber security can boost growth
As part of ICAEW's campaign on backing business-led growth, we have outlined three key recommendations for government on cyber security:
- Establish a national cyber resilience fund for SMEs
- Enhance cyber security education and awareness
- Incentivise cyber insurance uptake
Cyber security awareness
Each year ICAEW marks global Cyber Security Awareness month with a series of resources and a podcast addressing the latest issues and how to protect your business.