Yes, I said it. Passwords suck. They are not protecting your company, and they explicitly contribute to a false sense of security. Cyber attacks, specifically spear phishing, vishing, and whaling, have increased significantly over the past couple of years.
As a bad actor, I could easily target your organization by using the public information I can scrape from the web via social media, websites, or articles. With this information, I can then run campaigns to gain even more information about your staff or your customers. I can trick one of your employees into falling for my malicious techniques. In turn, I might be able to gain access to their corporate password. I can also forward the employee's email to a bogus Google account. In Google, I can analyze emails for words like “wire” or “routing number” to trigger an event that intercepts the email. Once I catch the email, I can change the information in the email and collect my reward. It is effortless for attackers to gain access to corporate logos or email signatures to disguise themselves as an individual at your company.
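Defenders can audit mailbox rules for the pattern in this scenario: auto-forwarding to an outside address combined with financial keyword triggers. The Python below is an added example, not part of the original post; the rule schema, field names, and example domains are assumptions, and the sample rules are constructed.

```python
import re

# Assumption: the organization's own mail domains; anything else counts as external
# (subdomains not listed here are treated as external, which errs on the safe side).
INTERNAL_DOMAINS = {"example.com"}
# Keywords from the scenario above, plus close variants (constructed list).
FINANCE_TERMS = re.compile(r"\b(wire|routing number|invoice|payment)\b", re.I)

def domain_of(address):
    return address.rsplit("@", 1)[-1].strip().lower()

def audit_rule(rule):
    """Return a list of findings for one mailbox rule (hypothetical schema)."""
    findings = []
    external = [a for a in rule.get("forward_to", [])
                if domain_of(a) not in INTERNAL_DOMAINS]
    if external:
        findings.append("forwards to external address: " + ", ".join(external))
    keywords = [k for k in rule.get("keywords", []) if FINANCE_TERMS.search(k)]
    if keywords:
        findings.append("triggers on financial keywords: " + ", ".join(keywords))
    # Deleting or marking as read only matters when the rule is already suspicious.
    if (rule.get("delete_after") or rule.get("mark_read")) and (external or keywords):
        findings.append("hides matched mail from the mailbox owner")
    return findings

def audit_mailboxes(rules):
    """Map 'user / rule name' -> findings, only for rules with findings."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[f"{rule['user']} / {rule['name']}"] = findings
    return report

# Constructed sample rules, not real export data.
SAMPLE_RULES = [
    {"user": "cfo@example.com", "name": "sync",
     "forward_to": ["cfo.backup@mail-backup.example"],
     "keywords": ["wire", "routing number"], "delete_after": True},
    {"user": "it@example.com", "name": "alerts",
     "forward_to": ["oncall@example.com"], "keywords": ["outage"]},
    {"user": "hr@example.com", "name": "newsletters",
     "forward_to": [], "keywords": ["unsubscribe"], "mark_read": True},
]

if __name__ == "__main__":
    for key, findings in audit_mailboxes(SAMPLE_RULES).items():
        print(key, *("\n  - " + f for f in findings))
```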
Benefiting from MFA
No matter how strong a password is, an unsuspecting and untrained employee will still fall for bogus phishing schemes.
No matter how much we train our employees, we cannot rely on them to make the right decision every time. This is where multi-factor authentication comes into play.
MFA means that a user must provide two types of authentication. Typically, this is a username and password plus one additional form: a randomly generated one-time passcode or push notification created on a separate device, such as a phone. Once the user enters their password AND code, then and only then can they log in.
If the email account in the story above was protected with something like Duo, or mobile apps like Google Authenticator or Microsoft Authenticator, the bad guy would need the employee’s mobile phone to log into their account. It is important to note that multi-factor authentication isn’t a silver bullet. Security threats are constantly evolving, but MFA is a significant upgrade to your company’s security posture.