It’s true: multi-factor authentication, or MFA, can reduce the risk of successful cyberattacks by 99.9%.

Why is this such a big deal? Because cybercriminals are becoming more sophisticated and organized. High-profile data breaches are common. And the average total cost of a data breach to businesses is $4.35 million globally, $9.44 million in the U.S., and for healthcare, the hardest-hit industry, a staggering $10.10 million.

Given those potential losses, and the fact that 83% of companies can eventually be expected to suffer one or more data breaches, there’s almost no need to justify investments in tighter data security. The only question is, what’s the most secure authentication method?

For most organizations, the answer is MFA. In fact, under mandates such as Executive Order 14028 in the U.S., MFA is required for government agencies and any contractor or vendor doing business with them. Moreover, industries that require the highest levels of security, such as banking and finance, already adopted a form of MFA long before there was any mandate. It’s simply the right thing to do.

Single-factor authentication is risky, especially when it’s password-based. Considering that each employee has to manage an average of 27 passwords, it’s no surprise that their weak or stolen passwords lead to more than 80% of hacking-related breaches.

Given the risks of single-factor authentication, the only question is: why wouldn’t every enterprise rush to adopt MFA?

First, the basics: What is MFA?

Multi-factor authentication requires you to provide more than one proof of your identity. Authentication factors can be “something you know” (a knowledge factor, such as a password), “something you have” (a possession factor, such as an ID badge, mobile credential or FIDO2 security key) or “something you are” (a biometric factor, such as your fingerprint, face or voice pattern).

Most MFA systems require two authentication factors, often abbreviated as 2FA. Even if criminals are able to acquire your login information, it’s vanishingly unlikely that they would also have access to the additional authentication factor(s) needed to impersonate you.

Are all MFA solutions secure?

Multiple authentication factors are inherently more secure than a single password. But not all MFA solutions are equally or even particularly secure.

For example, everyone is familiar with the MFA process of logging in to an account with a password (a knowledge factor), only to be asked to enter a separate one-time password, or OTP (a second knowledge factor), sent by SMS text message to the user’s phone (a possession factor). This process can be cumbersome, but we put up with it because it feels very secure.

That sense of security can be false. The SMS protocol is more than 30 years old, doesn’t use encryption, and is vulnerable to several attacks, including spoofing, phishing, SIM swapping, RDP attacks and social engineering.

For most individual users, the additional security of entering OTPs is well worth the inconvenience. But for high-value targets with access to corporate data systems, criminals are working overtime to engineer even a single opportunity to crack this MFA method. Enterprises large and small need better solutions.

Which MFA solutions provide the strongest security?

The overall strength of an MFA solution depends on how secure each authentication factor is in itself, how personalized these factors are, and how many authentication factors and types are required.

For example, a password is far less secure than a proximity or smart card ID, which is essentially impossible to hack, spoof or reverse-engineer. An ID badge is also more personal, as it is a physical object carried by the authorized user while at work. A biometric authentication factor such as a fingerprint is the most personal of all, as it is with the owner at all times and can never be misplaced or stolen.

A password alone is better than nothing, but provides a false sense of security. Adding an OTP delivered by text message is a big improvement, but, as we have seen, is still vulnerable. Combining a password with an ID badge, mobile authentication factor or FIDO2 key is far more secure, and this 2FA method should probably be the minimum requirement for any organization that is serious about protecting its data assets.

Adding a third factor—or even just eliminating passwords altogether in favor of a stronger, more personalized second authentication factor such as a fingerprint—can vastly increase security, making your systems virtually hack-proof.
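As an added illustration (not code from the article or from any rf IDEAS product), the following Python policy check applies the two rules this section implies: the presented factors must span distinct categories, and at least one possession or biometric factor must be stronger than an SMS-delivered code. The factor catalogue, names and 1-to-3 strength ratings are constructed assumptions that follow the article's ordering, not a standard scale.

```python
from dataclasses import dataclass
from enum import Enum


class FactorType(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


@dataclass(frozen=True)
class Factor:
    name: str
    kind: FactorType
    # Constructed 1..3 rating of how hard the factor is to steal or spoof,
    # following the article's ranking; not a standard scale.
    strength: int


# Constructed catalogue (hypothetical names) mirroring the article's ranking.
PASSWORD = Factor("password", FactorType.KNOWLEDGE, 1)
TYPED_PIN = Factor("pin", FactorType.KNOWLEDGE, 1)
SMS_OTP = Factor("sms-otp", FactorType.POSSESSION, 1)  # phone possession over a weak channel
ID_BADGE = Factor("id-badge", FactorType.POSSESSION, 2)
FIDO2_KEY = Factor("fido2-key", FactorType.POSSESSION, 3)
FINGERPRINT = Factor("fingerprint", FactorType.INHERENCE, 3)


def evaluate(factors, min_types=2, min_noncredential_strength=2):
    """Return (level, reasons); level is 'rejected', 'minimum' or 'strong'.

    Rule 1: factors must span at least `min_types` distinct categories
            (a password plus a typed PIN is still single-factor).
    Rule 2: at least one possession or biometric factor must meet the
            strength threshold, so an SMS OTP alone does not qualify.
    """
    kinds = {f.kind for f in factors}
    reasons = []
    if len(kinds) < min_types:
        reasons.append(f"{len(kinds)} factor type(s) presented, {min_types} required")
    strong = [f for f in factors
              if f.kind is not FactorType.KNOWLEDGE and f.strength >= min_noncredential_strength]
    if not strong:
        reasons.append("no possession or biometric factor meets the strength threshold")
    if reasons:
        return "rejected", reasons
    # Passwordless or three-category logins are the article's strongest tier.
    if FactorType.KNOWLEDGE not in kinds or len(kinds) >= 3:
        return "strong", []
    return "minimum", []
```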

Isn’t MFA difficult and expensive to implement?

No, MFA is not particularly difficult or expensive, especially compared to the devastation of a successful exploit against your business. Supplementing your existing password-based authentication with a WAVE ID® credential reader that works with your existing ID badges is a simple way to improve security by 99.9%.

Or, you can achieve the highest levels of MFA security while also eliminating the time and expense of password management. For example, consider that your users could gain nearly instant passwordless single sign-on access with the touch of a fingerprint and tap of an ID badge or smartphone using our all-in-one WAVE ID® Bio reader. We also offer WAVE ID® readers capable of reading both ID badges and mobile credentials, ID badges and FIDO2 keys, or other combinations.

Don’t let fears of expense or other MFA misconceptions get in the way of security you can truly trust. Get our MFA Readiness Playbook to begin planning your implementation. Then get in touch with us at +1 (866) 439-4884 or through our Contact Us form to discuss your MFA future.
