Project Description

Default security settings are rarely the best. Why Multi-factor Authentication (MFA) is a must-have

One of the remarkable realities of information security is that many of the hacks, breaches, bust-ups, and heists happen because of existing bugs or vulnerabilities. This tells you that avoiding a hack is often as simple as keeping your software up to date. Because someone else probably hasn’t, they’ll become the victim before you do.

In a similar vein, there’s this ‘one neat trick’ which makes you a much smaller target than anyone else. And that trick won’t cost you anything extra in terms of software licensing. It’s Multi-factor Authentication, which should be an integral component of every Identity and Access Management (IAM) solution and data protection initiative.

Mathew Jose – Chief Information Security Officer

Mathew Jose – Chief Information Security Officer

But all too often, it’s not.

MFA is nothing more complex than a ‘triangulation’ approach to access. You simply use a combination of ‘things’ before getting into that system, application, database, or device. For example, you might combine something you are (biometrics), with something you know (password). Or, you’re sent a One Time PIN or password, to something you own – like your smartphone.

With MFA, you know how it works, you know why it works, and we all know why it should be the default. It’s a cheap and highly effective way of keeping hackers at bay.

So why doesn’t everyone have MFA as the default?

For starters, MFA often isn’t the default even when it’s available as a standard feature in many software products. Scour the internet, and you’ll find plenty of commentary advising that default security settings are almost always a bad idea (like this one, involving Microsoft Teams). That means hackers know your exact system setup. After all, it’s not exactly a secret!

The reasons for leaving the defaults are often pretty simple. Letting sleeping dogs lie is easy, especially when there’s a tonne of other priorities. MFA can be a bit clunky and hamper access, so there’s a potential convenience issue. There’s even a name for it, MFA fatigue.

Hackers take advantage of it with MFA fatigue attacks. And, of course, there are tens or even more applications – all of which want specific configuration sorted out, compounding the whole issue.

Weighing things up

If MFA sounds like a hassle or an inconvenience, consider instead the hassle and inconvenience of a hack. What we’ve seen from bitter experience, is that those who have suffered a preventable breach instantly become MFA’s biggest fans. They get a new appreciation for the value of data protection after experiencing the unpleasantness, stress, financial and reputational burden of a data breach.

Our advice is to use a single source for Identity and Access Management (IAM). Where possible, reduce the MFA hassle factor with Single Sign On (SSO).

But more than anything is that if your software offers MFA, use it. Review settings, check configurations, and take advantage of native protections. You already have the tools, now let’s apply them.