2FA vs MFA – What’s best for your business?

Author: Heather Hawkins

Adding extra layers of authentication to your login process has become critical to protect user accounts, your assets and any data you hold. Cybercriminals have spent decades perfecting ways to crack single-factor security – usually only a password.

While two-factor authentication (2FA) is becoming increasingly popular, some may not feel this is enough to protect their business or their customers’ data. That’s where multi-factor authentication (MFA) comes in, but what is the difference between them?

We’ll explore what 2FA and MFA are and how they differ, to enable you to make an informed decision about what’s right for your organisation.

What is two-factor authentication (2FA)?

2FA, which is sometimes referred to as 2-step verification, requires 1 additional authentication of your identity. In most cases, this extra layer is a unique code that you must submit, sent to you via SMS, a push notification to your phone or a relevant authentication app.

What is multi-factor authentication (MFA)?

MFA goes beyond 2FA. It requires a user to present 2 or more pieces of evidence to verify their identity. It doesn’t remove the age-old practice of a username and password; instead, it builds upon it.

There are 3 common types of authentication which are used to verify users:

  1. Knowledge (Something you know) – a password or an answer to a question which is personal to you.
  2. Possession (Something you have) – a security key, a token or unique code.
  3. Inherence (Something you are) – Most commonly, this is a unique biometric identifier such as a fingerprint, voice recognition or facial recognition. An alternative, more complex version of this, is behavioural characteristics. How we hold and use things varies significantly from person to person and can be a telltale sign of who’s using the phone, tablet or computer. Behavioural patterns can be found in how we type (keystrokes), how we use a mouse or how we hold and interact with a phone or tablet.

According to Microsoft, MFA blocks 99.9% of attacks on user accounts, making it a remarkably effective way to stay safe.

What are the costs of multi-factor authentication (MFA)?

We can’t give precise costs for MFA, as the set of factors and technologies, and therefore the cost, will vary for each organisation. What we can give is an indication of where costs may be incurred for MFA. The essential areas are:

  • Implementation: These costs include the purchase and implementation/adoption of the technology. This will include any configuration costs and fees for cloud-based identity and access management systems that are required. Some set-ups will use tokens or USB keys, which have additional costs attached to them along with the complexity of distributing said tokens or keys; however, this practice is less common nowadays.
  • Maintenance: As with any system or platform, they will require updates, patches, configuration management services and monitoring for security and compliance issues. This cost can be either internal resource costs or support from a third party provider.
  • Training and Onboarding: New systems require training, onboarding and integration. Users will need their identity connecting to the new authentication system, and formal training and documentation will need to be created on how to use it.

Another consideration is whether you require an on-site solution or whether it’s purely digital for cloud-based services. For the latter, your investment will be dramatically reduced in comparison to that of an on-site system.

Multi-factor authentication (MFA) in the workplace

In a post-Covid world, the workplace is constantly evolving and adapting. Organisations need advanced security solutions to manage complex access needs with remote and flexible working. Enter Adaptive MFA.

Adaptive MFA, as the name suggests, adapts to the user’s current situation. It evaluates the risk of a user when they request access by looking at information such as their device and location for context.

For example, if a team member logs on to a business system from within the office, on the office network, they are in a trusted location and may not require additional authentication. However, if the same team member then requests access on their mobile while walking around town, or is on an unsecured wifi network, they would need additional levels of authentication to verify themselves because they’re using an untrusted location, device or connection.

Adaptive MFA doesn’t just apply to whether a user is utilising a trusted device or connection. It can also be used to limit the information an employee can gain access to. Some organisations need different levels of security clearance for access to certain data. Adaptive MFA would allow different levels of authentication for different grades of sensitive data.
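
The adaptive MFA decision described above, as an added Python example (not code from this article or from any vendor product). The office network range, device inventory and data grades are constructed assumptions; the check also shows that factors only count when they come from different categories of the knowledge, possession and inherence list.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values for illustration; none of these come from the article.
OFFICE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed office range
MANAGED_DEVICES = {"laptop-0042"}                         # assumed device inventory
FACTOR_CATEGORY = {                                       # factor -> category
    "password": "knowledge", "security_question": "knowledge",
    "totp_code": "possession", "security_key": "possession",
    "fingerprint": "inherence", "face": "inherence",
}
# Assumed mapping: minimum number of distinct categories per data grade.
GRADE_FLOOR = {"public": 1, "internal": 1, "restricted": 2, "secret": 3}


@dataclass
class AccessRequest:
    source_ip: str
    device_id: str
    data_grade: str


def required_categories(req: AccessRequest) -> int:
    """How many distinct factor categories this request must present."""
    try:
        ip = ipaddress.ip_address(req.source_ip)
        trusted_net = any(ip in net for net in OFFICE_NETWORKS)
    except ValueError:
        trusted_net = False  # unparseable address is treated as untrusted
    trusted_dev = req.device_id in MANAGED_DEVICES
    # Trusted location and device: no step-up. Anything untrusted: step up.
    context_need = 1 if (trusted_net and trusted_dev) else 2
    # Unknown grades fail closed to the strictest requirement.
    grade_need = GRADE_FLOOR.get(req.data_grade, 3)
    return max(context_need, grade_need)


def is_satisfied(req: AccessRequest, presented: list) -> bool:
    """True when the presented factors span enough distinct categories."""
    categories = {FACTOR_CATEGORY[f] for f in presented if f in FACTOR_CATEGORY}
    return len(categories) >= required_categories(req)


if __name__ == "__main__":
    remote = AccessRequest("203.0.113.7", "laptop-0042", "internal")
    # Two knowledge factors are still one category, so this is rejected.
    print(is_satisfied(remote, ["password", "security_question"]))
    print(is_satisfied(remote, ["password", "totp_code"]))
```
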

Is multi-factor authentication (MFA) worth it?

There’s no denying that the more layers of security you have in place, the less likely it is that you’ll succumb to an attack. With McAfee reporting that global cybercrime costs businesses roughly $1 trillion annually, it feels like a no-brainer to work towards MFA.

Really, this question comes down to what kind of data you hold within your organisation and what kind of impact, both long and short term, a cyber attack would have.

What is definitive is that cyber attacks are becoming increasingly common and sophisticated. MFA can mitigate a number of attacks including phishing or database hacks.

While MFA is a significant investment, especially in the current economic climate, it quickly provides a solid return by preventing breaches where you have sensitive data to protect or where the threat of an attack carries a huge financial impact.

Security goes beyond your users’ login details. For secure hosting options to keep your site locked down from cybercriminals, get in touch with our team.