What is two-factor and multi-factor authentication?

What is multi-factor authentication (MFA)?

Multi-factor authentication helps protect personal and sensitive information, going beyond a username and password to help safeguard accounts with two or more authentication methods. 

Two factor authentication (2FA) vs multi-factor authentication (MFA)

Two-factor authentication (2FA) and multi-factor authentication (MFA) are similar security methods that add extra layers of security to accounts beyond just a password.

2FA specifically requires two forms of authentication, whereas MFA, on the other hand, extends this by requiring two or more authentication factors to identify a user,

While 2FA is a subset of MFA, the latter provides more flexibility and protection by using multiple authentication methods for added security.

Why is MFA essential for your business?

Cybercriminals can use automated tools to predict passwords. Research we commissioned with youGov found one in 10 Australians use a generic password like ‘password’ or ‘123abc’. And if you’re amongst the 78% of people who use the same password across multiple accounts you’re exposing those accounts to cybercriminals who have stolen the reused credentials. 

How does two-factor and multi-factor authentication work? 

Two-factor and multi-factor authentication helps add an extra layer of security. If a cybercriminal discovers a password, they still need other information to access a user’s account. 

Here is a simple breakdown of the multi-factor authentication process:

1. Login Attempt: Users enter their username and password on a login page as the first layer of security.
2. Additional Verification: After the password is accepted, the MFA will prompt users to provide an extra layer of verification, such as an SMS code, fingerprint scan, or a security token.
3. Verification Completion: Users enter the additional verification information (e.g., the code or biometric scan).
4. Access Granted: Once the second (or third) factor is verified, access is granted to the user’s account.

3 main types of authentication methods

Generally, two-factor and multi-factor authentication methods can be classified into three different groups. We explain these below. 

1. Something you know - This is a password or PIN number a user provides when accessing an account or information.
2. Something you have - This can be a physical device, most often a mobile phone. It can also be a security token or smart card. This type of authentication may involve receiving a one-time password via SMS or an app. These include Google two-factor authentication or Microsoft two-factor authentication. 
3. Something you are - This is usually biometric data. It can be a fingerprint or facial recognition that is stored, confirmed and authenticated on your smartphone or device. 

Implementing two-factor and multi-factor authentication 

To help boost your cyber defences, here are some steps to consider: 

• Understand your needs and potential risks  - A risk assessment helps identify where stronger authentication can enhance your cyber resilience. Consider where threats might come from and where you keep sensitive data. 
• Consider what authentication method best suits your business - As noted above, there are many forms of two-factor and multi-factor authentication. Consider your business needs as well as how your employees would use it. Their experience is also important. There are also hardware tokens, which can receive one-time passwords, as well as authentication solutions such as Microsoft Azure and Okta. 
• Integrate with your existing technology - Consider how two-factor and multi-factor authentication can integrate with your existing business software and employee devices. 
• Provide training and support to employees - Technology is only as good as the people using it. Provide training to your team on how to use two-factor and multi-factor authentication. And to only approve authentication requests they recognise. Plus, embrace opportunities to upskill your own knowledge in this dynamic and evolving landscape. 
• Discuss the importance of updating passwords - A password manager can help people create, save, manage and use passwords across different online services. 

Learn more about developing a cyber secure mindset to upskill your team and help protect your business. 

Track and improve your chosen authentication method 

Cyber risks and threats are forever changing. Consider the effectiveness of your chosen authentication method regularly. And if needed, make adjustments. 

Using two-factor and multi-factor authentication to help protect your business 

Here are some ways two-factor and multi-factor authentication can help protect your sensitive business information: 

• Remote access to corporate networks or applications - If you’ve adopted remote working, people may access company systems using unsecure public or home networks. Two-factor and multi-factor authentication can help add extra layers of protection. Same goes for accessing work assets on mobile devices. Learn more about how to protect workplace mobile devices. 
• Email access - Some businesses only require employees to use a username and password to access their emails. Unfortunately, cybercriminals are aware of this. Email is a common target for phishing attacks. 
• Two-factor and multi-factor authentication can help ensure the right people have access to business emails. 
• Physical access - In some workplaces, people may use a PIN to access secure areas like server rooms. Using a smart card or authentication key can help further strengthen defences. 
• Account admins - Two-factor and multi-factor authentication can help protect your most important business accounts. This includes senior leaders as well as people with privileged access to sensitive systems like IT and finance. 

Why is two-factor and multi-factor authentication important? 

Beyond helping to enhance security, two-factor and multi-factor authentication has several benefits. 

Regulatory standards outline the use of multi-factor authentication. It’s part of the Essential Eight mitigation strategies developed by the Australian Cyber Security Centre (ACSC), helping to protect against cyber threats. Implementing stronger authentication methods may help boost your compliance. 

Two-factor and multi-factor authentication can also help safeguard against ‘credential stuffing’. This is where a stolen username and password from one login helps cybercriminals gain access to other online systems. 

Simple passwords can be easy for cybercriminals to guess. But forcing people to use complex passwords can also create challenges. 

Employees may struggle to remember them or write them down. This places them subject to compromise. Password managers help remove this burden while two-factor and multi-factor authentication layers extra defences in the event those credentials are compromised. 

Prioritise a proactive cyber security strategy 

Implementing two-factor and multi-factor authentication is now more accessible for small businesses. Authentication apps for employees to confirm their identity are also more prevalent. This helps add extra layers of security where it’s needed most. 

Two-factor and multi-factor authentication is a proactive measure. It helps your business stay compliant and aligned with best practices in modern cyber security.