Cybersecurity Awareness Month: Multi-Factor Authentication
- Triumvirate Cyber
- Oct 20
- 3 min read
This week, we’re continuing our Cybersecurity Awareness Month series on strengthening your digital defenses. We’re moving beyond passwords—the "first line of cyber defense"—to focus on the critical practice of multi-factor authentication (MFA)!

In the modern threat landscape, relying solely on a password, even a strong one, isn't sufficient to protect your digital world. Passwords are exposed through data breaches, credential stuffing (replaying a password leaked from one site against others), phishing, and malware such as infostealers. Once malicious cyber actors hold a valid password, they can log in as the account owner, risking financial loss or identity theft. MFA puts another barrier in their way!
What is Multi-Factor Authentication (MFA)?
Multi-Factor Authentication (MFA) is an authentication method that grants access only after the user successfully presents two or more distinct types of evidence (factors) of their identity. Two-Factor Authentication (2FA) is the common case of exactly two factors.
This layered approach dramatically reduces the chance that an attacker can take over an account, even when one factor (typically the password) has already been compromised.
A strong MFA system requires proof from different categories of authentication factors:
Something You Know: Knowledge factors such as a password, PIN, or passphrase
Something You Have: Possession factors involving a physical device or object in the user’s control, such as an authenticator application, a security key, or a smart card
Something You Are: Inherent factors, primarily biometrics like a fingerprint or face scan
MFA ensures that even if an attacker acquires a legitimate password (Something You Know), they still face the hurdle of needing the second factor (Something You Have/Are).
Practical Example
Imagine you get an email from "your bank" about needing your confirmation for a large, unexpected transaction. You log in through the provided link and, after you've hit "submit" on the login form, you realize the website URL is actually www.yourbank.com-evilphishingschemehahaha.biz! With MFA, the attacker now holds your password but still has to get past a second factor before they can start writing checks from your account. One caveat: a phishing site can just as easily ask you for a one-time code and relay it to the real bank within seconds, which is why the phishing-resistant methods discussed below matter.
The CMMC Imperative: MFA as a Foundational Control
For defense contractors, MFA is explicitly mandated by the Cybersecurity Maturity Model Certification (CMMC) framework. Implementing MFA is a crucial step toward achieving compliance, particularly at Level 2. In fact, the importance of this control is underscored by its status within the compliance process:
MFA Cannot Be Deferred: At CMMC Level 2, organizations may address minor gaps through a Plan of Action & Milestones (POA&M) to achieve Conditional Status. However, MFA is among the foundational security practices that cannot be deferred using a POA&M. Multifactor authentication must be fully implemented before the assessment, not planned for afterwards.
A Core Requirement: The CMMC practice IA.L2-3.5.3 (from NIST SP 800-171) requires multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
Implementing MFA makes it more difficult for a threat actor to gain access to critical information systems, including email and remote access technology, even if passwords are compromised.
Taking Authentication to the Next Level: Phishing Resistance
While using any form of MFA is better than relying on only a password, it is important to understand that not all MFA methods provide equivalent security. SMS codes and one-time passwords (OTPs) from an authenticator app can be captured by a phishing page and relayed to the real site in real time (an adversary-in-the-middle attack), and SMS codes can additionally be intercepted through SIM swapping. Simple "Approve/Deny" push notifications are susceptible to MFA bombing (also called MFA fatigue), where attackers who already have your password trigger prompt after prompt hoping you'll eventually hit "Approve" just to make them stop!
For this reason, organizations implementing multi-factor authentication should strive to use phishing-resistant MFA. The most widely available phishing-resistant method today is FIDO2/WebAuthn, which also powers passwordless sign-in (passkeys). It resists phishing because the browser, not the user, binds each signed login response to the web origin actually being visited, so a response produced on a look-alike domain is useless against the real site.
For applications that protect sensitive information, and for users with elevated privileges (such as administrators or security personnel), organizations should enforce phishing-resistant authenticators. If phishing-resistant MFA is not currently feasible, organizations should at least use number-matching push MFA (as offered by Microsoft Authenticator and Okta Verify), which defeats push bombing by requiring the user to type a number shown on the login screen. Note that number matching does not protect against SMS interception or a phishing page relaying a code, so it is a stopgap rather than a substitute for phishing-resistant MFA.
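The difference between a relayable code and an origin-bound response is easier to see in code. The following is an added illustration, not the article's or any vendor's code. The TOTP half is a real RFC 6238 implementation (HMAC-SHA1, 30-second step). The WebAuthn half is a simplified model: the field layout (clientDataJSON type, challenge and origin; the RP ID hash in authenticator data; signature over authenticator data plus the client data hash) follows the specification, but an HMAC keyed with a per-site secret stands in for the real ECDSA signature so the example runs with only the standard library. The bank domain, the phishing domain from the practical example above, the secret and the timestamps are all constructed for the demo.

```python
"""Relaying a one-time code works; relaying a WebAuthn assertion does not.

Added example (not the article's code). TOTP is real RFC 6238; the WebAuthn
part is a simplified model in which an HMAC stands in for the ECDSA signature.
"""
import base64
import hashlib
import hmac
import json
import os
import struct

BANK_RP_ID = "yourbank.com"                                   # constructed
BANK_ORIGINS = {"https://www.yourbank.com"}                   # constructed
PHISH_RP_ID = "www.yourbank.com-evilphishingschemehahaha.biz"  # from the article's example


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# ---- TOTP (RFC 6238): HOTP over the current 30-second time step ----------------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def bank_verifies_totp(secret: bytes, submitted: str, now: int) -> bool:
    # Servers usually accept the current step and one step either side to absorb clock drift.
    return any(hmac.compare_digest(totp(secret, now + d), submitted) for d in (-30, 0, 30))


# ---- WebAuthn-style assertion (simplified model) -------------------------------
def authenticator_get_assertion(cred_key: bytes, rp_id: str, origin: str, challenge: bytes) -> dict:
    """What browser + authenticator return. The browser fills in `origin` and `rp_id`
    from the page actually being visited; the user and the page cannot override them."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin},
        separators=(",", ":")).encode()
    # authenticatorData = rpIdHash (32) || flags (UP|UV) || signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (0).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_key, signed, hashlib.sha256).digest()  # stand-in for ECDSA
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def rp_verifies_assertion(cred_key: bytes, expected_rp_id: str, allowed_origins: set,
                          expected_challenge: bytes, assertion: dict) -> bool:
    """The relying party's checks: type, challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != b64url(expected_challenge):   # replay protection
        return False
    if cd.get("origin") not in allowed_origins:             # the phishing-resistance check
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def phishing_relay_demo() -> tuple:
    """Returns (totp_relay_accepted, webauthn_relay_accepted, legitimate_webauthn_accepted)."""
    totp_secret = b"12345678901234567890"   # constructed; RFC 6238 test-vector seed
    now = 1_700_000_000                     # constructed timestamp
    # Victim types the code into the phishing page; the attacker replays it 5 s later.
    relayed_code = totp(totp_secret, now)
    totp_relay_accepted = bank_verifies_totp(totp_secret, relayed_code, now + 5)

    cred_key = os.urandom(32)   # per-site credential secret (models the private key)
    challenge = os.urandom(32)  # the bank's challenge, relayed to the victim by the attacker
    # A real authenticator has no credential scoped to the phishing RP ID and would refuse;
    # this models the worst case where it signs anyway. The browser still stamps the phishing
    # origin and RP ID into the response, so the bank rejects it.
    phished = authenticator_get_assertion(cred_key, PHISH_RP_ID, "https://" + PHISH_RP_ID, challenge)
    webauthn_relay_accepted = rp_verifies_assertion(cred_key, BANK_RP_ID, BANK_ORIGINS, challenge, phished)

    legit = authenticator_get_assertion(cred_key, BANK_RP_ID, "https://www.yourbank.com", challenge)
    legitimate_accepted = rp_verifies_assertion(cred_key, BANK_RP_ID, BANK_ORIGINS, challenge, legit)
    return totp_relay_accepted, webauthn_relay_accepted, legitimate_accepted


if __name__ == "__main__":
    print("TOTP relay accepted, WebAuthn relay accepted, legit WebAuthn accepted:", phishing_relay_demo())
```

The relayed TOTP code is accepted because nothing in a six-digit code says where the user typed it. The relayed assertion fails on the origin and RP ID hash checks before the signature is even examined, and in a real deployment the browser would have refused to produce it at all, because a page may only request credentials for its own registrable domain.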
Secure Your Accounts: Enable MFA Today
Whether you're an organization with access to government data or a regular internet user, we strongly recommend enabling MFA on every account that offers it, especially email and financial services, since a compromised mailbox can be used to reset the passwords on everything else. You can usually find the option under the "Security" settings of your online accounts.
Up Next: Is Skipping Software Updates Leaving You Vulnerable?
Next week, we’ll continue our Cybersecurity Awareness Month series by discussing the importance of promptly installing software updates. We know it’s a pain to stop in the middle of what you’re working on to install an update and/or reboot, but software updates are a critical way to ensure you aren’t leaving the door open for attackers! We’ll talk about why that is and how you can keep yourself and your software up-to-date on the latest protections!