What is Multi-factor Authentication (MFA)?
MFA is the use of more than one method of authentication to prove your identity when you connect to a computer system. Examples of authentication methods might include:
- Something you know, e.g. a password or PIN
- Something you have, e.g. a smartphone app that creates a token, a separate token device, or a text/e-mail sent with a one-time passcode
- Something you are, e.g. a fingerprint or retina scan
MFA is usually used for remote connection to systems, such as logging in to a remote desktop or accessing e-mails in a web browser. It might also be used inside your network to access particularly sensitive data.
In some cases, you may also see references to two-factor authentication, or 2FA. This is the same as MFA, but specifically means you have two authentication factors (rather than three or more).
Why should I use MFA?
If all that protects your systems is a password, anyone with your password can access your systems. Criminals can get past passwords in various ways:
- They might trick an employee into revealing their password by hosting a fake website that looks like your e-mail provider.
- They might access a collection of passwords that have been leaked on the internet. If your employees re-use passwords across multiple systems (as many people do), then a data breach at their gym, for example, could reveal the password they use to access their company e-mail.
- They might use a program that guesses common passwords, or guesses every possible combination of letters, until it finds the right password. Simple passwords like ‘password’ or ‘football1’, as well as short passwords, are particularly likely to be cracked in this way.
By having MFA in place, even if someone does crack your password, they still can’t access your systems because they don’t have the other authentication factor.
Why do insurers require MFA?
Recent research suggests that 99.9% of account compromise attacks can be blocked by MFA and that 94% of ransomware victims investigated didn’t use MFA¹. Put simply, MFA closes off one of the easiest ways for criminals to enter your systems, and by stopping criminals getting in, you avoid making a claim on your cyber insurance.
If you already have cyber insurance, or are considering cover, you should look into MFA early to avoid any potential issues when renewing or getting cyber insurance.
If you don’t have MFA, you may still be able to buy cyber insurance; however, this will depend on the size of your company and how exposed you are to cyber risks. If you have questions about cyber insurance, please contact us and we’ll advise you on your risks and what cover you require.
For more information and guidance, get in touch on 0300 008 5555 or contact your usual team.
Source: ¹Multi-factor Authentication Overview – Travelers 2021