By Need

By Industry

By Function

Cybersecurity & Risk Management

Why MFA Is Must-have Cybersecurity for Business

We live in an always-connected, multi-device, and multi-platform world. You probably use a MacBook or PC laptop for work. When you’re at the airport or watching your kid at a school event, you’re periodically checking work emails from your smartphone. And you likely have documents and emails stored in the cloud so that your work is accessible across all these devices and platforms.  

However, using standard “enter your username and password” login credentials for any cloud-based resources is a security nightmare for IT leaders. Literally billions of usernames and passwords have been stolen, were posted online, and are exploited by criminals every day. Many users still reuse their corporate usernames (typically their work email address) and passwords—or at least a variation of that password—on personal websites.  

In the recent past, we’ve seen hackers steal millions of user credentials from cloud-first companies like Uber, Twitter, Marriott, Cloudflare, and Twilio. These credential harvesting campaigns are just the beginning for criminal hackers. Even if criminals don’t have the latest password for the username, they’ll follow up with a brute force attack to guess weak passwords, get into the compromised cloud account, and then move laterally inside the corporate network. That’s why every IT department should include a multifactor authentication (MFA) process to secure their employees’ user accounts across all devices and platforms.

What Is Multifactor Authentication (MFA)?

Multifactor authentication (MFA) is a security method that requires users to provide two or more pieces of evidence to verify their identity before accessing a system or service. MFA can prevent unauthorized access to sensitive data and resources by adding an extra layer of protection beyond passwords. Any login with MFA requires a user to present a combination of two or more unique credentials to verify their identity. So, even if one user credential becomes compromised—for example, the user’s password is known or guessed by brute force—the criminal won’t have the second authentication requirement and is blocked from completing the login.

The idea of multifactor authentication is not new. In the ancient times before Netflix (you see this written on wiki pages as “1996 B.N.”), people watched movies in their homes on physical media rented from retail stores like Blockbuster. The movies on physical media were a costly capital expense for the retailer, so the retailer generated profit from many customers paying a few dollars to rent the physical media for a day or two. To protect the retailer against a customer from not returning that physical media, the rental store had customers provide two or more forms of identification to authenticate their accounts.

Exterior of last remaining Blockbuster Video location in Bend, OR, Coasterlover, 2018
Exterior of last remaining Blockbuster Video location in Bend, OR (2018)

Fast forward to our modern cloud-first world where an online account with multifactor authentication is more secure than just relying on an ID and password. That’s because adding a second or third factor compensates for the weakness of that single authentication factor.

More Factors = More Security for Users

It is important to allow more than just one authentication factor for your users. This is so everyone in your organization has access to an alternate MFA option in case their primary option is unavailable. Blue Mantis deploys, configures, and manages multifactor authentication for customers. Two-factor authentication (2FA) is the most common deployment and combines what you know (your password) with what you have using a variety of industry-standard methods including:

  • Voice or text to a phone – These options allow for sending either an automated voice call or text message to the user’s phone. The user can answer the voice call and press the # key on the phone keypad to approve their authentication. The text message has a verification code the user must type into the sign-in interface. “Call to phone” is a great backup method for notification or a verification code from a mobile app if the user cannot receive SMS texts on their phone. 
  • Push notification through a mobile app – A push notification is sent to an authenticator app on a user’s personal or corporate-owned device. The user views the notification and hits the “Approve” link to complete verification. Business IT leaders can set up push notifications using mobile apps such as Duo Mobile and Microsoft Authenticator for both Google Android and Apple iOS. However, if your users travel to China, note that push notifications on Android phones doesn’t work the same way there as they do in the rest of the world. This is a perfect real-world example of why you should always have multiple authentication options for your users. 
  • Hardware security keys Based on the open standards created by the Fast Identity Online (FIDO) Alliance, these small devices store an encrypted private authentication key unique to a user that often includes a biometric component such as a fingerprint. Because hardware keys must be in the possession of the user to authorize the MFA challenge, and the user’s login credentials are stored on the device rather than a server, this security model eliminates not only password theft but also phishing risks.

Even with MFA, You Can Still Get Hacked

Deploying multifactor authentication at your business does not guarantee an employee won’t be the victim of a cyberattack. Sure, MFA helps make users more secure; nothing can protect your employees against 100% of all methods of compromise. Speaking of percentages, there’s been a widely distributed statistic about the efficacy of MFA, claiming for years that it can stop 99.9% of attacks. But if you really think about it, that means every other possible type of attack—from phishing/malware, to insider threats, distributed denial of service (DDoS), and even cloud storage bucket misconfigurations—accounts for the 0.1% of successful attacks. Considering that most of the IT security professionals I’ve worked with estimate that unpatched software is the cause for the majority of successful cyberattacks, it’s obvious that 99.9% statistic is…well, let’s just say  “outdated.” 

The Cybersecurity & Infrastructure Security Agency (CISA) warned that bad actors were exploiting “default MFA protocols and a known vulnerability” to automatically enroll devices for multifactor authentication on corporate networks. The attackers would use a combination of stolen user credentials, automated policies for enrollment of MFA devices, and unpatched software to effectively bypass multifactor authentication and gain full access to the victim’s cloud storage and corporate email. To mitigate damage from these attacks, the best course of action is for an IT department to adopt and enforce zero trust access policies that include MFA as one part of a holistic security strategy.

Setting Up Multifactor Authentication Security at Your Business

The good news is that most providers of cloud-centric IT tools for business have multifactor authentication options for securing user accounts. For example, Microsoft 365 for Business subscribers get a free version of MFA in the cloud called “Entra ID multifactor authentication.” It is a full featured and highly configurable MFA option but is not enabled for all Microsoft 365 users by default. Entra MFA is just one of the many options IT managers and cybersecurity professionals can use to implement multifactor authentication for users. 

However, setting up MFA at scale is often difficult for overworked IT departments. The process can be painful for mid-sized organizations with 200, 500, or over 1,000 employees that don’t have a dedicated cybersecurity expert on staff. For these organizations, using a managed service provider like Blue Mantis can help quickly and successfully configure and manage a multifactor authentication environment. In addition, our cybersecurity experts can work as an extension of your existing IT department to reduce the attack surfaces of your cloud assets, corporate network, and hybrid workforce while improving ease of use for end users. 

Connect with Blue Mantis today and we can assess your current IT environment and recommend ways that MFA can secure your digital assets.

Jay Martin

Chief Information Security Officer

With over 20 years in Information Technology and Information Security, Jay Martin brings a strategic vision and deep technical expertise to his role as VP, Security at Blue Mantis. Throughout his career, he has helped organizations of all sizes achieve service excellence and navigate the ever-evolving cybersecurity landscape. 

Jay is charged with extending Blue Mantis’ hypergrowth in cybersecurity, including assessment of market, customer and partner requirements and overseeing overall positioning and optimizing services delivery. He collaborates closely with the Blue Mantis IT team to ensure the company’s internal security posture and cyber resiliency remain at a world-class level.  

Jay’s background spans various IT disciplines, including network engineering, technical support, operations management, and security. This well-rounded perspective allows him to translate complex cyber threats into practical solutions that align with business goals.  He has a proven track record of architecting security programs, implementing robust solutions, and fostering a culture of security awareness within organizations. 

Before joining Blue Mantis, Jay held leadership positions at several companies, including InteQ Corporation and Hewlett-Packard – NetMetrix. In these roles, he successfully implemented industry best practices like IT Service Management (ITSM) to streamline IT operations and ensure service excellence.  He also leveraged his expertise in IT security and enterprise monitoring to develop comprehensive security programs that met compliance requirements. 

Jay is passionate about staying ahead of the curve. He holds industry-recognized certifications like CISM (Certified Information Security Manager) and actively participates in industry forums. This dedication to continuous learning allows him to lead Blue Mantis’ cybersecurity team in delivering innovative solutions that empower businesses to thrive in the digital age.