There has been a huge push for organizations to implement multi-factor authentication (MFA) in their environments, and for good reason! Passwords and passphrases are the first line of defense, but what if a user is phished and hands their credentials to an attacker? That’s where MFA can save the day.
MFA requires a user to prove their identity with at least two independent factors. These can be:
- Something you know
- Something you have
- Something you are
It’s common to implement two-factor authentication by requiring a password (something you know) and a passcode delivered to an app on the user’s phone or generated by a token (something you have) before granting access to a system. Requiring more than a username and password gives an extra layer of protection if the credentials themselves are compromised.
While it provides additional security, MFA is not bulletproof. Users still need to be educated on how to use it and when to be cautious. If a user receives an MFA notification they did not initiate, they should know how to report it and to whom. A phishing email may also coach a user into accepting an MFA notification when it arrives. Training on phishing, and on when to accept an MFA notification and when not to, is both necessary and important.
Implementing MFA across your environment takes time and can be seen as an inconvenience by users. However, MFA is becoming an expectation in healthcare organizations as cyber-attacks continue to rise, and many states have started mandating that healthcare organizations implement at least two-factor authentication for some activities. As for user convenience, once MFA is in place on one system it quickly becomes second nature, and an organization that has already been introduced to MFA will find it easier to roll out across the rest of the environment!