Is Multi-factor Authentication Worth the Cost?

What is Multi-factor Authentication?

Let’s begin by defining multi-factor authentication: Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN. Rather than just asking for a username and password, MFA requires one or more additional verification factors, which decreases the likelihood of a successful cyber attack.

Authentication has traditionally been done with a username and password only – which is not a great option because a) usernames are easy to discover (often just your email address which is something you’ve likely shared widely) and b) passwords can be hard to remember so most people tend to pick simple ones, or use the same password across many sites (61 percent of people use the same password on multiple services).

According to data from LastPass as of March 15, 2022, only 26 percent of companies currently use multi-factor authentication in the U.S., even though 81 percent of security breaches are due to weak or stolen passwords.

Many online services (banks, social media, online shopping) have therefore begun to add MFA, also known as two-step verification, to keep accounts more secure. It is quickly becoming essential protection for any kind of sensitive information.

How does it Work?

When you sign into an account for the first time on a new device or app (like a web browser) you need more than just the username and password. You need a second “factor” to prove who you are. This second factor can be a code that is texted to your phone number, a unique link sent to your email, or perhaps using an authenticator app like Microsoft Authenticator.

Reasons to Implement Multi-factor Authentication

Security of information. Compromised passwords are one of the most common ways that nefarious characters can get access to your data, your identity or your money (See statistics above). Using multi-factor authentication is one of the easiest ways to make it a lot harder for them.
It doesn’t add that much inconvenience to logging in. You won’t have to do the second step very often. Often people worry that multifactor authentication is going to be really inconvenient, but it’s typically only used the first time you sign into an app or device, or the first time you sign in after changing your password. After that you’ll just need your primary factor, usually a password. The extra security comes from the fact that somebody trying to break into your account is probably not using your device, so they’ll need to have that second factor to get in.
Using MFA along with Single Sign-On (SSO) is a great way to increase password strength and security while also limiting employee frustration (because employees only have to remember one strong password). Pairing SSO with MFA allows for verification of user identity prior to that user logging into any application or network you want to maintain control over.
If passwords are stolen but MFA is enabled, a hacker won’t be able to penetrate the system without the second factor of authentication needed to get into the account.
Phishing emails are successful 47 percent of the time. In a test run by Duo Security, in more than 4,000 phishing campaigns, nearly half have been successful in capturing at least one set of credentials. Without secondary authentication, an average internet user is still likely to fall victim to one of these phishing attacks.
The use of MFA could prevent as much as 80-90 percent of cyber attacks according to data from the US national security cyber chief.

My guess is that after all of this, you are pretty convinced (if you weren’t already) that MFA is a good idea. So – is it worth the cost?

How much does MFA cost?

If you’re already using Microsoft 365, there likely is no additional licensing cost for you to utilize multi-factor authentication. Instead, the only cost would be a one-time project fee to configure the backend systems and help train and onboard your team with the new login tools. There are other third-party services that can cost anywhere from $1.40 to $9.00 per user account per month. Despite these costs, MFA can end up saving you tens to hundreds of thousands of dollars in the end.

The verdict

Between backup fails, email infiltration and open-source intelligence exposure (taking bits and pieces of data shared on social media sites such as birthdays, phone numbers, email addresses etc.), the opportunities for your business to be compromised are numerous and varied. Professional hackers even know how to figure out passwords just by exploring your interests that are shared publicly on social media sites.

When you consider the level of risk that could be associated with your business without MFA, it quickly becomes clear it is worth it a hundred times over to pay the fees for MFA and protect your business from 10-100x the potential financial loss if you are attacked.