
Is One Form of MFA Better Than Another?

Approximately 77% of cloud account breaches are caused by compromised credentials. Due to the rise of cloud account use, credential theft has become a major focus of online criminals.

For example, theft of a person's username and password for an online account has now become the number one attack ploy used in phishing emails.

Whether you are trying to protect your Microsoft 365 account or Google Workspace account, safeguarding user logins is critical. This can be challenging when users are prone to bad password habits.

Some of the common bad password habits that enable credential compromise include:

  • Reusing the same passwords for multiple accounts
  • Using weak passwords
  • Storing passwords in non-secure ways (like an unprotected Word document)
  • Sharing passwords with other users

The best way to combat poor user password security is to enable multi-factor authentication (MFA) for all of your accounts. MFA can block nearly all fraudulent sign-in attempts because the hacker will not typically have access to the device that receives the MFA code.

How Factors Of Authentication Work

There are typically three factors of authentication for a user account:

  • What You Know: Your username and password
  • What You Have: A physical device that receives an authentication prompt
  • What You Are: Fingerprint or facial recognition scans

When first set up, many accounts use single-factor authentication by default, which is the username and password.

Adding the second factor of "what you have" significantly increases your security.

By how much?

This depends upon the type of multi-factor authentication you use. There are three standard methods, which we will review below. Each can provide a great deal of protection, but some are more secure than others.

On the flip side, some are also less convenient than others. Typically, a company will need to balance convenience and security when choosing the type of MFA they want to implement. If MFA is too inconvenient, then users might look for workarounds, defeating the purpose, which is to improve your cloud security.

23% of surveyed individuals said that multi-factor authentication is very inconvenient.

Comparing 3 Methods of Multi-Factor Authentication

In the comparison below, when we get to security, we will be using statistics from a Google-sponsored survey on the effectiveness of different MFA methods.

MFA Study by Google

Method 1: Receiving the code by SMS/Text

Receiving an MFA code by text message is by far the most common method. It also tends to be the most convenient for people because they are used to receiving text messages on their phones.

This method has the lowest level of security of the three. The reason for this is that some forms of mobile malware can infect a device and replicate a SIM card. This would allow the hacker to receive any messages sent to that particular phone.

Google Study Results for Method 1:

  • Effectiveness against targeted attack: 76%
  • Effectiveness against bulk phishing attack: 96%
  • Effectiveness against automated bot attack: 100%

Method 2: Receiving the Code by Device Prompt/App

Another method that is used often for MFA is using an authentication app on a device. The code is not tied to a mobile phone number in this case but will typically be received on the device via a device prompt.

This method is slightly less convenient than SMS because users will have to install an authenticator app and then attach their cloud accounts that are using MFA to the service.

This method is more secure than SMS because the code is not coming into a specific mobile number.
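Many authenticator apps generate time-based one-time passwords (TOTP, RFC 6238) on the device itself from a secret shared at enrolment, so nothing is delivered to a phone number. The Python below is an added example, not code from the original article; the secret is the RFC's published test key, and the function names `totp` and `verify` are illustrative.

```python
import hashlib
import hmac
import struct

# Constructed demo secret (the RFC 6238 test key). Real secrets are random
# and provisioned to the app once at enrolment, usually via a QR code.
DEMO_SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Code for the time step containing unix_time (RFC 6238, HMAC-SHA1)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, unix_time: int,
           step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check that tolerates +/- `window` steps of clock drift."""
    if len(submitted) != digits:
        return False
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step, digits)
        # Constant-time comparison; no early exit, so timing does not
        # reveal which step (if any) matched.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


if __name__ == "__main__":
    now = 1234567890  # fixed timestamp so the output is reproducible
    code = totp(DEMO_SECRET, now)
    print("code on the device:", code)
    print("accepted one step later:", verify(DEMO_SECRET, code, now + 30))
    print("accepted three steps later:", verify(DEMO_SECRET, code, now + 90))
```

Both sides compute the same code independently, so the only thing to protect is the enrolment secret; the small drift window keeps a captured code useful for roughly a minute at most.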

Google Study Results for Method 2:

  • Effectiveness against targeted attack: 90%
  • Effectiveness against bulk phishing attack: 99%
  • Effectiveness against automated bot attack: 100%

Method 3: Using a Security Key To Authenticate

The most secure method of multi-factor authentication is the use of a security key. These are very small gadgets, smaller than a USB drive in many cases, that can be inserted into computers, laptops, and mobile devices to authenticate a login.

This is the costliest method because companies do need to purchase the security key for their users. They also must deal with lost security keys from time to time. Just like authentication apps, you will need to set up your accounts with the security key site.

While less convenient, this is a good method to use for users that have access to particularly sensitive information like company bank accounts because it is the most secure one.

Google Study Results for Method 3:

  • Effectiveness against targeted attack: 100%
  • Effectiveness against bulk phishing attack: 100%
  • Effectiveness against automated bot attack: 100%

Need Help Improving Your User Authentication Process?

Do not leave your accounts at risk! XpressteX can work with your business to put password authentication methods in place that secure your accounts without hampering users' workflow.

Contact us for a free consultation. Call 1300 991 030 or Contact Us Online
