Despite being widely available, uptake of multi-factor authentication has been slow and we need to change that. We talk about passwords a lot in the NCSC, but, it doesn't matter how 'good' your password is, it is not enough to secure access to valuable online services on its own.
Today, we've published our Multi-factor Authentication (MFA) Guidance for Online Services, which has been designed for enterprise services in larger organisations. Multi-factor - also called two factor authentication (2FA) or two step verification1 - is an extra layer of security for online services. Asking users for another bit of evidence in addition to their password means attackers with a stolen password still can't access the online service. Multi-factor is already built in to a wide range of services such as email, cloud file storage, social media pages, online marketplaces and payment methods, and it will usually be a case of just switching it on. There are a number of different 'bits of evidence' that a service can ask for and these options are all covered in the guidance.
Why you need multi-factor authentication
The bad guys have got really good at compromising passwords and they have a lot of tools at their disposal. Using a separate password for every service protects you against some of these, but not all, and it's impossible for someone to do this across all their passwords without help of some kind. Multi-factor authentication (MFA), on the other hand, buys a lot of additional security for relatively little pain, and this is always going to be a good thing. Organisations of all sizes can use MFA to protect both the services that are absolutely vital to the day-to-day business of your organisation, and your information and/or money that are tempting to cyber criminals.
But multi-factor isn't perfect…
No it's not. But MFA does make things a whole lot better. Yes, a password is easy to steal or guess, and yes, the second factor can also be quite easy to steal. But stealing a matching pair is much much more difficult than just stealing just a password, and 'just a password' is where we are right now. This needs to change.
What about personal accounts?
Our guidance has been designed for enterprise, but multi-factor authentication is available for everyone on many consumer online services, where it is more often called two factor authentication (2FA) or two step verification. Whatever it is called, it is just as valuable for individuals and we strongly recommend that everyone switches it on for their email (if possible) and any other online service they care about. The website https://www.turnon2fa.com contains instructions on how to set it up for a wide range of popular services.
Which factor is best?
Some factors are more difficult to steal than others, but the key benefit of MFA in most situations is the need for a matching pair, rather than the inherent strength of the second factor. Therefore, the best option will probably depend on the use case in your organisation (for example managed devices might not be suitable for everyone and SMS messages will be useless in an area with poor mobile phone signal). We've listed all the main options in the guidance so you can compare and find one or more options that will work for people in your organisation.
Saying that, there are some that we do not recommend. These are the ones that require a second piece of knowledge, and essentially act as a second password. We have previously discussed the issues with security questions, but in short, additional knowledge factors buy very little additional security and can be difficult to use for your end users. We've included them in the guidance for completeness, but this isn't an endorsement.
Does this make things harder for the users?
Not necessarily. Some factors (like managed devices) should be pretty much invisible to the users and you get all the nice security benefits without any extra work on their part. Others, like apps and tokens, need users to do a little extra work but even then this can be kept to a minimum. Many services have a 'remember my device' option that means that the second factor doesn’t need to be used again if the user always uses the same device. And if you have multiple services that need a second factor you might be able to use a single app or token for all of them, reducing the effort required to setup and use it.
But... what if the service doesn't offer MFA?
Unfortunately multi-factor authentication isn't available on all services yet. Due to the low take up, many services just can't see any demand for it. Those that do offer it often hide it in 'advanced settings'. If the service really doesn't offer multi-factor, and it is an important account, you need to ensure that this one really does have its own separate password, to reduce the chances of the password being compromised elsewhere. You might even want to consider using a different service that does offer a second factor, to ensure that your valuable accounts are sufficiently secure.
Sociotechnical Security Researcher
1. Traditionally multi-factor authentication (MFA) or two-factor authentication (2FA) is considered to be a different thing from two step verification. This was because the second step was often another password of some description and it is easy to do 'two-for-the-price-of-one' attacks when stealing multiple passwords. Therefore the second step doesn't buy much additional security. But, many services have taken to calling their multi-factor solution 'two step verification' regardless of what they actually offer as a second factor (maybe because they don't want to get into the argument of what is and isn't 'true' multi-factor). The upshot of this is that when we go around telling people to set up '2FA' or 'MFA', they can't find anything like that in their account and this makes everyone's lives difficult. It's unlikely that this is going to change any time soon, so if we use the terms interchangeably it is because that’s what people see in their accounts and it helps get the message across.