Securing critical business systems from cyber-attack can be a complex task, with a seemingly endless array of methods available to choose from, each with pros and cons. To help focus our efforts there are various cybersecurity models and frameworks available such as The Essential Eight Maturity Model and the NIST Cybersecurity Framework, both of which offer excellent guidance on improving your cybersecurity posture.

Irrespective of which cybersecurity framework you choose, and which strategies you decide to pursue, there is one cybersecurity control that should be a no-brainer in every organisation, and that’s Multi-factor Authentication.

What is multi-factor authentication?

Multi-factor authentication is an authentication method that requires a user to provide two or more verification factors in order to prove their identity, and gain access to a secure system. In many cases this will mean the user providing their usual password along with some other unique and verifiable piece of information.

There are three main forms of multi-factor authentication in common use:

  • Unique code: In addition to their password the user will be prompted to enter a unique code that they obtain either via a text message, or via an authentication app installed on their smartphone. These codes are valid only for a very short duration, often 60 seconds, before a fresh code is required to successfully complete authentication.
  • Authentication app: When the user attempts to log on to a secure system with their username and password, a prompt appears in a dedicated authentication app installed on their smartphone. They then simply tap to accept the prompt, and authentication proceeds.
  • Biometric: Every one of us has unique and verifiable biometric features, such as our fingerprints and facial appearance. These unique features can be scanned and used as a second authentication factor.

Why you should enable multi-factor authentication whenever possible

Unfortunately, multi-factor authentication isn’t always enabled by default on the systems that you use, even though it most likely is available as a feature. Until you actively choose to enable MFA on each system that you use, you won’t receive the extra value that it offers, leaving critical business systems potentially exposed to cyber-attack.

So, what are the top 3 reasons to enable MFA?

#1 – MFA protects accounts from unauthorised access

The traditional approach of requiring only a username and password to log on to a secure system is unfortunately not very secure at all, particularly as cyber-criminals become increasingly determined.

Usernames are often easy to discover, frequently being nothing more than the user’s email address. Passwords can be hard to remember, particularly with so many different systems and passwords to keep track of, so people tend to pick simple ones, or reuse the same password across many systems, all of which makes them easier to crack.

Multi-factor authentication on the other hand is extremely effective at protecting user accounts from unauthorised access. This is why most online services make MFA available, and why many such as banks have made MFA compulsory. Even if a cyber-criminal were to obtain your username and password, without access to your second authentication factor they would still not be able to access your user account.

#2 – MFA can enhance the user experience

Multi-factor authentication offers several opportunities to enhance the user experience and, in the process, improve productivity, efficiency and user satisfaction. Single sign-on services that use multi-factor authentication allow users to sign on once and then be automatically and securely authenticated into multiple other systems, removing the need to sign on to each system individually.

Biometric multi-factor authentication can remove the need to manually enter any authentication details at all. A single fingerprint touch, or a glance at the camera in your laptop, can be sufficient to log in securely.

Finally, contrary to long-held wisdom, the current guidance from security experts such as Microsoft and NIST is not to force users to change their password periodically, but instead to let them keep the same password indefinitely – on the condition that the chosen password is long and complex, and that multi-factor authentication is in use.

#3 – MFA can help comply with standards & regulations

As many organisations seek to push cybersecurity compliance down through their supply chains, demonstrating the maturity of organisational cybersecurity is rapidly becoming a requirement for many government and commercial dealings.

Aligning with a broadly recognised cybersecurity framework such as The Essential Eight or the NIST Cybersecurity Framework is an effective and widely adopted approach to not only improving cybersecurity posture, but also being able to demonstrate that maturity to partner organisations when required.

Multi-factor authentication is identified as an essential security control in not only the major cybersecurity frameworks, but also directly in many commercial engagements such as cyber-insurance policies.


Multi-factor authentication should be a non-negotiable requirement in every organisation’s cybersecurity strategy. Not only does it provide an effective layer of protection against user account breach, but it can enhance user experience and productivity, while also helping to align the organisation with widely recognised cybersecurity standards.