Understanding multi-factor authentication (MFA): A guide for SMEs and micro-businesses
- WCRC
- Apr 7
- 3 min read
Rarely does a blog or newsletter go by without the WCRC advocating the use of multi-factor authentication (MFA), because we recognise that safeguarding your organisation's sensitive information is paramount. MFA, also known as two-factor authentication (2FA), is one effective measure to enhance your security. Let’s explore what MFA is, its importance, and the risks associated with not using it.

What is Multi-Factor Authentication (MFA)?
MFA is a security process that requires users to provide multiple forms of verification to access an account or system. These forms fall into distinct factor types: something you know (such as a password), something you have (such as a phone or hardware key) and something you are (such as a fingerprint). By combining two or more of these factors, MFA significantly enhances security compared to single-factor authentication, which relies solely on passwords.
Why is MFA Important for SMEs and Micro-Businesses?
Small and medium-sized enterprises (SMEs) and micro-businesses are increasingly targeted by cybercriminals because they are perceived as more vulnerable and often have smaller budgets for implementing cyber security. Implementing MFA is a step that all businesses can take to enhance their security: even if a password is compromised, the additional authentication factors make unauthorised access much more difficult.
Failing to adopt MFA can leave your business exposed to cyber-attacks. Password-only accounts are more vulnerable to compromise, potentially allowing an attacker full access to your systems. This could lead to the attacker accessing your sensitive customer data and business information, damaging your reputation and potentially resulting in fines for non-compliance. Cyber incidents are also likely to result in significant financial losses due to fraud, remediation costs and the impact on your business continuity.
Exploring the Different Types of Multi-Factor Authentication
When implementing Multi-Factor Authentication (MFA), the National Cyber Security Centre (NCSC) recommends using the strongest and most secure methods available. The order of preference is based on security strength, usability, and accessibility.
FIDO2 Credentials – The most secure option, FIDO2 authentication uses public-key cryptography and can be built into trusted devices (like laptops or smartphones) or hardware security keys. It provides strong protection against phishing and password theft.
Challenge-Based Authenticator Apps – Apps like Microsoft Authenticator and Google Prompt send a push notification that requires user approval. This method strengthens security but can be vulnerable to "prompt fatigue" attacks.
App-Based Code Generators – Apps such as Authy or Google Authenticator generate one-time passcodes (OTPs) that users must manually enter. While effective, this method is still susceptible to phishing.
Hardware-Based Code Generators – Physical tokens that generate OTPs offer an alternative where mobile devices aren’t permitted, but managing and distributing hardware tokens can be challenging.
Message-based Methods (SMS, Email, or Calls) – These are the least secure MFA methods, as they can be intercepted through phishing or SIM-swapping attacks. They should only be used when no other option is available.
Prioritising the strongest MFA options ensures better protection against cyber threats while maintaining ease of access for users.
The NCSC also provides comprehensive advice for organisations on implementing strong MFA methods for accessing corporate online services. Key recommendations include:
Prioritise High-Risk Systems: Implement MFA on systems that hold sensitive data or are critical to business operations.
User-friendly Solutions: Choose MFA methods that balance security with usability to encourage employee compliance.
Regular Review: Continuously assess and update authentication methods to address emerging threats and vulnerabilities.
For detailed guidance, refer to the NCSC’s collection on multi-factor authentication for corporate online services.
Conclusion
Implementing multi-factor authentication is a crucial step for SMEs and micro-businesses to protect against the growing threat of cyber-attacks. By requiring multiple forms of verification, MFA adds a robust layer of security that can safeguard your business's sensitive information, maintain customer trust, and ensure compliance with regulatory standards.
Investing in MFA is not just a technical upgrade but a strategic move towards a more secure and resilient business environment. If you’d be interested in receiving more guidance on protecting your small business from cybercrime, sign up for free membership.