Require Multifactor Authentication

Make your business significantly safer from online threats.

Multifactor Authentication Provides Extra Security

Your company’s intellectual property, employee personal information, customer information and other data are prime targets for criminal activity. Passwords alone are not always effective at protecting your organization’s data. In fact, weak or stolen passwords are common entry points for online criminals.  

Multifactor authentication (MFA) requires two or more steps to log in, such as entering a code texted to your phone or scanning a fingerprint to prove your identity. The device or app alerts the employee and asks for additional authentication to prevent others from accessing their accounts. Adopting MFA is a simple way to protect your organization and can prevent a significant number of account compromise attacks.

Three Steps to Incorporate MFA in Your Organization

MFA provides extra security on accounts by confirming our identities when logging in to our accounts with two or more verification methods, like entering a code texted to a phone or one generated by an authenticator app. MFA is a simple, easy way to greatly increase your business’s digital security. For added protection, educate your employees on the importance of MFA on their personal accounts as well.

1. Require multifactor authentication (MFA) wherever possible.

Work with your IT team to identify what software and systems you can require MFA for and create a plan to apply it throughout your company. Start with the privileged, administrative and remote access users who are most at risk. Focus on systems that are often compromised, like email, file storage and VPNs. 

2. Use the strongest level of MFA you can.

A code sent to your phone or email is the easiest, simplest form of MFA. Any MFA is better than no MFA, but there are more secure options, such as these:   

  • An authenticator app that generates a code, valid for a short time, that the user enters to access their account.
  • “Phishing-resistant” MFA, like a smart card or FIDO security key, is the gold standard of MFA protection. Learn more about phishing-resistant MFA and how it can protect your business on our blog, Phishing Resistant MFA is Key to Peace of Mind. 

    Talk with your IT team to decide what investments in cybersecurity are best for you and your employees.

3. Educate your employees.

Many people still do not know what MFA is or understand why it is important. Clearly communicate to your employees the ease and benefits of enabling MFA. In taking just one extra, quick step to log in, they are helping protect themselves, the company and its customers. Encourage your staff to use it on all personal accounts that offer it as well. 

What is “Phishing-Resistant MFA”? 

MFA bypass attacks are happening against well-funded companies with excellent security staff. MFA bypass is a technique in which online criminals are able to “bypass” traditional MFA options, like the 6-digit code.

Phishing-resistant MFA is designed to prevent MFA bypass attacks by using a security key, which is a small external device that connects to your computer or phone through a port, a biometric or Bluetooth to enable secure login to websites and applications. Since only the key owner has physical access to their device, phishing scams don’t work. Phishing-resistant MFA can come in a few forms, like smart cards or FIDO security keys.

The FIDO Alliance was formed by a group of companies that have been able to bake FIDO protocols into the operating systems, browsers, phones and tablets that you already own. And FIDO is supported on hundreds of online services. Organizations large and small are starting pilots and even completing their rollout to all staff.

Other Ways to Protect Your Business

Online criminals are always looking for easy targets. Businesses that don’t take basic precautions are at risk. Take the following steps to make it harder for malicious actors to access your data or trick an employee into allowing access to your systems.

Secure Your Business

Protect your business, your employees and your customers with easy and effective safety habits and policies.

Teach Employees to Avoid Phishing

Phishing happens when criminals trick employees into opening malicious attachments or sharing personal info. Implement training to teach employees how to identify and report suspicious activity. 

Require Strong Passwords

This is one of the easiest ways to protect your business from criminals who might otherwise access your accounts by guessing or using automated hacking programs. 

Update Business Software

Defects in software, routers, VPNs and apps can give criminals an opening to your accounts. Software manufacturers publish patches, but you must install them to be protected! Don’t use outdated software. Keep business software up to date. 

Related Content

October is Cybersecurity Awareness Month

Download the free Cybersecurity Awareness Month 2024 toolkit!

Weak Security Controls and Practices Routinely Exploited for Initial Access

Share this with your IT provider/staff and encourage best practices to protect your systems.

Phishing Resistant MFA is Key to Peace of Mind

Require employees to use MFA and take it to the next level with FIDO security keys.

More than a Password

Multifactor authentication can make you, and your business, much safer than a password alone. Learn how!

Cyber Guidance for Small Businesses

Ready for more? 

Get an action plan for your leadership team to implement—before a hacker attempts to steal your info or compromise accounts.