Skip to main content
U.S. flag

An official website of the United States government

Here’s how you know

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

HTTPS

Secure .gov websites use HTTPS
A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Cybersecurity & Infrastructure Security Agency
America's Cyber Defense Agency

Search

 
 
  • Topics
    Cybersecurity Best Practices
    Cyber Threats and Advisories
    Critical Infrastructure Security and Resilience
    Election Security
    Emergency Communications
    Industrial Control Systems
    Information and Communications Technology Supply Chain Security
    Partnerships and Collaboration
    Physical Security
    Risk Management
    How can we help?
    GovernmentEducational InstitutionsIndustryState, Local, Tribal, and TerritorialIndividuals and FamiliesSmall and Medium BusinessesFind Help LocallyFaith-Based CommunityExecutives
  • Spotlight
  • Resources & Tools
    All Resources & Tools
    Services
    Programs
    Resources
    Training
    Groups
  • News & Events
    News
    Events
    Cybersecurity Alerts & Advisories
    Directives
    Request a CISA Speaker
    Congressional Testimony
  • Careers
    Benefits & Perks
    HireVue Applicant Reasonable Accommodations Process
    Hiring
    Resume & Application Tips
    Students & Recent Graduates
    Veteran and Military Spouses
    Work @ CISA
  • About
    Culture
    Divisions & Offices
    Regions
    Leadership
    Doing Business with CISA
    Site Links
    Reporting Employee and Contractor Misconduct
    CISA GitHub
    Contact Us
Report a Cyber Issue
America's Cyber Defense Agency
Breadcrumb
  1. Home
  2. Secure Our World
Share:
Secure Our World Hero Image

Require Multifactor Authentication

Make your business significantly safer from online threats.

Multifactor Authentication Provides Extra Security

Your company’s intellectual property, employee personal information, customer information and more are prime targets for criminal activity. Passwords alone are not always effective at protecting your organization’s data. In fact, weak or stolen passwords are common entry points for online criminals.

Multifactor authentication requires an extra step to login, such as entering a code texted to your phone to prove your identity. Requiring MFA is a simple way to protect your organization and can prevent a significant number of account compromise attacks.

Three Steps to Incorporate MFA in Your Organization

MFA provides extra security on accounts by confirming our identities when logging in to our accounts with a second verification method, like entering a code texted to a phone or one generated by an authenticator app. MFA is a simple, easy way to greatly increase your business’s digital security. For added protection, educate your employees on the importance of MFA for their personal accounts as well.

1. Require multifactor authentication (MFA) wherever possible.

Work with your IT team to identify what software and systems you can require MFA for and create a plan to apply it throughout your company. Start with the privileged, administrative and remote access users who are most at risk. Focus on systems that are often compromised, like email, file storage and VPNs.

2. Use the strongest level of MFA you can.

A code sent to your phone or email is the easiest, simplest form of MFA. Any MFA is better than no MFA, but there are more secure options, such as these: 

  • An authenticator app that generates a code that is valid for a short time that the user enters to access their account 
  • “Phishing-resistant” MFA, like a smart card or FIDO security key, is the gold standard of MFA protection. Learn more about phishing-resistant MFA and how it can protect your business on our blog, Phishing Resistant MFA is Key to Peace of Mind. 

Look at your budget and talk with your IT team to decide what is best for you and your employees.

3. Educate your employees.

Many people still do not know what MFA is or understand why it is important. Clearly communicate to your employees the ease and benefits of enabling MFA. In taking just one extra, quick step to login, they are helping protect themselves, the company and its customers. Encourage your staff to use it on all personal accounts that offer it as well.

What is “Phishing-Resistant MFA”? 

MFA bypass attacks are happening against well-funded companies with excellent security staff. It’s a technique and hack in which spammers are able to “bypass” traditional MFA options, like the 6-digit code. 

Phishing-resistant MFA is designed to prevent MFA bypass attacks by using a security key, which is a small external device that either connects to your computer or phone through a port, a biometric or via Bluetooth to enable secure login to websites and applications. Since only the key owner has physical access to their device, phishing scams don’t work. Phishing-resistant MFA can come in a few forms, like smartcards or FIDO security keys. 

The FIDO Alliance was formed by a group of companies that have been able to bake FIDO protocols into the operating systems, browsers, phones and tablets that you already own. And FIDO is supported on dozens of online services. Organizations large and small are starting pilots and even completing their rollout to all staff. 

Other Ways to Protect Your Business

Online criminals are always looking for easy targets. Businesses that don’t take basic precautions are at risk. Take the following steps to make it harder for malicious actors to access your data or trick an employee into allowing access to your systems.

decorative image of business owner

Secure Your Business

Protect your business, your employees and your customers with easy and effective safety habits and policies.

decorative figure: coworkers looking at a computer

Teach Employees to Avoid Phishing

Harmful links or attachments could provide unauthorized access to information or infect your network with malicious code. This can result in data being held for ransom.

decorative image of business owner

Require Strong Passwords

This is one of the easiest ways to protect your business from criminals who might otherwise access your accounts by guessing or automating hacking programs.

decorative figure: cashier at the store

Update Business Software

Flaws give criminals an opening. Programmers publish patches, but you must install them to get their protection. Smaller businesses are often running outdated software because they don’t have full-time IT staff keeping up.

Related Content

Secure Our World Cybersecurity Awareness Month 2023

October is Cybersecurity Awareness Month

Learn how to get involved and become a Cybersecurity Awareness Month partner!

woman working on her computer

Weak Security Controls and Practices Routinely Exploited for Initial Access

Share this with your IT provider/staff and encourage best practices to protect your systems.

decorative figure: coworkers discussing work

Phishing Resistant MFA is Key to Peace of Mind

Require employees to use MFA and take it to the next level with FIDO security keys.

Social More than a Password Instagram Graphic

More than a Password

Multifactor authentication can make you, and your business, much safer than a password alone. Learn how!

SOW Small and Medium Businesses

Small and Medium Businesses

Ready for more?

CISA offers free information and tools to help small businesses protect their people, customers, intellectual property and other sensitive data.

More Information for Small and Medium Businesses

Return to Secure Our World

Return to top
  • Topics
  • Spotlight
  • Resources & Tools
  • News & Events
  • Careers
  • About
Cybersecurity & Infrastructure Security Agency
  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS
CISA Central 888-282-0870 Central@cisa.dhs.gov
DHS Seal
CISA.gov
An official website of the U.S. Department of Homeland Security
  • About CISA
  • Accessibility
  • Budget and Performance
  • DHS.gov
  • FOIA Requests
  • No FEAR Act
  • Office of Inspector General
  • Privacy Policy
  • Subscribe
  • The White House
  • USA.gov
  • Website Feedback