
Require Multifactor Authentication
Make your business significantly safer from online threats.
Multifactor Authentication Provides Extra Security
Your company’s intellectual property, employee personal information, customer information and more are prime targets for criminal activity. Passwords alone are not always effective at protecting your organization’s data. In fact, weak or stolen passwords are common entry points for online criminals.
Multifactor authentication requires an extra step to login, such as entering a code texted to your phone to prove your identity. Requiring MFA is a simple way to protect your organization and can prevent a significant number of account compromise attacks.
Three Steps to Incorporate MFA in Your Organization
MFA provides extra security on accounts by confirming our identities when logging in to our accounts with a second verification method, like entering a code texted to a phone or one generated by an authenticator app. MFA is a simple, easy way to greatly increase your business’s digital security. For added protection, educate your employees on the importance of MFA for their personal accounts as well.
1. Require multifactor authentication (MFA) wherever possible.
Work with your IT team to identify what software and systems you can require MFA for and create a plan to apply it throughout your company. Start with the privileged, administrative and remote access users who are most at risk. Focus on systems that are often compromised, like email, file storage and VPNs.
2. Use the strongest level of MFA you can.
A code sent to your phone or email is the easiest, simplest form of MFA. Any MFA is better than no MFA, but there are more secure options, such as these:
- An authenticator app that generates a code that is valid for a short time that the user enters to access their account
“Phishing-resistant” MFA, like a smart card or FIDO security key, is the gold standard of MFA protection. Learn more about phishing-resistant MFA and how it can protect your business on our blog, Phishing Resistant MFA is Key to Peace of Mind.
Look at your budget and talk with your IT team to decide what is best for you and your employees.
3. Educate your employees.
Many people still do not know what MFA is or understand why it is important. Clearly communicate to your employees the ease and benefits of enabling MFA. In taking just one extra, quick step to login, they are helping protect themselves, the company and its customers. Encourage your staff to use it on all personal accounts that offer it as well.
What is “Phishing-Resistant MFA”?
MFA bypass attacks are happening against well-funded companies with excellent security staff. It’s a technique and hack in which spammers are able to “bypass” traditional MFA options, like the 6-digit code.
Phishing-resistant MFA is designed to prevent MFA bypass attacks by using a security key, which is a small external device that either connects to your computer or phone through a port, a biometric or via Bluetooth to enable secure login to websites and applications. Since only the key owner has physical access to their device, phishing scams don’t work. Phishing-resistant MFA can come in a few forms, like smartcards or FIDO security keys.
The FIDO Alliance was formed by a group of companies that have been able to bake FIDO protocols into the operating systems, browsers, phones and tablets that you already own. And FIDO is supported on dozens of online services. Organizations large and small are starting pilots and even completing their rollout to all staff.
Other Ways to Protect Your Business
Online criminals are always looking for easy targets. Businesses that don’t take basic precautions are at risk. Take the following steps to make it harder for malicious actors to access your data or trick an employee into allowing access to your systems.

Secure Your Business
Protect your business, your employees and your customers with easy and effective safety habits and policies.

Teach Employees to Avoid Phishing
Harmful links or attachments could provide unauthorized access to information or infect your network with malicious code. This can result in data being held for ransom.

Require Strong Passwords
This is one of the easiest ways to protect your business from criminals who might otherwise access your accounts by guessing or automating hacking programs.

Update Business Software
Flaws give criminals an opening. Programmers publish patches, but you must install them to get their protection. Smaller businesses are often running outdated software because they don’t have full-time IT staff keeping up.
Related Content

October is Cybersecurity Awareness Month
Learn how to get involved and become a Cybersecurity Awareness Month partner!

Weak Security Controls and Practices Routinely Exploited for Initial Access
Share this with your IT provider/staff and encourage best practices to protect your systems.

Phishing Resistant MFA is Key to Peace of Mind
Require employees to use MFA and take it to the next level with FIDO security keys.

More than a Password
Multifactor authentication can make you, and your business, much safer than a password alone. Learn how!

Small and Medium Businesses
Ready for more?
CISA offers free information and tools to help small businesses protect their people, customers, intellectual property and other sensitive data.