07 Oct Every business should implement a mandatory multi-factor authentication policy
Anita Byer
Businesses wanting to make the most of Cybersecurity Awareness Month (October) should consider implementing a mandatory multi-factor authentication (MFA) policy for all employees. MFA ranks among the most effective measures that organizations can implement to protect sensitive systems, accounts, and data. In fact, research conducted by Microsoft found that MFA can block more than 99 percent of account compromise attacks.
Multi-factor authentication is a security process that requires two or more independent proofs of identity, drawn from different categories, before a user is let in (two passwords do not count, because the same phishing page or data breach exposes both). When MFA is enabled, a person cannot access a system or account without first providing at least two identity authentication factors (credentials). These credentials can be:
- Something You Know (password, PIN, security question)
- Something You Have (hardware security key, authenticator app, or a code delivered by text, call, or email)
- Something You Are (fingerprint, facial recognition, voice recognition)
The Cybersecurity & Infrastructure Security Agency (CISA) recommends taking the following steps to secure sensitive business data using multi-factor authentication.
Require MFA wherever possible. Businesses should coordinate with IT to activate MFA across all systems, including email, file and data storage, and remote access. Administrative accounts and sensitive employee accounts should be made a priority.
Use the strongest MFA option available. CISA cautions that not all methods of MFA are created equal. Although any method of MFA is better than nothing, some methods provide more protection than others. CISA recommends that businesses implement a policy requiring one or a combination of the following MFA verification methods, which are listed from most to least secure.
- Security Key: A security key is a small hardware device, like a thumb drive or key fob, that provides an additional layer of security when logging into accounts. According to CISA, physical security keys are easy to use and provide the best protection against phishing attacks. The reason is that the key signs a one-time challenge together with the website address the browser is actually connected to, so a response captured on a look-alike site cannot be replayed against the genuine one.
- Authenticator App: Authenticator apps generate one-time codes from a secret shared with the service and the current time (typically valid for 30 seconds), or send a push notification to approve, to help users verify their identity when logging into networks or accounts. Two caveats apply: a code typed into a convincing phishing page can be relayed to the real site within its lifetime, and push approvals can be worn down by repeated prompts, so prefer apps that require the user to enter a number shown on the login screen rather than simply tapping "Approve".
- Biometrics: Biometric MFA is a security method that uses unique human characteristics, like fingerprints or facial features, to verify a user’s identity before granting access to a system or data. CISA notes that biometric security features are best when used with another method of MFA.
- Text or Email Code: Despite being the most familiar option, a one-time code sent by text or email is the least secure method of MFA (but still better than nothing): text codes can be intercepted by an attacker who takes over the phone number (SIM swapping), email codes are only as safe as the mailbox, and both can be phished like app codes. According to CISA, this method should only be used if stronger MFA options are not available.
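To make the ranking above concrete, here is an added example (not code from the original article or from CISA) that models the two mechanisms behind the top two entries. An authenticator app's time-based code is implemented as in RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits) with a server-side verifier that tolerates clock skew and refuses replays; the security key is a simplified stand-in in which an HMAC over (challenge, origin) plays the role of the key's signature, so that the whole thing runs on the Python standard library. A real FIDO2 key signs with a per-site private key and the site checks the public key, but the property shown is the same. The origins and the test secret are made up for the example.

```python
import hashlib
import hmac
import os
import struct


# --- Authenticator app: time-based one-time codes (RFC 6238) ------------------

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Code the app shows at Unix time `at`: HOTP over the current time step."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server side: accept the current step and one step either side (clock skew),
    and never accept a step at or before the last one consumed (replay)."""

    def __init__(self, secret: bytes, step: int = 30):
        self.secret, self.step, self.last_step = secret, step, -1

    def verify(self, code: str, now: int) -> bool:
        for skew in (-1, 0, 1):
            t = now + skew * self.step
            if t // self.step <= self.last_step:
                continue
            if hmac.compare_digest(totp(self.secret, t, self.step), code):
                self.last_step = t // self.step
                return True
        return False


def phished_totp_is_accepted(secret: bytes, now: int) -> bool:
    """Real-time phishing: the victim types the code into a look-alike page and the
    attacker submits it to the genuine site seconds later, inside the same window."""
    captured = totp(secret, now)                         # what the victim's app shows
    return TotpVerifier(secret).verify(captured, now + 5)  # genuine site accepts it


# --- Security key: challenge signed together with the origin ------------------

class SecurityKey:
    def __init__(self):
        self._secret = os.urandom(32)        # stands in for the key's private key

    def registration_data(self) -> bytes:
        return self._secret                  # a real key hands over a public key instead

    def sign(self, challenge: bytes, origin: str) -> bytes:
        # The browser, not the user, supplies `origin`; the user cannot be talked
        # into signing for a site the browser is not actually connected to.
        return hmac.new(self._secret, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


class RelyingParty:
    def __init__(self, origin: str, registration_data: bytes):
        self.origin, self._key, self._open = origin, registration_data, set()

    def new_challenge(self) -> bytes:
        challenge = os.urandom(32)
        self._open.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._open:      # unknown or already used challenge
            return False
        self._open.discard(challenge)        # each challenge is single use
        expected = hmac.new(self._key, challenge + b"|" + self.origin.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def legitimate_login(key: SecurityKey, rp: RelyingParty) -> bool:
    challenge = rp.new_challenge()
    return rp.verify(challenge, key.sign(challenge, rp.origin))


def phished_key_is_accepted(key: SecurityKey, rp: RelyingParty, phishing_origin: str) -> bool:
    """Same attacker-in-the-middle: it fetches a genuine challenge and relays it, but
    the victim's browser is on the phishing origin, so the signature covers the wrong
    origin and the genuine site rejects it. (A real key would not even hold a
    credential for that domain.)"""
    challenge = rp.new_challenge()
    return rp.verify(challenge, key.sign(challenge, phishing_origin))


if __name__ == "__main__":
    secret = b"12345678901234567890"         # RFC 6238 test-vector secret
    print("TOTP at t=59:", totp(secret, 59))  # 287082 per RFC 6238
    print("phished TOTP accepted:", phished_totp_is_accepted(secret, 59))
    key = SecurityKey()
    rp = RelyingParty("https://login.example.com", key.registration_data())
    print("legitimate key login:", legitimate_login(key, rp))
    print("phished key accepted:",
          phished_key_is_accepted(key, rp, "https://login.example.com.evil.test"))
```

Running it prints True for the relayed app code and False for the relayed key response, which is exactly why CISA ranks the security key first: the app code is a secret the user can be tricked into handing over, while the key's response is worthless anywhere but the real site. The verifier also rejects a second use of the same app code and a second use of the same challenge, which is the replay protection any MFA back end needs regardless of method.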
Training. Employees must be trained to understand the organization’s commitment to security and their individual obligation to implement and use MFA when accessing systems and data.
MFA makes it difficult for hackers to access sensitive business accounts or data even with the password. If you have the option to enable MFA, do it now. Systems and platforms without MFA capabilities are way behind the curve and should probably be avoided. Businesses should also have Cyber Perils Insurance Coverage to protect against various cyber threats and liability exposures. Please contact us if you would like more information about insurance specifically designed to protect against cyber threats and data security breaches.