Why multi-factor authentication is the most secure solution

by Perry Chaffee, on Tue 24 July 2018

The industry agrees that the era of single-factor authentication, what you might know as a password, is long gone. It’s simply not secure enough anymore. According to the 2017 Verizon Data Breach Report, 81 percent of data breaches were a result of weak or stolen passwords.

As technology keeps advancing, many methods have been shown to increase security tenfold by making cyberthieves jump through more hoops and pull off more involved thefts in order to access information or assets. When evaluating options for increasing authentication and access security, CISOs and IT administrators must weigh several factors.

In order to decide what level of security their business requires for access management, CISOs should make sure they have a clear understanding of the various options. At a quick glance, modern options fall under two basic categories: two- or multi-step authentication and multi-factor authentication.

Two-step authentication: Better, but not the strongest

Two- or multi-step authentication has become a prevalent way to add another level of security in recent years. Anyone who has been sent a PIN code via SMS message on their mobile phone from an email provider, like Gmail or Yahoo!, is familiar with this method.

These “one-time passwords (OTP)” introduced as part of the login process are often confused with “multi-factor” authentication. If an attacker wants to gain access to an account, they need only steal three pieces of information: the account name, the password and the passcode sent to the device (all one factor: “something you know”). All of this information can be obtained without the attacker leaving their desk, because the authentication key is the information delivered to the device, not the device itself.

Multi-factor authentication: True security

Multi-factor authentication (MFA) requires a second (or third) and different kind of factor, not just another step. The reason most people confuse “multi-step” with “multi-factor” is that they perceive the use of a device as “something you have,” in addition to “something you know,” and therefore assume the criteria of multi-factor authentication are met. This is not the case. Despite appearing on a device, the person is still entering information they know, which can be stolen by a motivated hacker.

MFA requires a physical device, like a smart card or token (“something you have”), widely used by banks and healthcare organizations, or a form of biometric (“something you are”), like a retinal or fingerprint scan, in addition to entering a password or other known PIN. Since obtaining “something you have” or “something you are” would require a physical theft in addition to a cyber theft, this greatly increases the security of this method versus others and diminishes the chances of stolen data and security breaches. It’s up to you to choose the right multi-factor authentication solution for your business.

Want to learn more? Make sure you’re ready for the death of the password and know how to effectively implement an MFA solution right-sized for your business.