From digital banking to streaming services, the average person in 2024 is keeping up with more than 168 passwords. But these passwords aren’t necessarily secure, which can lead to serious issues like data theft or financial loss. That’s where multi-factor authentication (MFA) comes in.
MFA makes it more difficult for fraudsters to access accounts—even if they have usernames and passwords—by adding an extra layer of security. Read on to learn more about MFA and how it improves security and compliance for financial institutions.
Want to learn more about strategies to strengthen your institution’s approach to cybersecurity? Check out our white paper.
What is MFA?
MFA is a security measure that requires an additional piece of information to authenticate or verify a user when logging into an account. Authentication methods include a one-time code or PIN sent via text message or email, biometric data like a fingerprint, or an authenticator application like those offered by Google or Microsoft.
How Does MFA Work?
If someone were to obtain an active username and password for an account, including a business or bank account, they could log in if MFA were not enabled. With MFA, the user is prompted for another piece of information.
While MFA does add an additional step to the login process, the protection is worth it since it prevents account compromise. MFA factors typically fall into three categories:
- Something you know, like a password or the answer to a security question
- Something you have, like a trusted device or token
- Something you are, like biometric data (e.g., face or fingerprint)
Types of MFA
Multiple methods of MFA exist to enhance security, and each has its advantages and drawbacks. Here are a few common forms:
- Push Authentication: The user receives a prompt in an app on a registered device. To maximize security, push authentication asks the user to enter a verification code shown on the device they are logging in from into the app before the push login is approved.
- Email Codes: In this method, the user receives an email with a code to input to authenticate. While emails are convenient, this method has associated risks if the email account is compromised.
- SMS Messages: Similar to email MFA, this method involves receiving an SMS text message with a code for authentication.
- Biometric authentication: Facial recognition or fingerprints are two common biometric methods used to complete the process.
- Security questions: MFA can include answering a security question as part of the authentication process. Knowledge-based questions do pose a security risk, especially since some questions can easily be found with internet research (e.g., mother’s maiden name or street name).
- Risk-based authentication: This method considers contextual signals about the login, such as IP address, location or device, to decide how much additional verification to require.
- Time-based OTP: For this form of MFA, users receive a temporary one-time password that can only be used for a specific window of time. These can come in the form of emails, phone calls or text messages.
Why Should Financial Institutions Use MFA?
Financial institutions face increasing cybersecurity threats, with employees often being targeted as entry points for malicious actors. MFA also helps banks and credit unions in these areas:
- Phishing and Credential Theft: Employees at banks and credit unions are frequently targeted by sophisticated phishing attacks, leading to credential theft and unauthorized access to sensitive systems. Since the rise of ChatGPT in 2022, it has unfortunately become even easier for cyber criminals to execute phishing attacks.
- Regulatory Compliance: Financial institutions must comply with stringent regulatory requirements to protect customer data, and MFA is a critical component of meeting these compliance standards.
- Remote Work Security: The shift to remote work has expanded the attack surface to include any systems or applications housed in the cloud, making it imperative to implement robust security measures like MFA to ensure secure access from diverse locations and devices. Institution employees can now access bank systems and applications when in the branch or working remotely, so having controls in place to protect your network is critical.
- Insider Threats: Even trusted employees can pose security risks, whether intentionally or through negligence. MFA adds an additional layer of protection against potential insider threats by verifying user identities.
What Accounts Should Use MFA?
Due to the amount of sensitive data they hold, financial institutions should require employees to use MFA to access their systems and network. Institutions should also encourage customers/members to enable this control on their financial accounts, email accounts and even social media.
Verizon’s 2023 Data Breach Investigations Report revealed that 61% of all breaches exploited user credentials—and 50% of these breaches were caused by stolen credentials. MFA makes it more difficult for fraudsters to access accounts, which is especially important as it becomes easier for them to access credentials as a result of breaches or on the dark web.
To compound this problem, people often knowingly or unknowingly use weak or compromised passwords for convenience. In fact, it’s estimated nearly 64% of consumers use a password exposed in one breach for other accounts.
Further, a 2022 survey from LastPass reported that 62% of respondents always or mostly use the same password or a variation. Another survey revealed less than half of Americans feel confident that their passwords are secure from compromise. This shows how vulnerable credentials are and why enabling MFA to strengthen account security is critical.
How Effective is MFA?
MFA helps secure users’ accounts and is particularly effective in preventing M365 account compromise, which usually results from users declining to enable MFA and reusing credentials across multiple sites, including social media and email. Microsoft claims that using MFA blocks 99.9% of automated account hacks.
Consider this example: Diane at LG Community Bank has MFA enabled on her M365 account. Her password—which she has used for other online accounts—was obtained by a bad actor on the dark web. A quick online search reveals her employer and email address, allowing the bad actor to attempt to log in to her M365 account after finding a vulnerability in their system. Because she has MFA enabled, she receives a prompt from her authenticator app to provide the code and complete the login. Without access to the second factor, the bad actor cannot gain access, and the bank’s IT department is notified of the denied login attempt.
Is MFA Compliant with Financial Industry Regulations?
Depending on your managed services provider, MFA methods can help institutions meet stringent regulatory requirements in the financial sector, including FFIEC guidelines, PCI-DSS, GDPR and others. 90% of compliance professionals agree that GDPR compliance is challenging to achieve, making MFA more valuable.
Some options even provide institutions with detailed logging and reporting features to support compliance audits. Systems may also support customized security policies that align with an institution’s specific needs, enabling risk-based authentication and adaptive security measures for different roles and locations.
Does MFA Affect the User Experience?
There’s no denying it—MFA adds an extra step to the login process. But the security it provides is well worth it. MFA can be user-friendly and minimally disruptive depending on the method used. Since a variety of authentication methods exist, including push notifications, biometrics and hardware tokens, users can choose the method that works best for them. The process is often quick and efficient, ensuring that security does not come at the expense of productivity.
Strengthening Security for Your Institution
By enabling MFA, you can provide consistent protection across all users, systems and locations to significantly reduce the risk of data breaches and ensure the security of banking operations.
If you want to learn more about strengthening your institution’s cybersecurity posture, read our white paper.
Sean Martin, Director of Product Strategy for Managed Services
Sean Martin has worked to establish cybersecurity programs for financial institutions for over 15 years. Previously, Sean served as Network and Security Operations Manager and Product Manager and held various engineering roles, beginning in 2001. In his role, Sean identifies and implements solutions designed to maximize security and profitability for financial institutions. Sean speaks regularly on a variety of financial technology issues, ranging from managed services to IT security best practices.