by Rob Simmons, CISSP

January 20, 2023

Multi-factor authentication (MFA) is a powerful cybersecurity measure that should be implemented by organizations of all sizes and used whenever it is available. MFA provides better online security than just a username and password because it requires users to provide two or more forms of authentication when logging in. MFA is a critical defense against stolen passwords.

So why isn’t everyone using MFA, especially to protect online systems that contain sensitive and personal information? Despite its benefits, many companies, government agencies, and other organizations have not implemented MFA and many users have declined to use MFA when it is available to them.

Let’s first look at three reasons why some organizations haven’t yet implemented MFA:

• Cost – Investing in multi-factor authentication can be expensive, and the cost might be prohibitive for small businesses. The first cost is for purchasing the MFA solution, installing it, configuring it to work with access control systems, and training employees to use it correctly. Another cost is for technical support, especially during the initial activation of the MFA solution, to respond to any issues.
• Complexity – Implementing multi-factor authentication can be complex and time-consuming because it must interoperate correctly with existing access controls and security systems. To successfully integrate the MFA solution into the existing security infrastructure, security managers must understand their existing access control infrastructure and evaluate how MFA can strengthen authentication without causing any operational problems.
• User Unfamiliarity – Some users may be unfamiliar with MFA systems, making it difficult for them to use the system correctly and securely. But the biggest hindrance might be inconvenience; some users don’t want to enter additional codes every time they access an account or application.

Next, we’ll discuss three potential reasons why a person might not take advantage of MFA.

• No Perceived Urgency – Many websites offer MFA, but some people might not feel the need to use it if they haven’t experienced a loss or had their account hacked. People might not realize they are already being targeted by powerful tools used by malicious actors. Others might decide against using MFA because they think that using MFA will make it harder to access their accounts, even if they know how beneficial MFA can be.
• Security Misconceptions – Some people might think that using a “strong” password (based on complexity rules) is enough to protect their accounts, but a “strong” password only reduces the risk. Others ignore MFA because they don’t understand how effective it is.
• Complexity of Setup – Some people struggle with setting up MFA—or don’t try to set it up—because they are uncomfortable with (or frustrated by) technology. Activating MFA requires technical knowledge, such as knowing how to download, install, and configure an MFA app on a smartphone.

As security threats become more sophisticated, multi-factor authentication will become increasingly important for protecting our online accounts and sensitive data. It’s essential for cybersecurity professionals to understand the challenges so we can make MFA implementation and user setup processes easier, cheaper, and less intimidating, especially for those individuals who are still hesitant about utilizing this important security measure.

About Unissant

Unissant, Inc. (Unissant) is an award-winning Small Business Administration (SBA) certified Small Disadvantaged Business (SDB) with experience as a prime managing large, enterprise-wide, Information Technology (IT) solutions for customers across the Health, Federal Civilian, National Security and Financial Services markets. We are a prime contractor on various government vehicles such as CIO-SP3 SB, GSA Professional Services MAS. GSA IT MAS, Seaport NXG and CMS SPARC.

We focus on five capabilities for our customers: Data and Advanced Analytics, Agile and DevSecOps, IT Modernization, Cloud Services and Cyber Security. Our team members are always learning, staying on top of the latest technology, using trusted methods as well as out-of-the-box innovations to craft solutions for customers that address the current problem and can adapt to the challenges of the future.

Headquartered in Herndon, Virginia with a satellite office in San Antonio, Texas, Unissant is a CMMI ML 3 Dev & SVC, ISO 9001:2015, ISO 27001:2013 company. Unissant is also the recipient of various industry awards such as SECAF Government Project of the Year, the ACT-IAC Innovation Award and most recently the FedHealthIT Innovation Award.