The reality is that, if you don’t have Multi-Factor Authentication (MFA) in place and your employees fall for phishing scams or share passwords, your company is wide open to attacks.

Compromised credentials represent one of the biggest security threats in today’s world. The reason is simple: compromised credentials may be stolen, but once in an attacker’s hands they are still valid and legitimate. From the moment an attacker gets hold of a set of corporate credentials, the intrusion becomes very difficult to detect, because all of your security tools believe that the person logging in is exactly who they say they are.

Despite knowing the huge risk, many organizations are not going about password security the right way. A couple of years ago, we conducted research that showed only 38% of organizations were using MFA. Unfortunately, the most recent surveys show that things haven’t changed since then.

Four Misconceptions that Explain the Reluctance in Adopting MFA

Only large enterprises can benefit from MFA

Most organizations assume that MFA is only for big companies, but they’re wrong. The size of the company doesn’t matter: all businesses should be using MFA as an important step in their security strategy. The data that needs to be protected is just as sensitive, and the disruption just as serious, whatever the size. Using MFA is not necessarily complicated, costly or disruptive.

Only privileged users should be protected with MFA

Here again, this is wrong. In many organizations, most employees are considered ‘non-privileged’ because they don’t have access to critical data. Those employees rely on local Windows credentials alone, as using MFA seems like too much. The reality is that those users still have access to a lot of data that could be harmful to the company. You don’t believe me? Let’s take an example: a nurse selling a celebrity patient’s data to a newspaper.
This example illustrates well the value of the data and the damage that can be done when it is used in an undesirable way. Apart from that, hackers don’t usually start with a privileged account. In general, they start with an easy target to get into the system and then move laterally until they find valuable data.

Using MFA isn’t the perfect solution!

That’s true, but like any other solution, it’s never 100% perfect. MFA, however, is pretty close. Recently, the FBI published a warning about attacks where cyber criminals were able to bypass MFA. Experts agree that this kind of attack requires high costs and effort. In the majority of cases, hackers who encounter MFA will prefer to move on to an easier target. To avoid certain vulnerabilities, you can choose MFA authenticators that do not rely on SMS (the National Institute of Standards and Technology (NIST) discourages SMS and voice in its latest Digital Identity Guidelines). Despite its warning, the FBI still believes that multi-factor authentication is effective and constitutes one of the easiest steps to improve an organization’s security.

Using MFA will disrupt my employees’ productivity

It doesn’t have to. When implementing any new technology, there is always the challenge of impeding employees’ productivity as little as possible. This is why flexibility is needed in any MFA solution. You might not want to prompt users for MFA every time they log in. You can use contextual controls to further verify all users’ claimed identity without impeding employee productivity. Contextual factors can include location, time, machine, session type and number of simultaneous sessions.

Anyone’s credentials can be compromised, whether they are a privileged or non-privileged user. Businesses of all sizes must use MFA as a key step in their security strategy. It’s one of the easiest ways to keep accounts protected.
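To make the contextual-controls idea concrete, here is an added example (not code from the article or from any product) of a small policy that decides per logon whether to skip the prompt, step up to MFA, or refuse, using the five factors listed above: network location, time of day, machine, session type and number of simultaneous sessions. The trusted network, office hours, session cap and known-machine list are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed policy values for this illustration (assumptions, not any product's defaults).
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]
OFFICE_HOURS = range(7, 20)              # 07:00 to 19:59, local time
MAX_SESSIONS = 2                         # a further simultaneous session is refused
KNOWN_MACHINES = {"alice": {"WS-0142"}}  # machines each user normally signs in from


@dataclass
class LoginContext:
    user: str
    source_ip: str
    when: datetime
    machine: str
    session_type: str                    # "interactive", "rdp", ...
    active_sessions: int                 # sessions already open for this user


def evaluate(ctx: LoginContext) -> tuple[str, list[str]]:
    """Return ('allow' | 'mfa' | 'deny', reasons) for one logon attempt."""
    # Hard limit first: a pile-up of simultaneous sessions is a classic sign
    # of shared or stolen credentials, so no prompt is offered at all.
    if ctx.active_sessions >= MAX_SESSIONS:
        return "deny", ["session limit reached"]
    reasons = []
    if not any(ip_address(ctx.source_ip) in net for net in TRUSTED_NETWORKS):
        reasons.append("untrusted network")
    if ctx.when.hour not in OFFICE_HOURS:
        reasons.append("outside office hours")
    if ctx.machine not in KNOWN_MACHINES.get(ctx.user, set()):
        reasons.append("unknown machine")
    if ctx.session_type != "interactive":
        reasons.append(f"{ctx.session_type} session")
    if ctx.active_sessions > 0:
        reasons.append("concurrent session")
    # Familiar context: no prompt. Anything unusual: step up to MFA and keep the reasons for the audit log.
    return ("mfa" if reasons else "allow"), reasons


# Constructed sample logons (not real events).
SAMPLE_LOGONS = {
    "office": LoginContext("alice", "10.1.2.3", datetime(2024, 3, 4, 9, 0), "WS-0142", "interactive", 0),
    "night_rdp": LoginContext("alice", "203.0.113.7", datetime(2024, 3, 4, 2, 30), "LAPTOP-X", "rdp", 1),
    "flood": LoginContext("alice", "10.1.2.3", datetime(2024, 3, 4, 9, 0), "WS-0142", "interactive", 2),
}

if __name__ == "__main__":
    for name, ctx in SAMPLE_LOGONS.items():
        print(name, *evaluate(ctx))
```

The routine logon from a known workstation on the corporate network during office hours gets no prompt, the off-hours RDP logon from an unknown laptop is stepped up to MFA with every triggering factor recorded, and the third simultaneous session is refused outright.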
Discover how UserLock makes it easy to enable MFA and contextual access management in a Windows Active Directory environment.

About the Author

François Amigorena is the founder and CEO of IS Decisions, and an expert commentator on cybersecurity issues. IS Decisions is a provider of infrastructure and security management software solutions for Microsoft Windows and Active Directory. The company offers solutions for user-access control, file auditing, server and desktop reporting, and remote installations. Its customers include the FBI, the US Air Force, the United Nations and Barclays, each of which relies on IS Decisions to prevent security breaches, ensure compliance with major regulations such as SOX and FISMA, quickly respond to IT emergencies, and save time and money for the IT department.