True Stories of Cyber Awareness: MFA (09/18/2025)
MFA, or Multi-Factor Authentication, is a security measure built on "what you know" and "what you have". "What you know" is your username and password. "What you have" is your phone, email or hardware token, which adds another layer of security.
Other security measures can be implemented as well, like location services or only allowing sign-ins from a specific country. Specific conditions can be configured.
Without MFA, your username and password can be the only defense against someone gaining access to your accounts. A strong password or passphrase is optimal. A passphrase might be something you say or do, which makes it even harder to crack. "Uncle Fred is nuts" becoming Uncl3Fr#d1sNutz* is a simple example of a passphrase. It's a simple phrase that uses a capital letter, a number and special characters.
Complacency kills. This is true on many levels. The same is true for cybersecurity. Saying "I thought MFA was enabled" reveals more to me about you than you realize. You don't know your environment because you never did an audit every few months. Security is never just "set it and forget it".
I see this often where a security professional tells a story of how they lost their accounts and gained them back like the process is something to be proud of. "Here's how I did it!"
Nowadays we have SSO, or Single Sign-On, about which I continue to find myself on the fence. You sign in once with MFA and then you have access to your accounts moving forward without sign-in fatigue. This sounds great, but there are security issues present using this method too.
I worked with an engineer who claimed SSO was the best thing ever. He argued that we should have it set for everything, including access to HR software. HR didn't agree. I didn't either. There are many benefits to SSO, but other security layers need to be added, like conditional access, logging, monitoring, and alerts.

Never trust someone who claims there is no risk when referring to SSO. There is always risk and methods of compromise. There is always a chance of someone or something breaking everything you have.
Always do an audit every few months, as what you thought was true might not be.