
An SMB Quick Guide: Multi-Factor Authentication

If you’ve purchased or renewed cyber insurance lately, especially if you own a small business (SMB), the chance is good that you’ve been asked about multi-factor authentication (MFA). As cyber-attacks evolve in scope and complexity, the IT industry continues to adapt security stack layers, including multi-factor authentication. This type of security is an essential investment for VPN access, email, and data security.


Here’s a quick guide to help you navigate the current world of authentication.

First, a general definition.

MFA is standard in almost every corporate environment. You are probably most familiar with it as part of your banking interactions. Online banking on your mobile app requires a “challenge email” or cell phone authenticator. Your ATM requires your debit card and a PIN number. These are both examples of two-factor authentication. Multi-factor and two-factor authentication are often used interchangeably; however, two-factor authentication demands only two identifying factors. MFA requires two or more pieces of information.


Authentication systems may use knowledge-based questions, such as personal security questions (what was your first pet’s name), possession-based information, such as a one-time passcode sent to a smartphone, or inherence-based models based upon facial recognition, voice or retina and iris scanning.


The most common type of authentication is the one-time passcode (OTP) model. A multi-digit code is received via email, text, or mobile app. A new code is issued each time the user attempts to access the resource. Multi-factor authentication may employ a username and password as the first identifying factor and then require a passcode.

Secure Your VPN

Cloud computing and remote work demand MFA. Criminals use credential phishing (stealing usernames and passwords by pretending to be a known individual or entity in email) and spear phishing/social engineering to trick legitimate users into sharing sensitive information that may quickly enable access to a network via VPN.


MFA provides a greater degree of identity assurance before allowing access to your critical systems and data. MFA for VPN is the best way to add an extra layer of protection to VPN logins to prevent hackers from accessing your account even if they know your username and password. Your IT services provider or internal IT team can ensure that MFA is utilized.

Protect Email in Office 365 and Gmail

Email applications like Office 365 and Gmail should be set up with MFA to protect emails and files in the cloud. Microsoft reports that users who enable MFA block 99.9% of automated attacks, even if a hacker has the user’s current password. Google reports similar statistics for their Gmail application. This type of protection is an added feature that must be set up and activated to ensure it is protecting your application.

The Future of MFA

The security industry is leaning heavily into artificial intelligence to develop stronger forms of protection. These may include:


  • Location-Based Authentication – Examines the IP address to determine whether the login location matches user data.
  • Adaptive Authentication/Risk-Based Authentication – Considers user context and behavior patterns to assess risk and require additional forms of identity verification.


All businesses must create more layers of security to protect themselves against IT network damages. Small businesses are targeted the most by criminals hoping to gain easy access to a treasure trove of data. Investing in an effective, managed MFA strategy is the best defense against cybercrime, saving your small business time and, importantly, money.