Getting Real About MFA
Undeniably a fantastic security strategy, multi-factor authentication has its limitations. But is that something you should share with clients?
In a perfect world…
There is no cybercrime, donuts are good for you, and your MSP doesn’t exist because technology takes care of itself.
In a less-perfect-but-still-pretty-good world…
You help one of your clients, Dorothy’s Donuts, set up multi-factor authentication (MFA) to protect the company’s email account. One day, a cybercriminal decides to mess with Dorothy and uses advanced password-cracking methods to figure out her email password. But when the troublemaker tries to log in, it’s MFA to the rescue. Crisis averted!
Meanwhile, in the real world…
Dorothy gets an email alerting her to suspicious activity on her business email account. She’s prompted to provide her email password plus a one-time passcode sent to her cell phone. The email looks legit, so Dorothy complies. She feels good entering the one-time passcode. This will PROVE it’s me, she thinks.
And just like that, poor Dorothy’s handed over the keys to her email to the threat actor, whose plan is to send emails out to Dorothy’s customers asking for donations ‘during a difficult time.’
The Moral of the Story?
Train and educate your clients!
Cybersecurity is about people, so make sure you’re taking care of yours. That means sharing information, conducting training sessions, and being honest.
Don’t tell your clients that MFA will solve all their security problems or throw out some statistic about how it stops 99% of cyberattacks (we’ll talk about this stat in a second).
So what should you tell them about MFA? If you ask us, the truth is always a good place to start.
And the truth is, MFA is an essential security strategy. The concept behind it is simple and powerful: it’s a lot harder for hackers to obtain two or more ‘proofs’ of your identity than just one (usually just your password).
Does MFA make things slightly more inconvenient on end users?
Yes. Logging into an MFA-protected account takes longer than logging into one without MFA protection.
Is MFA still worth having, despite the slight inconvenience it creates for end users?
Absolutely. The benefit of enhanced security provided by MFA far outweighs the minor inconvenience it adds. Remind your clients that while it’s a lot harder for hackers to obtain two or more ‘proofs’ of your identity than just one (usually your password), it’s only a little bit harder for you. And that’s how it should be; security should involve a fair tradeoff between safety and convenience, and MFA hits the sweet spot – it makes things a lot safer and only marginally less convenient.
So by all means, sing MFA’s praises – just don’t tell your clients that it repels 99% of all cyberattacks. The origin of this bogus stat seems to be two similar-sounding, albeit not quite as impressive, statistics.
The problem with the 99% claim isn’t just that it’s a misrepresentation of actual statistics; another issue is that it characterizes MFA as some sort of “super tool” – “the answer to all your security problems…or 99% of them at least.”
And this is precisely how you don’t want your clients thinking about cybersecurity. If they assume one tool or method will do all the work for them, they may not exercise proper vigilance or consistently employ best practices, creating vulnerabilities that experienced threat actors can easily exploit.
The lessons here have all been pretty simple. Tell your clients the truth – about MFA, and everything else, too. They can handle it. They can even handle the hard truths about MFA, like…
MFA isn’t infallible
It’s highly effective, but not a complete (or anywhere near complete) defense against cybercrime. But don’t stop there; also highlight specific ways that threat actors can bypass MFA:
- Prompt Bombing
- Social Engineering, etc.
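Prompt bombing leaves a trace an MSP can watch for: a burst of push prompts that the user denies or ignores, sometimes followed by the single approval that lets the attacker in. The following Python script is an added example written for this post, not code from The 20 or from any MFA product; it runs over a few constructed log lines in an assumed format (timestamp, user, event, outcome, with outcomes `denied`, `timeout` and `approved`) and flags both the burst and any approval that arrives while the burst is still open.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not real data). The format
# and the outcome names are assumptions; real identity providers use their
# own schemas, so map their fields onto these four before reusing the logic.
SAMPLE_LOG = """\
2024-10-02T01:58:12Z dorothy@example.invalid mfa_push denied
2024-10-02T02:01:40Z dorothy@example.invalid mfa_push timeout
2024-10-02T02:03:05Z dorothy@example.invalid mfa_push denied
2024-10-02T02:04:51Z dorothy@example.invalid mfa_push timeout
2024-10-02T02:06:22Z dorothy@example.invalid mfa_push denied
2024-10-02T02:07:10Z dorothy@example.invalid mfa_push approved
2024-10-02T09:15:00Z toto@example.invalid mfa_push approved
2024-10-02T13:42:33Z toto@example.invalid mfa_push denied
2024-10-02T17:05:09Z toto@example.invalid mfa_push approved
"""


def parse_line(line):
    """Split one log line into (timestamp, user, event, outcome)."""
    ts, user, event, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, outcome


def detect_prompt_bombing(log_text, window=timedelta(minutes=10), threshold=4):
    """Return {user: [alerts]} for users who received `threshold` or more
    denied/timed-out push prompts inside `window`.

    Two alert types are produced:
      push_burst           - the burst itself, raised once when it starts
      approval_after_burst - an approved push while the burst is still within
                             the window, i.e. the moment a worn-down user may
                             have let the attacker in
    """
    recent = defaultdict(deque)   # user -> timestamps of denied/timeout pushes
    burst_open = set()            # users whose burst has not aged out yet
    alerts = defaultdict(list)

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, event, outcome = parse_line(raw)
        if event != "mfa_push":
            continue

        q = recent[user]
        # Drop prompts older than the sliding window; if the count falls below
        # the threshold the burst is considered over.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) < threshold:
            burst_open.discard(user)

        if outcome in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold and user not in burst_open:
                burst_open.add(user)
                alerts[user].append({"type": "push_burst", "count": len(q), "at": ts})
        elif outcome == "approved" and user in burst_open:
            alerts[user].append({"type": "approval_after_burst", "at": ts})

    return dict(alerts)


if __name__ == "__main__":
    for user, found in detect_prompt_bombing(SAMPLE_LOG).items():
        for a in found:
            print(f"{a['at'].isoformat()} {user}: {a['type']}"
                  + (f" ({a['count']} prompts)" if "count" in a else ""))
```

The window and threshold are deliberately conservative; a handful of denied prompts in ten minutes is already far outside normal use, and the `approval_after_burst` alert is the one worth a phone call to the client, because it is exactly the 5 am moment described later in this post.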
MFA creates inconvenience
While some MFA solutions are more user-friendly than others (we’re particularly proud of our ID 20/20 software for offering a seamless user verification process), there’s no such thing as an MFA solution that creates zero inconvenience. It’s an extra step by definition – no reason to pretend it isn’t.
MFA is necessary
Perhaps the hardest and most important truth of them all. MFA won’t solve all your security problems, but you still need it. If you’re looking for a clear analogy to help illustrate this point, talk about seatbelts: people need to wear seatbelts – or really should, at least – but that doesn’t mean seatbelts offer complete protection in traffic, or that you don’t need to do other things to stay safe on the road, like pay attention, follow traffic rules, go the speed limit, etc. Using MFA is like wearing a seatbelt.
In some cases, MFA is literally necessary, as it’s now common for cyber insurance companies to require MFA for cyber coverage. If this is what it takes to get your clients using MFA, so be it.
Closing Thought – Relationships Matter!
Let’s say your client gets hit with a prompt bombing attack. All night long, their cell phone buzzes and lights up with notifications: one authentication request after another. At 5 am, exhausted and annoyed, they…
Well, that depends. Does your MSP have strong relationships with clients? Do your clients like you? Do they feel comfortable picking up the phone and calling your help desk – even at 5 am?
When people say cybersecurity is about people, this is what they mean – this exact moment when your client encounters something strange and suspicious. What do they do?
If they have a strong relationship with your MSP, if they’re comfortable calling you at the drop of a hat, if they like and trust you, then…
They will call you about it first, before taking any other action.
This is just one example that shows the importance of building strong relationships with your clients – one of many. When you establish genuine relationships with clients, it not only makes things easier (like sharing hard truths about MFA); it also enhances overall security by fostering transparency and teamwork.
Communication, collaboration, cooperation. Even with the latest AI-fueled innovations, these remain the most powerful security tools at our disposal.
But how do you build strong MSP-client relationships?
Lots of ways – but this blog post has focused on a particularly important aspect of building strong relationships: telling the truth! It’s not always easy, but if you’re consistently transparent with clients, they will come to appreciate your honesty and trust you. And when that happens, they will be much quicker to accept a hard truth from you than an ‘easy lie’ from the MSP down the street.
So keep it real, stay safe, and stay tuned for more security-focused content as we celebrate #CybersecurityAwarenessMonth here at The 20.
Learn more about The 20 MSP Group and how we help small and medium-sized MSPs find success in our fiercely competitive industry.