How to protect your organization with multi-factor authentication
Compliance and Security
The single best thing you can do to improve your organization’s cloud security is to turn on and enforce multi-factor authentication on all products that support it, especially your primary email and collaboration platform (as you may know, we recommend G Suite). This greatly reduces the harm that an attacker can do with stolen credentials.
While this may already seem like a requirement today, our data shows that the average company only has 37% of their employees using multi-factor authentication on their main G Suite accounts. And this number gets even worse for smaller and early-stage companies, where just 22% of employees at companies with less than 50 people have multi-factor authentication enabled.
If you are one of the organizations lagging behind with multi-factor authentication, our hope is that this straightforward guide will help you implement this powerful and simple security measure.
Why multi-factor authentication works
For those of you who aren’t aware, multi-factor authentication (sometimes abbreviated MFA, and often called two-factor authentication or 2FA) relies on the idea of requiring multiple types of identification. This allows services to ensure that when someone attempts to log in, it is the actual user, and not someone who has stolen a username and password.
Since, as always, we want to employ people-first security (and not drive our users insane), most services just require two forms of authentication (hence 2FA being a common acronym). By requiring the user to provide two different types of evidence, 2FA makes credential theft and forgery significantly harder.
Here are the common types of authentication you will be asked to offer:
- Knowledge: Something you (and hopefully only you) know. A good example is a password or passphrase.
- Possession: Something only you have access to. The most common is a smartphone. Many 2FA-enabled services will ask you to submit your phone number and receive one-time-use codes that serve as your second piece of identification.
- Inherence: Something only you are. You’re probably most familiar with fingerprints, which are increasingly being used as an authentication factor via smartphones. Retina and other biometric factors are also beginning to become popular.
In most cases, a combination of knowledge and possession will be required of your users to sign in to a service that has implemented 2FA.
To put a finer point on it, the 2016 Verizon DBIR found that 63% of confirmed data breaches leveraged weak, default, or stolen passwords. With multi-factor authentication in place, stealing a password isn’t enough to allow criminals to break into your accounts.
Another benefit of implementing strong Google-based multi-factor authentication, should you go that route, is that many SaaS products are increasingly supporting Google Single Sign-on, which means that if you enforce MFA for Google, you’ll automatically get those benefits for all apps that use Google SSO.
How to implement multi-factor authentication with G Suite
Alright, let’s get down to brass tacks. Google has recently improved the process of enforcing MFA across your organization. Here’s a step-by-step walkthrough of the process:
- First, set up two-step verification for your entire domain.
- Next, turn on Two-Step Verification Enforcement for your entire domain.
- When you do this, you’ll have to create a work-around for new employees and contractors: For new employees, you can create a “waiting period” by going to Under Security -> Advanced Security Settings under 2-Step Verification, you can set an enrollment period after a new account is created. For contractors, you’ll need to create an “Exception Group.” This requires quite a few steps, but it will allow members of that group to login without two-step verification.
- Google’s default second factor is the Google app on mobile devices, which is a very user-friendly authentication step (a notification simply pops up on the smartphone to ask whether the user is approving this sign in). This is recommended over the more traditional SMS-based second factor, because it is both simpler and more secure.
People-first multi-factor authentication
As we’ve mentioned before, a security protocol is only valuable if it is simple and straightforward for your users to apply. Otherwise, they will try to get around it, and if they can’t, you’ll lose productivity and efficiency (and possibly have some rather unhappy users on your hands). Multi-factor authentication, when implemented intelligently, makes it simple for your users to prove they are who they say they are when they log in to business-critical services, protecting your organization without creating unnecessary hassle.