How to protect your organization with multi-factor authentication

Compliance and Security

Published on December 4, 2017

The single best thing you can do to improve your organization’s cloud security is to turn on and enforce multi-factor authentication on all products that support it, especially your primary email and collaboration platform (as you may know, we recommend G Suite). This greatly reduces the harm that an attacker can do with stolen credentials.

While this may already seem like a requirement today, our data shows that the average company has only 37% of its employees using multi-factor authentication on their main G Suite accounts. The number gets even worse for smaller and early-stage companies: at companies with fewer than 50 people, just 22% of employees have multi-factor authentication enabled.

If you are one of the organizations lagging behind with multi-factor authentication, our hope is that this straightforward guide will help you implement this powerful and simple security measure.

Why multi-factor authentication works

For those of you who aren’t aware, multi-factor authentication (sometimes abbreviated MFA, and often called two-factor authentication or 2FA) relies on the idea of requiring multiple types of identification. This allows services to ensure that when someone attempts to log in, it is the actual user, and not someone who has stolen a username and password.

Since, as always, we want to employ people-first security (and not drive our users insane), most services just require two forms of authentication (hence 2FA being a common acronym). By requiring the user to provide two different types of evidence, 2FA makes credential theft and forgery significantly harder.

Here are the common types of authentication you will be asked to offer:

  • Knowledge: Something you (and hopefully only you) know. A good example is a password or passphrase. 
  • Possession: Something only you have access to. The most common is a smartphone. Many 2FA-enabled services will ask you to submit your phone number and receive one-time-use codes that serve as your second piece of identification.
  • Inherence: Something only you are. You’re probably most familiar with fingerprints, which are increasingly being used as an authentication factor via smartphones. Retina and other biometric factors are also beginning to become popular.

In most cases, a combination of knowledge and possession will be required of your users to sign in to a service that has implemented 2FA.

To put a finer point on it, the 2016 Verizon DBIR found that 63% of confirmed data breaches leveraged weak, default, or stolen passwords. With multi-factor authentication in place, stealing a password isn’t enough to allow criminals to break into your accounts.

Another benefit of implementing strong Google-based multi-factor authentication, should you go that route, is that many SaaS products are increasingly supporting Google Single Sign-on, which means that if you enforce MFA for Google, you’ll automatically get those benefits for all apps that use Google SSO.

How to implement multi-factor authentication with G Suite

Alright, let’s get down to brass tacks. Google has recently improved the process of enforcing MFA across your organization. Here’s a step-by-step walkthrough of the process:

  • First, set up two-step verification for your entire domain.
  • Next, turn on Two-Step Verification Enforcement for your entire domain.
  • When you do this, you’ll have to create a work-around for new employees and contractors. For new employees, you can create a “waiting period”: go to Security -> Advanced Security Settings and, under 2-Step Verification, set an enrollment period that starts when a new account is created. For contractors, you’ll need to create an “Exception Group.” This requires quite a few steps, but it will allow members of that group to log in without two-step verification.
  • Google’s default second factor is the Google app on mobile devices, which is a very user-friendly authentication step (a notification simply pops up on the smartphone asking whether the user approves this sign-in). This is recommended over the more traditional SMS-based second factor, because it is both simpler and more secure.
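Before turning on enforcement, an admin wants to know who is not yet enrolled and who would be affected by the enrollment waiting period. The following is an added example, not Google's or Vendr's code: it assumes user records in the shape returned by the Admin SDK Directory API `users.list` call, where `isEnrolledIn2Sv` reports 2-Step Verification enrollment and `creationTime` dates the account. The sample records, the reporting date and the 7-day grace period are constructed values; it produces the enrollment percentage the article quotes and the list of accounts that must enroll before enforcement locks them out.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of Admin SDK Directory API user resources.
# Field names are the API's; the people and dates are made up.
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "isEnrolledIn2Sv": True,
     "suspended": False, "creationTime": "2016-05-01T09:00:00.000Z"},
    {"primaryEmail": "bob@example.com", "isEnrolledIn2Sv": False,
     "suspended": False, "creationTime": "2016-09-15T09:00:00.000Z"},
    {"primaryEmail": "carol@example.com", "isEnrolledIn2Sv": False,   # new hire
     "suspended": False, "creationTime": "2017-12-01T09:00:00.000Z"},
    {"primaryEmail": "old-contractor@example.com", "isEnrolledIn2Sv": False,
     "suspended": True, "creationTime": "2015-03-03T09:00:00.000Z"},
]

# Assumed reporting date (the article's publication day) and assumed grace period.
REPORT_AS_OF = datetime(2017, 12, 4, 12, 0, tzinfo=timezone.utc)
GRACE_DAYS = 7


def parse_api_time(value: str) -> datetime:
    """Parse the RFC 3339 timestamps the Directory API returns (UTC, millisecond precision)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def twosv_report(users, now: datetime, grace_days: int = GRACE_DAYS) -> dict:
    """Summarise 2-Step Verification enrollment for the active accounts.

    Suspended accounts are ignored (they cannot sign in anyway). Unenrolled
    accounts younger than the grace period are still inside the enrollment
    waiting period; older unenrolled accounts need attention before enforcement.
    """
    active = [u for u in users if not u.get("suspended", False)]
    enrolled = [u["primaryEmail"] for u in active if u.get("isEnrolledIn2Sv")]
    in_grace, past_grace = [], []
    for u in active:
        if u.get("isEnrolledIn2Sv"):
            continue
        age = now - parse_api_time(u["creationTime"])
        (in_grace if age <= timedelta(days=grace_days) else past_grace).append(u["primaryEmail"])
    pct = round(100 * len(enrolled) / len(active), 1) if active else 0.0
    return {
        "active": len(active),
        "enrolled": len(enrolled),
        "enrolled_pct": pct,
        "in_grace_period": sorted(in_grace),
        "unenrolled_past_grace": sorted(past_grace),
    }


if __name__ == "__main__":
    for key, value in twosv_report(SAMPLE_USERS, REPORT_AS_OF).items():
        print(f"{key}: {value}")
```

Running the same report weekly after enforcement is switched on is a cheap way to confirm the number actually climbs toward 100% rather than stalling at the figures quoted earlier in the article.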

People-first multi-factor authentication

As we’ve mentioned before, a security protocol is only valuable if it is simple and straightforward for your users to apply. Otherwise, they will try to get around it, and if they can’t, you’ll lose productivity and efficiency (and possibly have some rather unhappy users on your hands). Multi-factor authentication, when implemented intelligently, makes it simple for your users to prove they are who they say they are when they log in to business-critical services, protecting your organization without creating unnecessary hassle.
