By Need

Optimize IT Environments for Cost, Efficiency, and Security

Managed solutions that lower TCO while increasing your ROI

Security Programs

Enterprise wide security programs & zero trust

Hybrid Cloud Environments

Secure, scalable, and optimized

Modern Networks

The crucial foundation of business

Anytime Secure Access

Combining productivity and security

Innovation Velocity

Improved developer experiences

Managed Carrier Services

High performance and cost effective

Staff Augmentation

Strategic IT talent on-demand

View All Needs

By Industry

Finance & Banking

Stay ahead of today’s rapid change

Healthcare & Life Sciences

Improve lives with modern solutions

Business Services

Create efficiencies for sustained success

Public Sector

Serve the community with technology

Manufacturing

Unlock efficiencies for Industry 4.0

Retail

Get closer to customers

View All Industries

By Function

IT & Operations

Support your strategic vision

Engineering & Development

Enhance your developer experience

Finance & Procurement

Optimize for cost and security

Product Management

Make your vision a reality

HR

Focus on your people

View All Functional Areas
Managed Services

Remove the complexity of daily IT maintenance and focus on business growth

Cybersecurity & Risk Management

Secure business processes without sacrificing employee productivity

Cloud

Accelerate digital transformation while optimizing for cost

Carrier Services

Simplify and centralize complex business communication systems

Modern Workspace

Empower employees to work from anywhere on any device

Networking

Connect traditional environments to new secure cloud possibilities

Datacenter Modernization

Adapt to a hyperscaled cloud-first IT environment

Resource Management

Find the talent to drive your critical initiatives forward with confidence

View All Services

Learn

Knowledge Center
Events & Webinars
Blog
News

FEatured Resource

Modern Workspace 7 min read

CIO Fireside Chat Recap: Leveraging Generative AI in the Microsoft Cloud

By Jeff Cratty
Partners

Company

About Blue Mantis
News
Leadership
Client Experiences
Awards
Philanthropy
Careers
Locations

FEatured News

Oct16

Blue Mantis and HYCU® Partner to Deliver Enhanced SaaS Application Management, Protection and Compliance

Read More
Let’s Meet
All Blog Posts
Cybersecurity & Risk Management

Why MFA Is Must-have Cybersecurity for Business

By Jay Martin May 22, 2024

We live in an always-connected, multi-device, and multi-platform world. You probably use a MacBook or PC laptop for work. When you’re at the airport or watching your kid at a school event, you’re periodically checking work emails from your smartphone. And you likely have documents and emails stored in the cloud so that your work is accessible across all these devices and platforms.  

However, using standard “enter your username and password” login credentials for any cloud-based resources is a security nightmare for IT leaders. Literally billions of usernames and passwords have been stolen, were posted online, and are exploited by criminals every day. Many users still reuse their corporate usernames (typically their work email address) and passwords—or at least a variation of that password—on personal websites.  

In the recent past, we’ve seen hackers steal millions of user credentials from cloud-first companies like Uber, Twitter, Marriott, Cloudflare, and Twilio. These credential harvesting campaigns are just the beginning for criminal hackers. Even if criminals don’t have the latest password for the username, they’ll follow up with a brute force attack to guess weak passwords, get into the compromised cloud account, and then move laterally inside the corporate network. That’s why every IT department should include a multifactor authentication (MFA) process to secure their employees’ user accounts across all devices and platforms.

What Is Multifactor Authentication (MFA)?

Multifactor authentication (MFA) is a security method that requires users to provide two or more pieces of evidence to verify their identity before accessing a system or service. MFA can prevent unauthorized access to sensitive data and resources by adding an extra layer of protection beyond passwords. Any login with MFA requires a user to present a combination of two or more unique credentials to verify their identity. So, even if one user credential becomes compromised—for example, the user’s password is known or guessed by brute force—the criminal won’t have the second authentication requirement and is blocked from completing the login.

The idea of multifactor authentication is not new. In the ancient times before Netflix (you see this written on wiki pages as “1996 B.N.”), people watched movies in their homes on physical media rented from retail stores like Blockbuster. The movies on physical media were a costly capital expense for the retailer, so the retailer generated profit from many customers paying a few dollars to rent the physical media for a day or two. To protect the retailer against a customer from not returning that physical media, the rental store had customers provide two or more forms of identification to authenticate their accounts.

Exterior of last remaining Blockbuster Video location in Bend, OR, Coasterlover, 2018
Exterior of last remaining Blockbuster Video location in Bend, OR (2018)

Fast forward to our modern cloud-first world where an online account with multifactor authentication is more secure than just relying on an ID and password. That’s because adding a second or third factor compensates for the weakness of that single authentication factor.

More Factors = More Security for Users

It is important to allow more than just one authentication factor for your users. This is so everyone in your organization has access to an alternate MFA option in case their primary option is unavailable. Blue Mantis deploys, configures, and manages multifactor authentication for customers. Two-factor authentication (2FA) is the most common deployment and combines what you know (your password) with what you have using a variety of industry-standard methods including:

  • Voice or text to a phone – These options allow for sending either an automated voice call or text message to the user’s phone. The user can answer the voice call and press the # key on the phone keypad to approve their authentication. The text message has a verification code the user must type into the sign-in interface. “Call to phone” is a great backup method for notification or a verification code from a mobile app if the user cannot receive SMS texts on their phone. 
  • Push notification through a mobile app – A push notification is sent to an authenticator app on a user’s personal or corporate-owned device. The user views the notification and hits the “Approve” link to complete verification. Business IT leaders can set up push notifications using mobile apps such as Duo Mobile and Microsoft Authenticator for both Google Android and Apple iOS. However, if your users travel to China, note that push notifications on Android phones doesn’t work the same way there as they do in the rest of the world. This is a perfect real-world example of why you should always have multiple authentication options for your users. 
  • Hardware security keys Based on the open standards created by the Fast Identity Online (FIDO) Alliance, these small devices store an encrypted private authentication key unique to a user that often includes a biometric component such as a fingerprint. Because hardware keys must be in the possession of the user to authorize the MFA challenge, and the user’s login credentials are stored on the device rather than a server, this security model eliminates not only password theft but also phishing risks.

Even with MFA, You Can Still Get Hacked

Deploying multifactor authentication at your business does not guarantee an employee won’t be the victim of a cyberattack. Sure, MFA helps make users more secure; nothing can protect your employees against 100% of all methods of compromise. Speaking of percentages, there’s been a widely distributed statistic about the efficacy of MFA, claiming for years that it can stop 99.9% of attacks. But if you really think about it, that means every other possible type of attack—from phishing/malware, to insider threats, distributed denial of service (DDoS), and even cloud storage bucket misconfigurations—accounts for the 0.1% of successful attacks. Considering that most of the IT security professionals I’ve worked with estimate that unpatched software is the cause for the majority of successful cyberattacks, it’s obvious that 99.9% statistic is…well, let’s just say  “outdated.” 

The Cybersecurity & Infrastructure Security Agency (CISA) warned that bad actors were exploiting “default MFA protocols and a known vulnerability” to automatically enroll devices for multifactor authentication on corporate networks. The attackers would use a combination of stolen user credentials, automated policies for enrollment of MFA devices, and unpatched software to effectively bypass multifactor authentication and gain full access to the victim’s cloud storage and corporate email. To mitigate damage from these attacks, the best course of action is for an IT department to adopt and enforce zero trust access policies that include MFA as one part of a holistic security strategy.

Setting Up Multifactor Authentication Security at Your Business

The good news is that most providers of cloud-centric IT tools for business have multifactor authentication options for securing user accounts. For example, Microsoft 365 for Business subscribers get a free version of MFA in the cloud called “Entra ID multifactor authentication.” It is a full featured and highly configurable MFA option but is not enabled for all Microsoft 365 users by default. Entra MFA is just one of the many options IT managers and cybersecurity professionals can use to implement multifactor authentication for users. 

However, setting up MFA at scale is often difficult for overworked IT departments. The process can be painful for mid-sized organizations with 200, 500, or over 1,000 employees that don’t have a dedicated cybersecurity expert on staff. For these organizations, using a managed service provider like Blue Mantis can help quickly and successfully configure and manage a multifactor authentication environment. In addition, our cybersecurity experts can work as an extension of your existing IT department to reduce the attack surfaces of your cloud assets, corporate network, and hybrid workforce while improving ease of use for end users. 

Connect with Blue Mantis today and we can assess your current IT environment and recommend ways that MFA can secure your digital assets.

Jay Martin

Chief Information Security Officer

Jay Martin is the Chief Information Security Officer (CISO) and Cybersecurity and Risk Advisory Lead for Blue Mantis. His nearly three-decade career has been a mix of business leadership and information security. He helped establish InteQ Corporation, later acquired by Computer Associates, and co-founded Service Catalyst, which became a PwC acquisition, where he served as president and CISO. Both companies were leaders in IT transformation, cybersecurity, and governance risk and compliance.

At InteQ, Jay developed their Global Information Security practice, aligning compliance and regulatory requirements with financials, technology, processes, culture, and vendor partners. At Service Catalyst, he led strategic cybersecurity, operational readiness, BCP/DR, incident response, and ITIL/ITSM initiatives, working with Boston-area institutions like UMB Bank, T.J. Maxx, Harvard Business School, Logan Airport, and more.

During the implementation of the Affordable Care Act, Jay was tasked with enhancing the State of Vermont’s operational readiness, focusing on security incident response and ITSM practices. He managed the state’s cybersecurity plan of action and milestones after identifying deficiencies during a security control assessment.

As virtual CISO for Dunkin’ Brands International (acquired by Inspire Brands for over $15B in 2020), Jay managed cybersecurity and compliance activities, including vulnerability management, SOC/SIEM practices, third-party security risk, red team testing, and overseeing security in 8,000 stores.

Prior to joining Blue Mantis, Jay was Client Solutions Director and Cybersecurity Practice lead for Advizex Technologies, running their Emergency Incident Response Team and overseeing cybersecurity and compliance risk assessments.

Recent Blog Posts

View All Posts
9 min read

Understanding Your VMware Alternatives

By Tim Ferris
Modern Workspace 6 min read

How Our Technology Innovation Center Helps Simplify IT Device Management

By Scott DiGioia
Cybersecurity & Risk Management 7 min read

The Importance of Cybersecurity Awareness Month for Your Business

By Pete Harris