SMS, App, or Security Key: Which MFA Method Is Right for Your Business?
Your practice manager logs in to your cloud accounting system at 9am on a Tuesday. What she does not know is that someone in another country logged in as her at 3am, using a password stolen months ago in a data breach she never heard about. By the time anyone notices, client records have been accessed and files have been encrypted. The ransom demand arrives by email before morning tea.
Stolen passwords are behind more data breaches than any other type of attack. And with most business systems now cloud-based - email, accounting, file storage, practice management - a stolen password is often all a criminal needs. Once they are in, they can read your emails, impersonate your staff, access client files, and in the worst cases, lock you out of your own data and demand payment to get it back.
Multi-factor authentication, or MFA, is the most straightforward way to stop this. Even if a criminal has a valid username and password, MFA requires a second form of verification before the login goes through. Without that second factor, they cannot get in. What most businesses do not realise is that not all MFA is equally effective - and the most convenient option is also the least secure.
There are three main methods. SMS-based MFA sends a code to your mobile phone by text message. It is the most familiar and easiest to adopt because everyone already knows how to receive a text. The downside is that it is also the most vulnerable. There is malware capable of cloning SIM cards, which means an attacker who targets your staff could intercept those messages. For most everyday accounts it is still far better than nothing, but for sensitive systems it is not the strongest option.
App-based MFA uses an authenticator app - installed on a phone or computer - to generate or receive a code. This sits in the middle ground. It is more secure than SMS because the code is tied to the app on a specific device rather than to a phone number, and it is still reasonably convenient for staff once they have it set up. A Google study found that app-based MFA blocked between 90 and 100 percent of automated attacks, compared with 76 to 100 percent for SMS. For most professional services businesses, this is a sensible default.
Security keys are the most secure option. These are small physical devices that plug into a computer or phone to complete the login. The same Google study found security keys blocked 100 percent of all three attack types tested. The trade-off is convenience - staff need to carry the key with them, and a lost key creates a real practical problem. For staff with access to highly sensitive client data, the extra protection is worth it. For everyone else, app-based MFA usually strikes the right balance.
Getting MFA set up properly across your business is not complicated, but it does need to be done in a way that works for how your team actually operates. That means choosing the right method for each system, making sure staff know how to use it, and having a recovery process in place for when someone loses a phone or changes devices. A managed IT provider for professional services businesses can handle all of that without disrupting your day. ITstuffed sets up and manages MFA for professional services businesses across Canterbury as part of a broader approach to keeping your business secure.
If you are not sure whether your current setup is protecting you as well as it should, ITstuffed offers a 15-minute IT Fit Check - a quick conversation to identify where the gaps are. Book one here.