Email has made written communication much easier and faster, both for individuals and businesses. It is also considered relatively safe, thanks to the encryption of messages in transit. However, this should not give us a false sense of security. Email inboxes still can and often do get compromised, which may have serious consequences for the victim.
When not in transit, emails are typically stored as readable text on the mail server. Gaining access to someone’s inbox therefore means gaining access to their correspondence, which often contains confidential information. Not only do we send important documents as part of internal email communications, but we also use email to share and sign documents with applications such as DocuSign or EchoSign.
An adversary who gains access to our mailbox can forge our signature on these documents. They can also impersonate us in communication with our friends, family, or work colleagues, potentially obtaining even more valuable data from them or sending them messages with malicious content (such as malware or ransomware). A compromised employee inbox can thus affect many people in an organization, potentially causing significant harm.
So, how safe is email, and is there a way to make it more secure? The shortest answer is: the security of your email communications depends on your awareness of potential cyber threats and your ability to mitigate them.
Of course, individuals and organizations have different capacities to protect themselves against and respond to threats. Different solutions will be employed to secure a personal email account and, for example, a cloud contact centre solution. However, some measures can be taken by everyone at no, or almost no, additional expense.
One of these measures is multi-factor authentication (MFA), which will be discussed in detail in this post.
What is multi-factor authentication?
Normally, an email inbox is protected by a password set by the user and known to the user only. It is now widely known that this is not enough to protect the mailbox against cyber criminals, who can get hold of passwords using one of many password-cracking techniques, by guessing weak passwords, or by obtaining credentials exposed in data breaches and traded on the dark web.
Luckily, it is usually possible to protect accounts (email, as well as other accounts, such as social media accounts, or online store accounts) with more than one authentication factor. When two or more forms of identity verification are required to access a user account, we are dealing with multi-factor authentication.
It adds an extra layer of security to the authentication process, making it more difficult for an adversary to gain access to an account, even if they know the password.
How does MFA work?
Authentication factors can be classified into three categories:
- something you know (e.g. password)
- something you have (e.g. mobile phone, hardware token)
- something you are (e.g. fingerprint, retina scan)
Multi-factor authentication combines solutions from at least two of these groups. So, to log in to your email account, you may need to provide your password and a one-time code sent to your mobile phone in a text message or displayed in an authenticator app. These are the most common ways to add an extra layer of security to an email account.
These are not infallible, however. First of all, a phone can be stolen. Secondly, an adversary can get access to your text messages through SIM-swapping fraud or social engineering.
Of course, these fallible methods are still better than not having multi-factor authentication at all. However, more reliable solutions should be chosen when possible. This is especially true in corporate settings, where a breach can cause significant financial and reputational harm to an organization. Alternative authentication methods used in MFA may include:
- OTP tokens: hardware devices or software programs that generate single-use passwords or PIN codes (in some apps, a one-time password can be converted into a QR code that works just like a QR code on a business card or product label).
- Smartcards: physical electronic authentication devices that can also exist in a digital form.
- Soft token software development kits (SDKs): software embedded into mobile apps that uses cryptographic methods to authenticate a device.
- Fast identity online security keys (FIDO2): passwordless authentication using a hardware security key, connected over USB or NFC, that is registered with the system.
- OATH software tokens: a free, open-source authentication method based on the HOTP algorithm (RFC 4226).
- Voice verification and other biometric techniques.
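To make the one-time codes mentioned above concrete (the authenticator-app codes and the OATH/HOTP tokens), here is an added example, not code from the original post, implementing HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238), together with a simple server-side verifier. The shared secret and the expected codes are the published test vectors from RFC 4226 Appendix D and RFC 6238 Appendix B; the verifier's look-ahead window and clock-skew tolerance values are assumptions chosen for illustration.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with a server-side verifier.

Added example, not code from the original post.  The secret and the
expected codes are the test vectors from RFC 4226 Appendix D and
RFC 6238 Appendix B.  Window and skew values are illustrative assumptions.
"""
import hashlib
import hmac
import struct
import time

# Shared secret used by the RFC test vectors (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP value for one counter (RFC 4226, section 5.3)."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter replaced by floor(time / step) (RFC 6238)."""
    return hotp(secret, unix_time // step, digits, digestmod)


class HotpVerifier:
    """Server-side state for one user's event-based (HOTP) token.

    A token may be pressed without a login taking place, so the server
    accepts codes up to `window` steps ahead of its own counter and
    resynchronises on success (RFC 4226, section 7.4).  Each code is
    accepted at most once, and comparison is constant-time.
    """

    def __init__(self, secret: bytes, window: int = 5, digits: int = 6):
        self.secret = secret
        self.window = window          # assumed look-ahead size
        self.digits = digits
        self.counter = 0              # next counter value the server expects

    def verify(self, submitted: str) -> bool:
        if not submitted.isdigit():
            return False              # compare_digest needs ASCII input
        for offset in range(self.window + 1):
            candidate = hotp(self.secret, self.counter + offset, self.digits)
            if hmac.compare_digest(candidate, submitted):
                # Move past the used counter so a replay of this code fails.
                self.counter += offset + 1
                return True
        return False


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                skew_steps: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Accept a TOTP from the current step or +/- skew_steps (clock drift)."""
    if not submitted.isdigit():
        return False
    now_step = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, now_step + d, digits), submitted)
        for d in range(-skew_steps, skew_steps + 1)
    )


if __name__ == "__main__":
    print("HOTP for counters 0..2:", [hotp(RFC_SECRET, c) for c in range(3)])
    print("TOTP right now:", totp(RFC_SECRET, int(time.time())))
    v = HotpVerifier(RFC_SECRET)
    code = hotp(RFC_SECRET, 3)
    print("first use of counter-3 code accepted:", v.verify(code))
    print("replay of the same code rejected:", v.verify(code))
```

The verifier side is where the security properties live: the look-ahead window keeps a token usable after accidental presses, while advancing the stored counter is what prevents a captured code from being replayed, and `hmac.compare_digest` avoids leaking which digits matched through timing.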
Admittedly, not all of these methods can be used to protect a mailbox on a personal computer. However, an employee’s business email account can be protected by a company authentication system that may utilize some of the more advanced authentication methods.
Of course, it must be noted here that multi-factor authentication will do its job only when it is applied consistently. Some people are reluctant to turn it on because it makes the sign-in process longer and slightly more complicated. Even if it takes organizing cybersecurity training for employees, it is a good idea to promote awareness of the benefits of MFA. Some experts suggest that companies should mandate it for work-related accounts.
What are the benefits of MFA?
MFA is a simple but highly effective solution that can help you protect your personal email account and reinforce business email security in multiple ways. It should be implemented to:
- Secure accounts against hackers using stolen or cracked passwords.
- Protect against weak passwords (people tend to use passwords that are easy to remember and therefore also easy to guess; many people reuse the same password for multiple accounts).
- Enable other security measures to do their job properly (if a message with a file containing malware is sent from a compromised employee account to other employees who treat it as safe thinking it was sent by a colleague, the malware has bypassed other security measures that could have stopped it otherwise).
- Protect against threats to devices connected to external networks (employees logging into their work accounts while working from home use private and therefore less secure internet connections, which may allow for password theft).
- Comply with cybersecurity guidelines and regulations (some frameworks, such as NIST guidance and CMMC, require the use of MFA).
As a non-invasive and simple measure that can be used to enhance the protection of nearly any business software or system, MFA can also be applied for the sake of convenience. Since it is compatible with single sign-on, it can eliminate the need for multiple passwords for different applications. So, it can make life easier, right alongside auto dialler software and other automation tools.
MFA best practices
When used correctly, MFA is one of the most effective methods of protecting data against unauthorized access. Whether you use it to secure a private email account or a user account on a company system, there are some MFA best practices worth bearing in mind if you want the best results from multi-factor authentication:
- using a variety of authentication factors;
- taking user convenience into account;
- implementing MFA across the enterprise to minimize exposure to attacks;
- using MFA in combination with other security tools;
- making MFA context-sensitive (additional authentication factors may be required on some devices but not on others); and
- regularly assessing the effectiveness of MFA solutions applied and adapting them to the changing environment.
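As an added illustration of the "context-sensitive" practice above, the following example (not code from the original post, and not any vendor's product) evaluates a sign-in context and decides how strong a second factor to demand. The rule set, the field names, the trusted address ranges and the sample sign-ins are all constructed assumptions for illustration.

```python
"""Context-sensitive MFA step-up policy (added example, hypothetical rules).

The idea: every sign-in needs a password, but the second factor demanded
depends on the context of the request.  Low-risk requests (managed device,
on the corporate network, familiar location) pass with the password alone;
risky ones require a one-time code or a phishing-resistant FIDO2 key.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed: address ranges a hypothetical organisation treats as on-premises.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]

# Strength ordering of the second factors this policy can demand.
FACTOR_STRENGTH = {"none": 0, "otp": 1, "fido2": 2}


@dataclass
class LoginContext:
    user: str
    source_ip: str
    device_registered: bool        # device enrolled in company device management
    country: str                   # geolocated from source_ip
    last_country: Optional[str]    # country of the previous successful login
    recent_failures: int           # failed password attempts in the last hour
    action_sensitivity: str        # "normal" or "high" (e.g. changing forwarding rules)


def evaluate(ctx: LoginContext) -> Tuple[str, List[str]]:
    """Return (strongest required second factor, reasons).

    "none" means the password alone is accepted for this request.
    """
    strongest = "none"
    reasons: List[str] = []

    def require(factor: str, reason: str) -> None:
        nonlocal strongest
        reasons.append(f"{factor}: {reason}")
        if FACTOR_STRENGTH[factor] > FACTOR_STRENGTH[strongest]:
            strongest = factor

    ip = ip_address(ctx.source_ip)
    on_prem = any(ip in net for net in TRUSTED_NETWORKS)

    # Baseline: unmanaged devices and off-network access need a second factor.
    if not ctx.device_registered:
        require("otp", "device is not registered")
    if not on_prem:
        require("otp", "source address is outside trusted networks")

    # Signals consistent with stolen credentials: step up to a phishing-resistant key.
    if ctx.last_country and ctx.country != ctx.last_country:
        require("fido2", f"country changed from {ctx.last_country} to {ctx.country}")
    if ctx.recent_failures >= 5:
        require("fido2", f"{ctx.recent_failures} recent failed password attempts")
    if ctx.action_sensitivity == "high":
        require("fido2", "high-sensitivity action requested")

    return strongest, reasons


# Constructed sample sign-ins for demonstration.
SAMPLE_LOGINS = [
    LoginContext("alice", "10.1.2.3", True, "GB", "GB", 0, "normal"),
    LoginContext("bob", "198.51.100.7", True, "GB", "GB", 0, "normal"),
    LoginContext("carol", "198.51.100.9", False, "US", "GB", 6, "high"),
]

if __name__ == "__main__":
    for ctx in SAMPLE_LOGINS:
        factor, why = evaluate(ctx)
        print(f"{ctx.user}: second factor = {factor}; " + ("; ".join(why) or "low risk"))
```

The point of the design is that the stronger factor is reserved for the requests that look most like an attacker using a stolen password, so the extra friction the post mentions lands where it buys the most, and users on a managed device in the office are not asked for it every time.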
Protect your email now!
Most of the popular email service providers, such as Google or Yahoo, offer multi-factor authentication. The MFA setup process is fairly simple. If you need assistance, there are numerous text and video guides available online to help you. So, if you haven’t set up MFA for your email yet, it’s definitely time to do it. MFA means safer online communication and more peace of mind!
John Allen – Director, SEO, 8×8
John Allen is a driven marketing professional with over 14 years of experience, an extensive background in building and optimizing digital marketing programs across SEM, SEO, paid media, mobile, social, and email, with an eye to new customer acquisition and increasing revenue.