The Importance of Email MFA and How to Implement it

Almost everything is digital nowadays — and email stands as one of the essential communication tools. It is an ultimate asset for businesses and individuals alike. However, it also presents a lucrative target for cybercriminals. Speaking from experience, many businesses have unfortunately fallen victim to email hacking and brute force attacks, a breach that can lead to severe financial loss, reputation damage, and a host of other issues.

To tackle this problem, let's turn our attention to Multi-Factor Authentication (MFA). MFA offers an incredible security measure that adds multiple layers of protection, substantially reducing the risk of unauthorized email access. Although no system can promise absolute security, implementing MFA greatly tilts the odds in your favor. Here’s an overview on MFA, why it's so crucial for your email security, and more importantly, how to get it up and running.

Email Hacking

Email hacking is often a result of targeted cyber attacks using sophisticated techniques. Phishing scams trick people into revealing their credentials. Malware infects systems to secretly capture keystrokes. Breached databases expose millions of passwords, which then find their way to the dark corners of the internet.

For businesses, an email hack can lead to catastrophic consequences. Not only is there a direct financial impact from theft and fraud, but an exposed email system can lead to the leakage of sensitive data. This includes client information, internal communications, financial records, and proprietary sensitive information. Such a breach erodes customer trust and damages the brand's reputation.

Think it can't happen to you? It's a common misconception that cybercriminals only target large corporations. In reality, businesses of all sizes are at risk. The 2020 Verizon Data Breach Investigations Report found that 28% of breaches involved small businesses. Furthermore, cybercriminals are increasingly deploying automated attacks, which means they can target thousands of businesses simultaneously with little effort.

This sobering reality underscores the need for strong email security measures, with MFA playing a key role. 

Traditional login methods, like usernames and passwords, represent single-factor authentication. You provide one piece of evidence (your password) to prove your identity. But this approach isn't foolproof. If your password is weak or gets stolen, your account is ripe for the picking.

What is MFA?

MFA is a security tool that demands more than one method of authentication. Simply put, it has multiple security layers to it. To unlock an account, you must present pieces of evidence from at least two separate categories. These categories are: something you know (like a password), something you have (like a physical token or a mobile phone), and something you are (like a fingerprint or face or voice recognition).

For instance, when you log into your email, you'll first input your password. Then, you may receive a code on your phone or use a fingerprint scanner. Only when these pieces fit together will access be granted. This also makes it much easier for the user experience — MFA is very straightforward. 

This multifaceted approach means that even if a hacker gains access to your password or does a log in attempt, they're missing the other pieces of the puzzle. As a result, your account stays out of reach.

The Benefits of MFA

According to a study by Google, an astonishing 66% of targeted attacks by cybercriminals could have been thwarted by MFA. These are attacks specifically crafted to infiltrate a particular individual's email, mind you. So, by enabling MFA, you're essentially slamming the door shut on two-thirds of potential breaches.

As you can probably grasp, MFA adds that extra layer of protection, making breaching harder. The keyword here is harder. Remember that you still have to have that secure core before anything else. MFA doesn't make your email impervious to attacks, but it does make your account a significantly harder target. Cybercriminals tend to go for the low-hanging fruit, and an account protected by MFA is anything but.

How to Setup MFA

You can simply set up MFA for your personal account through Google and Microsoft. 

Setting up MFA for Google Workspace for Administrators

Step 1: Notify users of 2-Step Verification deployment

Before deploying 2-Step Verification, communicate your company’s plans to your users, including:

1. What 2-Step Verification is and why your company is using it.
2. Whether 2-Step Verification is optional or required.
3. If required, give the date by which users must turn on 2-Step Verification.
4. Which 2-Step Verification method is required or recommended.

Step 2: Allow users to turn on 2-Step Verification

User accounts created before December 2016 have 2-Step Verification on by default

Let users turn on 2-Step Verification and use any verification method.

1. In your Google Admin console (at admin.google.com)...
2. Go to Menu   Security > Authentication > 2-step verification.
3. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.
4. Check the Allow users to turn on 2-Step Verification box.
5. Select EnforcementOff.
6. Click Save. If you configured an organizational unit or group, you might be able to either Inherit or Override a parent organizational unit, or Unset a group.

Step 3: Tell your users to enroll in 2-Step Verification

1. Tell your users to enroll in 2-Step Verification by following the instructions in Turn on 2-Step Verification.
2. Provide instructions for enrolling in 2-Step Verification methods:

• Security keys
• Google prompt, text message, or phone call
• Google Authenticator app
• Backup codes

Step 4: Track users' enrollment

Use reports to measure and track your users' enrollment in 2-Step Verification. Check users enrollment status, enforcement status, and number of security keys.

1. In your Google Admin console (at admin.google.com)...
2. Go to Menu  Reporting > Reports > User Reports > Security.
3. (Optional) To add a new column of information, click Settings Add new column. Select the column to add to the table and click Save.

For more information, go to Manage a user's security settings.

Learn more about turning on MFA for Google Workspace here: https://apps.google.com/supportwidget/articlehome?hl=en&article_url=https%3A%2F%2Fsupport.google.com%2Fa%2Fanswer%2F175197%3Fhl%3Den&assistant_id=generic-unu&product_context=175197&product_name=UnuFlow&trigger_context=a

Microsoft 365 Multifactor Authentication Setup

If your business is subscribed to Microsoft 365, there here are the steps to setting MFA for your Microsoft 365 account:

1. Go to the Microsoft 365 admin center at https://admin.microsoft.com.
2. Select Show All, then choose the Azure Active Directory Admin Center.
3. Select Azure Active Directory, Properties, Manage Security defaults.
4. Under Enable Security defaults, select Yes and then Save.

To learn more, please see the video below and visit the following website: https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide 

One quick tip while setting this up: always prepare a backup. You might lose access to your primary verification method (like losing your phone or changing your number). Set up a secondary method to ensure you're never locked out of your account.

Also, during the setup process, you'll usually be given backup codes. These are one-use codes that grant access to your account if all else fails. Keep them somewhere safe and offline, like written down in a secure location.