How to Choose the Best MFA Option for Your Business

Passwords suck.

You heard that right. They suck because they’re too easy to guess. They’re also pretty easy to crack open.

How easy, you ask? One blockchain engineer used open-source software and a GPU to guess 14 million leaked passwords. For $18.

Mere passwords no longer do the trick. Just ask the 99.9% of compromised accounts that only relied on passwords as their credentials.

That was the bad news. The good news is that those 99.9% of leaked passwords we mentioned? They can be stopped with an additional security measure: multifactor authentication (MFA).

What is MFA?

Multifactor authentication is like using another, wholly unique lock for your accounts. We say unique because there are multiple MFA options you can choose from:

  • Something you know - like a secret word or code
  • Something you have - like a secret employee card or USB drive
  • Something you are - like your picture or fingerprints
  • Somewhere you are - it only works if you’re at the right location

Think of it like using multiple locks for your online or corporate accounts.

Types of Multifactor Authentication

Something You Know

There’s a reason why passwords are the most commonly used authentication method. They are easy to deploy and do not require specialized equipment or software to work.

Passwords are also a type of Something You Know factor. They’re easy to guess, but when paired with an additional Something You Know factor, they make your accounts more difficult to break into.

MFA examples that rely on the Something You Know factor:

  • Security Questions - These are questions with answers that only the user would know (e.g., mother's maiden name, first pet's name).
  • PINs - A numeric code used to authenticate a user.

Something You Have

This factor involves a physical object that the user must possess.

Think of it like having a key to a door that only you can open.

MFA examples that rely on the Something You Have factor:

  • Smartphones: Used for receiving OTPs (One-Time Passwords) via SMS or apps like Google Authenticator or Microsoft Authenticator.
  • Security Tokens: Hardware devices that generate OTPs, such as RSA SecurID tokens.
  • Smart Cards: Physical cards that store authentication data and require a reader.
  • USB Keys: Devices like YubiKey that authenticate users when plugged into a computer.

Something You Are

This factor is something straight out of spy movies. Something You Are factors rely on biometric characteristics unique to the individual, making them nigh impossible to fake.

MFA examples that rely on the Something You Are factor:

  • Fingerprint Scanning: Relies on the unique patterns of an individual's fingerprint.
  • Facial Recognition: Uses the unique structure of an individual's face.
  • Iris or Retina Scanning: Scans and verifies the unique patterns in the colored part of the eye or the retina.
  • Voice Recognition: Processes the unique characteristics of an individual's voice.

Somewhere You Are

This factor involves the location from which the user is attempting to access the system. Somewhere You Are factors are recommended for very sensitive purposes.

MFA examples that rely on the Somewhere You Are factor:

  • GPS Location: Works by determining the user's location via the GPS coordinates of their device.
  • IP Address: Verifies the user's location based on the IP address they are using.
  • Wi-Fi Positioning: Uses the Wi-Fi network the user is connected to for location verification.

Choose the right MFA option for your business

We’ve established that MFA relies on multiple factors to allow access into a system.

Instead of using just one type of MFA option, it is recommended to mix and match them based on your business use case.

Every business is different, with its own unique security requirements. Here’s how you can choose the combination that is best for your needs.

Banking or Fintech App (for transactions):

  1. Password (Something You Know)
  2. OTP sent to smartphone (Something You Have)

Why this combination?

  • Password: A standard and familiar form of security that users are accustomed to.
  • OTP sent to smartphone: Adds a layer of security by requiring possession of a physical device, making it difficult for attackers who don't have access to the user's phone.

Business Benefit

  • Enhanced security: Combines knowledge (password) with possession (phone), making unauthorized access highly unlikely.
  • User convenience: Users are generally comfortable with receiving OTPs via their smartphones, making it user-friendly.
  • Compliance: Meets regulatory requirements for securing sensitive financial data.

Corporate Network Access (for offices):

  1. Smart Card (Something You Have)
  2. PIN (Something You Know)

Why this combination?

  • Smart Card: Provides a physical token that must be present, adding a strong barrier to unauthorized access.
  • PIN: Ensures that even if the smart card is lost or stolen, it cannot be used without knowing the PIN.

Business Benefit

  • High security: Ideal for protecting critical internal systems and sensitive corporate information.
  • User accountability: Tracks individual access, reducing the risk of insider threats.
  • Scalability: Can be easily deployed across large organizations with centralized management of smart cards.

High-Security Environments (for sensitive and proprietary data):

  1. Password (Something You Know)
  2. Security Token (Something You Have)
  3. Facial Recognition (Something You Are)

Why this combination?

  • Password: Basic layer of security.
  • Security Token: Generates a unique OTP, requiring physical possession of the token.
  • Facial Recognition: Uses unique facial features for a strong biometric check.

Business Benefit

  • Maximum security: Suitable for environments where security is paramount, like data centers or executive access.
  • Defense in depth: Multiple layers of security ensure that breaching one factor doesn't compromise the system.
  • Compliance and trust: Demonstrates commitment to security best practices, building trust with clients and stakeholders.

Location-Based Access:

  1. Password (Something You Know)
  2. IP Address verification (Somewhere You Are)

Why this combination?

  • Password: Basic security measure.
  • IP Address Verification: Adds a geographical check to ensure the access is coming from an expected location.

Business Benefit

  • Contextual security: Enhances security by only allowing access from specific locations or networks.
  • Fraud prevention: Helps detect and prevent fraudulent access attempts from unusual locations.
  • Ease of implementation: Simple to set up with existing network infrastructure.
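
The password plus IP address verification combination can be sketched as follows. This is an added example, not code from this article: the network ranges are constructed documentation ranges, and the function names and the trusted-proxy list are assumptions. It also covers the main pitfall of IP checks, which is trusting a forwarded-address header that the client controls.

```python
import ipaddress

# Constructed sample values (documentation ranges), not real office networks.
EXPECTED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:10::/48")]
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]  # our own load balancers


def _parse(text):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(text.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def client_address(peer_ip, forwarded_for=None):
    """Pick the address to evaluate for the location factor.

    X-Forwarded-For is honoured only when the TCP peer is one of our proxies,
    and it is read right to left so values prepended by the client are ignored.
    """
    peer = _parse(peer_ip)
    if forwarded_for is None or not _in_any(peer, TRUSTED_PROXIES):
        return peer
    for hop in reversed(forwarded_for.split(",")):
        addr = _parse(hop)
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    return peer


def location_factor_ok(peer_ip, forwarded_for=None):
    try:
        addr = client_address(peer_ip, forwarded_for)
    except ValueError:
        return False  # malformed address: fail closed
    return _in_any(addr, EXPECTED_NETWORKS)


def allow_login(password_ok, peer_ip, forwarded_for=None):
    """Both factors must pass: Something You Know and Somewhere You Are."""
    return bool(password_ok) and location_factor_ok(peer_ip, forwarded_for)
```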

These combinations are intended to give you an idea of how to rethink the security measures you’ve deployed. They can be combined with your existing infrastructure to ensure optimal security.


Multifactor authentication can help businesses significantly cut down on data breaches and cybersecurity incidents. The best investment you can make to bolster your security posture is in methods like MFA, supplemented by user awareness training and education. Gamified cybersecurity awareness training can be a great way to get stakeholder buy-in for new security measures like MFA.