The 5 Reasons Why Multi-Factor Authentication Isn’t Strong Enough for Accounting Firms

In today’s digital age, cybersecurity is more important than ever, especially for accounting firms who deal with sensitive client data.  

Multi-Factor Authentication (MFA) is a widely adopted security measure, this helps most accounting firms feel safe, but is it enough…  

Together we will explore why MFA is so popular and widely used, and what additional security steps you need to take to protect your firm.  

Understanding Multi-Factor Authentication 

Multi-Factor Authentication involves using two or more independent credentials (or proof points) to verify a user’s identity. These typically include something the user knows (password), something the user has (smartphone or token), and something the user is (fingerprint or facial recognition). 

The appeal of MFA is when it was introduced it was the latest, and safest way to protect your login information from hackers – but hackers have since improved and have learnt how to get around this barrier.  

Why Is MFA Still Popular? 

  1. Enhanced Security: MFA adds an extra layer of security compared to single-factor authentication. 
  2. Ease of Use: Many users find MFA relatively straightforward to use, and most of us are already using MFA in our private lives, not just work lives so it is an easy introduction in a business setting.  
  3. Cost-Effective: Implementing MFA is often cheaper (if not free) than other more robust security measures. 

Despite these benefits, MFA isn’t a silver bullet, especially for accounting firms.  

The 5 Limitations of Multi-Factor Authentication 

1. Phishing Attacks

MFA can be vulnerable to sophisticated phishing attacks. Cybercriminals can create fake login pages to capture credentials, and then trick users into providing their second factor, gaining full access. We often hear of this more frequently happening in a consumer setting, but we see it happening to business more frequently.  

2. Man-in-the-Middle (MitM) Attacks 

In MitM attacks, hackers intercept the communication between the user and the authentication system, potentially bypassing MFA. This type of attack is becoming increasingly sophisticated, and we know of cases where it has taken weeks for the breach to even be spotted – in one case an entire company’s payroll was sent to the scammer’s account.  

3. SIM Swapping 

For MFA methods relying on SMS or phone calls, SIM swapping can be a major risk. Hackers can trick mobile carriers into transferring the victim’s phone number to a new SIM card, thereby receiving the second-factor authentication codes. This is why when setting up MFA we recommend using an authentication app rather than a phone as it will tie to the specific phone not a number.  

4. Insider Threats 

Accounting firms are particularly susceptible to insider threats. Employees with legitimate access can misuse their privileges, making MFA ineffective against such internal risks. Or it could be a bad break-up with a partner who wants to take confidential data with them when they leave.  

5. User Fatigue 

Repeated MFA prompts can lead to user fatigue, causing employees to seek ways to bypass security measures. This complacency can weaken overall security. Afterall, cybersecurity is not just an IT problem, it is also a people problem, and the entire company must be aligned to stop threats.  

Advanced Security Measures for Accounting Firms 

MFA still has a place in the modern accounting firm, but it should be augmented with additional security protocols and systems to build a vault to secure data. 

1. Passwordless Access 

You may be thinking passwordless – is that even a thing? The answer is yes it is! This is one of the more modern technical developments that allows users to access accounts and data through verified means. Essentially, you are storing and managing access in an encrypted vault which you then access with registered smartphones or biometrics. This will be the future of password-management and is currently something criminals have not figured out how to crack. 

2. Behavioral Analytics

This is just a fancy way of saying, monitoring the digital behaviors of your staff – or to be more precise when and where they login to applications. This is not designed to check on the workflow or productivity of staff, but a means to identify unusual login locations, times, or activities. It is a way you can act quickly if someone does get in, you know what has been accessed, where and when.  

We always recommend looking into either IP locking access or restricting access to certain countries.  

3. Biometric Authentication

While not infallible, biometric authentication adds another layer of security. Combining biometrics with other factors (multi-modal authentication) can significantly enhance security. This can be done with a smartphone you register for this app and makes it much harder for a would-be criminal to access your account.  

4. Regular Security Audits

Conducting regular security audits helps identify vulnerabilities and ensures compliance with the latest security standards. This proactive approach is crucial for maintaining a robust security posture. This can be done with your cybersecurity partner helping to ensure you stay ahead of criminals and on top of your firm’s security, whilst you focus on your business.  

5. Data Encryption

Whenever we bring up encryption a lot of accountant’s eyes either glaze over or become terrified of the potential cost of encrypting all their data. But it doesn’t need to be a major cost or project if you encrypt the login point or access to the data. 

If you encrypt the passwords and embrace a passwordless infrastructure the very access points to the data is made much safer solving the need for intense data encryption – but always make sure to not leave data lying around and keep it in a trusted location such as SharePoint.    

Beyond Multi-Factor Authentication 

While Multi-Factor Authentication is an important component of cybersecurity, it shouldn’t be the only line of defense for accounting firms. By understanding its limitations and implementing additional security measures, you can help create a more secure environment.  

If you want to learn more about how we can help add the additional layer of security your firm needs, book a time to chat with us