Whether you are a private individual or an entrepreneur, nobody wants hackers to gain access to confidential data or online accounts. Increasing remote working and the growing complexity of login methods not only increase the security risk, but also the need for reliable protection. So the question remains: complex passwords vs multi-factor authentication – who wins the race?
For many people, passwords are still the first choice for protecting their accounts and data. Unfortunately, passwords are easy to hack and the user is often the biggest weak point. For convenience, people choose simple passwords or even reuse the same password for several accounts, and they rarely or never renew them. The use of password managers can be a practical solution here. But is this the most secure solution to protect your data? Are there practical alternatives?
These questions and more are answered below.

Password manager

Password managers are programs that manage user names and passwords. Password managers use encryption and a complex master password to securely store the individual passwords. It's like a notebook that you have locked away in your desk drawer and whose contents are only visible to you.
Your big advantage: Instead of many different passwords, you only have to remember one master password.
However, if your password manager is hacked, all passwords and the data protected with them are compromised at once. With cloud-based programs, you usually entrust all your sensitive data to a company. In this case, it is important to check in advance which data protection laws the data is subject to at the respective location and what risks exist for you.

Multi-factor authentication (MFA)

MFA stands for multi-factor authentication. As the name suggests, more than one factor is required to log in: during the login process, the user is asked to carry out a further identification procedure, e.g. entering a code on the smartphone or using a fingerprint. However, complex security checks can slow down the process, and users then tend to look for ways to speed it up or bypass the rules. The solution is user-friendly operation and selecting the most suitable authentication methods for the respective purpose. Four factors can be applied to an MFA:
- Possession (personal device)
- Knowledge (e.g. PIN)
- Location
- Biometric features (facial recognition, retina scan or fingerprint)
But be careful! Not all MFA is the same. A basic problem with traditional MFA solutions is that passwords are usually still used in the authentication process. Although some banking apps use the cell phone's biometric facial recognition, they still ask for a supporting password in the second step.
An MFA only offers the highest level of security if it works completely password-free and is resistant to phishing, i.e. secure against fake emails or websites.
Biometric factors in particular are extremely valuable as an authentication factor, as they are very difficult to hack or steal compared to a password. Combined with an individually generated PIN for each use case, which remains on the user's private device, this offers a comparatively high level of security.
An optimal passwordless MFA also uses the solutions already integrated in many laptops or smartphones, such as Touch ID, Face ID or Windows Hello. The highest possible level of security is also achieved if the MFA already takes effect when you log in to the desktop, before you reach a level with sensitive data.

Complex passwords vs multi-factor authentication

No security measure in the world offers 100% protection. Basically, you always have to weigh up how much effort you want to put in for the associated risk.
Using a password manager is always more secure than using common passwords repeatedly. Which program offers you the best security often depends on the respective use and the end device.
MFA is a significant improvement over a standard password-protected login. Passwordless MFA should be used for all systems that you can log in to from the Internet. The more factors are used for authentication, the more secure your data is. If the MFA solution is also easy for you to use, nothing stands in the way of smooth operation.

The decision

Is an organization-wide change from password to MFA necessary? How do you analyze which procedure makes the most sense in your company?
In the end, the decision and the resulting consequences are up to you. What do you need to consider?
What security levels are there in my company? Do we operate on a single track, or do the different security levels also require types of encryption of differing complexity? What are the costs for IT? Which providers are even worth considering? Do I have enough capacity for these steps?

So there is a lot to weigh up and check again and again.
Why not make it a little easier for yourself? How about researching which processes and which provider might suit YOUR company?