At a glance
By Rosalyn Page
In the digital world, where transactions happen at the speed of a click, accounting firms need comprehensive security controls to protect their systems.
Unauthorised access can trigger a cascade of threats, risking data and financial loss, regulatory penalties and reputational damage.
With sophisticated attacks on the rise, it is important to understand best practices for implementing multi-factor authentication (MFA) and the different levels of security protection it can offer.
How MFA works
MFA is a secure process that adds another credential to the traditional username and password login method. This credential can be something the user has (such as a security token), is (biometric verification), or knows (a randomised code).
“MFA acts as an essential line of defence, especially critical in the financial sector where trust and privacy are the cornerstones,” says Jason Lau, chief information security officer at crypto.com and board director of IT governance firm ISACA.
However, MFA is not infallible. It is only one of the baseline fundamentals that organisations should consider using to defend against many sophisticated actors, according to the Microsoft Digital Defense Report 2022.
MFA is integral to an organisation’s overall cyber security strategy, Lau says.
“It dovetails with the principles of zero trust architecture, which do not assume trust, so they verify at each step to reinforce that authentication is one component.”
In the context of financial operations, MFA is a compliance imperative to mitigate risk. It aligns with regulatory frameworks such as Sarbanes-Oxley (SOX) for financial reporting and the Payment Card Industry Data Security Standard (PCI DSS) for payment security, which emphasise the importance of access controls and information security in financial environments, according to Lau.
“Finance executives should note that while MFA significantly enhances security, it must be integrated within a defence-in-depth strategy, as mandated by these standards,” he says.
MFA best practice
An understanding of MFA best practices is vital for accounting and financial businesses, because not all types of MFA credentials offer the same level of assurance, and each has its own strengths.
Biometric MFA, such as fingerprints, retinal scans or face ID, is typically regarded as providing the strongest assurance level, because it is harder to compromise biometrics than email or SMS codes, says Neil Lappage, security adviser with ITC Secure in the UK.
The most robust option is to implement phishing-resistant MFA, where the second factor is biometric combined with a code that can only be provided by an approved system, according to Lappage.
“If the code can only come from a pre-approved system, and the biometrics are required, then the risk is lower,” he says.
For businesses that use Microsoft systems, deployment of its Identity Protection technology is key, because it forces the user to re-authenticate immediately if their account has been compromised. This in turn forces the attacker to disconnect.
“This is a very important safety net that very few small businesses implement, since they are not aware of the risk and benefit of using this technology,” Lappage says.
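To make the idea of a code that "can only come from a pre-approved system" concrete, here is an added, simplified model (not the author's, Lappage's or any vendor's code, and not a WebAuthn implementation): the authenticator signs the server's challenge together with the origin it was actually invoked from, so a response captured on a look-alike site fails verification at the real one, whereas a plain one-time code carries no such binding. The origin names and the HMAC-based signing are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed: the accounting firm's real sign-in origin (placeholder name).
LEGITIMATE_ORIGIN = "https://portal.example-accounting.test"


def register_authenticator() -> bytes:
    """Per-device secret shared with the service at enrolment (constructed model)."""
    return secrets.token_bytes(32)


def authenticator_respond(device_secret: bytes, challenge: bytes, origin_seen: str) -> bytes:
    """The device binds its response to the origin it was invoked from."""
    message = origin_seen.encode() + b"|" + challenge
    return hmac.new(device_secret, message, hashlib.sha256).digest()


def server_verify(device_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """The service only ever checks against its own origin, never a caller-supplied one."""
    expected = hmac.new(device_secret, LEGITIMATE_ORIGIN.encode() + b"|" + challenge,
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def origin_bound_login(origin_user_saw: str) -> bool:
    """One login attempt: True only if the response was produced for the real origin."""
    secret = register_authenticator()
    challenge = secrets.token_bytes(16)
    response = authenticator_respond(secret, challenge, origin_user_saw)
    return server_verify(secret, challenge, response)


def otp_verify(valid_code: str, submitted_code: str) -> bool:
    """A plain one-time code has no origin binding: it verifies wherever it was typed."""
    return hmac.compare_digest(valid_code, submitted_code)


if __name__ == "__main__":
    print("real site:", origin_bound_login(LEGITIMATE_ORIGIN))
    print("look-alike site:", origin_bound_login("https://portal.example-accounting-login.test"))
```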
Stopping invoice fraud
MFA can be overcome by attackers, particularly where SMS or email-based codes are used, because those codes are susceptible to phishing attacks.
Invoice fraud is the biggest risk that any organisation faces today, Lappage says. Invoice fraud typically starts with a phishing email that requests authentication using a password and second factor.
“The challenge with these attacks is that attackers are stealing both password and MFA tokens to access an employee’s mailbox, and the attacker and the employee can exist in the mailbox at the same time when authentication is breached,” Lappage says.
This type of attack can bypass MFA if it is not phishing-resistant, allowing the attacker to gain access and set up a secondary authenticator to maintain access to the mailbox along with the user.
The goal could be to find and modify invoices to suppliers or direct funds to a rogue bank account and then quickly send the funds offshore.
Such attacks can affect organisations of any size, so MFA needs to be deployed properly by a security professional.
“The attacker is able to set up such bank accounts with stolen identity documents, and once the funds are gone, it is very hard to get them back,” he says.
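The pattern described above, an intruder signing in alongside the employee and then registering a secondary authenticator, is something the monitoring team can look for in sign-in and audit logs. The following is an added example (not code from the article or from any vendor) that runs a simple rule over constructed sample events: it flags an authenticator registration that comes from a country the user does not normally sign in from, or that happens while another session from a different IP was active for the same user within a short window. The event schema, the 30-minute window and the per-user country baseline are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sign-in and authenticator-registration audit events (sample data, not real logs).
EVENTS = [
    {"time": "2024-03-04T08:02:00", "user": "a.smith", "type": "signin", "ip": "203.0.113.10", "country": "AU"},
    {"time": "2024-03-04T08:05:00", "user": "a.smith", "type": "signin", "ip": "198.51.100.77", "country": "NL"},
    {"time": "2024-03-04T08:09:00", "user": "a.smith", "type": "mfa_method_added", "ip": "198.51.100.77", "country": "NL"},
    {"time": "2024-03-04T09:00:00", "user": "b.jones", "type": "signin", "ip": "203.0.113.22", "country": "AU"},
    {"time": "2024-03-04T09:30:00", "user": "b.jones", "type": "mfa_method_added", "ip": "203.0.113.22", "country": "AU"},
]

# Where each user normally signs in from (constructed baseline).
KNOWN_COUNTRIES = {"a.smith": {"AU"}, "b.jones": {"AU"}}

WINDOW = timedelta(minutes=30)  # assumption: look-back window for related sign-ins


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_suspicious_registrations(events, known_countries, window=WINDOW):
    """Flag authenticator registrations that look like an intruder adding a second
    factor: registered from an unusual country, or while another session from a
    different IP was active for the same user within the window."""
    findings = []
    signins = [e for e in events if e["type"] == "signin"]
    for reg in (e for e in events if e["type"] == "mfa_method_added"):
        reasons = []
        if reg["country"] not in known_countries.get(reg["user"], set()):
            reasons.append("unknown_country")
        recent = [s for s in signins
                  if s["user"] == reg["user"] and timedelta(0) <= _ts(reg) - _ts(s) <= window]
        if any(s["ip"] != reg["ip"] for s in recent):
            reasons.append("concurrent_ip")
        if reasons:
            findings.append({"user": reg["user"], "time": reg["time"], "ip": reg["ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_registrations(EVENTS, KNOWN_COUNTRIES):
        print(f"REVIEW {f['user']} at {f['time']} from {f['ip']}: {', '.join(f['reasons'])}")
```

A hit is a prompt for the IT team to verify the registration with the employee out of band and, if it was not theirs, revoke the extra authenticator and sessions.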
Spotting security blind spots
Another prevalent risk is an attack that compromises the service accounts used for printers or other devices within an organisation.
“These systems usually do not allow MFA to be implemented, so a third-party solution is required to ensure that MFA is implemented in these situations,” Lappage says.
Security professionals like Lappage know bad actors are finding new ways to attack organisations.
“Two years ago, people generally thought that MFA was adequate, but now it is not enough, so we need to keep an eye on the attackers’ techniques and procedures to keep ahead of them.
“The challenge is to know where the risky blind spots exist and shut them down, in a cost-effective, pragmatic way,” he says.
6 steps to implementing MFA
- Choose MFA solutions that meet industry standards, such as SOX for internal controls and PCI DSS for payment security, and favour those that offer phishing-resistant features.
- Understand the organisation’s cyber risk, so that the right controls can be applied to protect information. This includes applying the appropriate strength of MFA.
- Raise awareness about the importance of MFA and train employees to recognise and respond to security threats.
- Ensure that the IT team or managed service provider is monitoring for compromised accounts and responding accordingly.
- Develop a comprehensive security framework that includes MFA as part of a broader risk management strategy, in line with the expectations of a zero trust model.
- Implement technologies to protect blind spots around service accounts and other gaps.