A guide to multi-factor authentication
The main benefit of multi-factor authentication (MFA) is that it significantly enhances your organisation's security by requiring users to verify their identity using more than just a username and password.
This makes it considerably harder for criminals to gain unauthorised access to your systems and data, because a stolen username and password alone is no longer enough to log in. Over 80% of cyber breaches involve weak or stolen passwords, and MFA directly addresses this vulnerability.
Given that MFA is widely available at no cost and is now commonly required for cyber insurance cover, it is one of the simplest and most effective steps any organisation can take to protect its data.
What is it?
It is a verification system that requires a user to provide more than one of the following types of evidence before access is granted:
- Something the user knows (information a criminal should not have), such as a password, a PIN, or personal details such as a mother's maiden name or the road they grew up in.
- Something the user has (a physical possession), such as a mobile phone. A verification text containing a numeric code can be sent to the user's phone.
- Something the user is (inherence), meaning biometric data such as a fingerprint or face scan. This is generally considered the most secure authentication factor, as these characteristics are completely unique to the user and cannot be replicated.
One Time Passwords
A One Time Password (OTP) is often used by websites to add an additional layer of security. When a user creates a new account, they will also be asked to enter and verify their mobile number. When the user's credentials are later entered (usually from a different device or location), an SMS containing a one-time passcode is sent to their mobile phone, and they must enter it to verify their identity before they can access the account.
OTPs can also be delivered via email, though this method is not recommended as a primary MFA option. Many users reuse passwords across accounts, meaning a compromised email account could undermine the security of other accounts protected by the same credentials.
Authenticator Apps
Authenticator apps, such as Google Authenticator, Microsoft Authenticator, and Aegis (an open-source alternative), generate time-based one-time codes on the device itself and are a more secure alternative to SMS-based OTPs. SMS can be vulnerable to SIM-swapping attacks, where a criminal persuades the mobile provider to transfer the victim's number to a phone they control, so app-based authentication is the preferred choice where possible. Take time to evaluate options before selecting an authenticator app for your organisation.
Passkeys: the next step
Passkeys are an emerging, passwordless alternative to traditional MFA that are gaining rapid adoption. Rather than entering a password plus a second factor, a passkey uses a cryptographic key held on the user's device, unlocked with a fingerprint or face scan, to verify identity in a single step. Because the key is tied to the genuine website, it cannot be handed over to a fake login page. Major platforms including Google, Apple, and Microsoft now support passkeys, and they are increasingly recommended by the NCSC as a more phishing-resistant approach to authentication.
Where to implement MFA:
- Organisation's network and remote access (VPN)
- Pupil/student database (MIS)
- Email account
- Banking and financial platforms
- Sensitive online transactions
- Social media and communications tools
Support & Guidance:
The NCSC provides advice and guidance for multi-factor authentication implementation: NCSC Zero Trust Architecture
Review the Password Checklist on the DPE Knowledge Bank to check password security for your organisation.
DPE Customers:
Password Best Practice Area on the DPE Knowledge Bank.
Consider a password policy for your organisation.
Complete the Password Security learning nugget on the DPE Knowledge Bank.
