UPDATED JANUARY 2021
Multi-factor authentication (“MFA”) has emerged as an important tool to provide an additional level of verification beyond user passwords to protect information systems and user data. The goal of MFA is to verify identity and to make sure that the person logging into an account really is the person they are claiming to be. MFA is one of the easiest things you can do today to significantly increase the security of your church staff and their accounts. Overall, we strongly believe that MFA is a vital element in any comprehensive approach to security.
Passwords Aren’t Enough
Why is this necessary? Security experts know that passwords alone simply are not an effective deterrent to cybercrime and security breaches, because there are so many problems with the way that most people handle their passwords, from creation to use.
The most common password mistakes include:
- Using easy-to-guess passwords, e.g. birthdays, addresses, pet names, etc.
- Writing down and/or storing passwords in easy-to-find places (hint: the sticky note on your monitor or desk is not secure!)
- Sharing passwords with others.
- Reusing the very same password for all or multiple services, applications, devices, accounts, etc., thereby creating unnecessary exposure in many important areas of life and work.
- Unwittingly handing over a password to a spoofed site or a phishing email created to steal it.
As a result, passwords are stolen and compromised all of the time. Your own passwords may very well be compromised and residing on a list of thousands of other stolen passwords for sale to those who would use them for malicious purposes.
How Does MFA Work?
So what does that have to do with your church? Well, churches maintain a lot of personal data, including very sensitive data about members’ giving and financials, staff social security and payroll data, and pastoral counseling notes. The church staff has to be able to trust that systems are secure and working properly so that they can perform their ministry jobs. A breach could be harmful, embarrassing and costly. This is where multi-factor authentication comes in.
MFA provides a second layer of security by adding a step to the sign-in process when someone uses their password to log in to an MFA-enabled account. How does it work? Typically, MFA employs a short numeric code that changes on a timer. This code is delivered to the user’s trusted secondary device via a text message (or generated by an authenticator app installed ahead of time) when they use their password to log into an MFA-enabled account. The user is prompted to enter the current MFA code. Without the MFA code or the verification app, access to the account is denied, regardless of whether the user has the correct password. There are typically multiple delivery options, including text, email, or app, for the user’s convenience.
While it can be argued that MFA adds a basic level of complexity to the log-in process and calls for some basic user training, the benefits of the level of security it provides to user accounts are far greater than these small adjustments. The main “barrier” is the need for a smartphone or secondary device, but it is safe to say that almost everyone has one of those these days. When you really break down the process, it is quite simple and user-friendly. It simply makes it harder for OTHER people to log in to your account. Not every product and platform supports MFA, but it is our best-practice recommendation that if MFA is an option, you should enable it.
At this point in the cybersecurity game, multi-factor authentication is a necessary element of a basic user-security setup. The minor inconveniences of a slightly longer sign-in process and training are far outweighed by the extra level of security it provides. Of course, it is not a “silver bullet” that will solve all of your problems. MFA covers breaches at the log-in step, but it does not cover voice phishing, physical security, a lost USB stick, or an end user falling for social engineering tricks. Tools like MFA must be coupled with solid end-user security awareness training, the most important layer of security to which organizations must give their attention. Awareness of the types of schemes employed by cyber criminals and others who would cause harm is the most effective protection against security threats. Nevertheless, MFA is an effective, accessible and easily implemented step in creating a more secure environment for your church.
Enable Ministry Partners has helped several churches seamlessly implement MFA and other security measures within their organization, and we are more than happy to talk with you about what this could look like for your church! For more information, email [email protected].