Multifactor Authentication: The Change Worth Considering

In the past two years, we have seen change after change after change. It started with the world seemingly shutting down with most of us beginning to work remotely, then went to us wearing masks when we did go out and now, we’re trying to settle into what seems like our “new normal.” Changing the way we’ve always done something can seem like an uphill battle, but sometimes the battle of change is necessary. And a change that is necessary right now for credit unions is implementing multifactor authentication (MFA) methods.

MFA is an additional layer of protection that requires users to present at least two different types of authentication factor to sign into their accounts, both personal and business. Those factors are typically broken down into three categories:

  • Something you know: your password, PIN, etc.
  • Something you have: a hardware token, a smart card or ID badge, or a phone running an authenticator app; something that is physically in your possession
  • Something you are: your biometrics, such as your face or fingerprint

The key word is different. A PIN plus a security question is not multifactor, because both fall into the something you know category, and a bad actor who has researched a user on social media can often guess the security answer as easily as the PIN. 2FA, or two-factor authentication, is simply MFA with exactly two factors, most commonly something you know (a password) plus something you have (a code from an authenticator app or a hardware token). 2FA is not a separate or more secure class than MFA; it is the most common form of it. Either way, requiring a second factor further protects users' accounts (banking, personal email, professional email, other professional systems, etc.) from bad actors looking to gain access.

You’ve probably used MFA before and may not have even realized it. When you swipe or insert your debit card to buy something or withdraw cash from an ATM, the card is something you have and the PIN is something you know. Companies like Yahoo and Google offer 2FA as an option to increase account security, so if you have a Yahoo or Google account, 2FA is already available to you. Since these methods are already familiar to most people, there’s a case to be made for credit unions to require MFA for employees accessing credit union systems like the core and email, and for members accessing online banking. Consider these factors when determining whether MFA should be a change your credit union implements:

Weak passwords are still common. Encouraging employees and members to use strong passphrases is vital; however, you can’t force them to do so, and weak passwords, along with personal details posted on social media that make passwords and security answers guessable, remain the easiest way for bad actors to gain access to accounts. Even with controls and policies such as forced password changes after a set period and minimum length and complexity requirements, you can’t guarantee that the password a user chooses is strong. (Current NIST guidance in SP 800-63B in fact advises against routine expiration and composition rules, because they push users toward predictable patterns; it recommends length, screening new passwords against lists of known-breached passwords, and MFA instead.)

Likewise, you can’t guarantee that they’ll remember their passwords, especially if they have to change them every so often. If they write them down and stick them near their computers, anyone walking by can use them; if they save them in a browser when prompted, anyone who compromises that device or the account behind the browser gets them too. In either case, a bad actor who obtains the password can gain unauthorized access to the account. What you can do is implement MFA on your systems, so that the password alone is not enough to sign in.

Bad actors are becoming more skilled at taking over accounts. At least once a week we hear of bad actors gaining access to consumer and business accounts across the nation. If a weak password is in use and MFA is not set up, a user and their company could be at risk. But even a strong password or passphrase may not be enough: bad actors can guess passwords through brute-force attempts, or replay credentials from leaked breach data against other services (credential stuffing), which succeeds whenever a user reuses a password. With MFA in place, a stolen or guessed password gets a bad actor no farther than the second-factor prompt.
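What that second-factor check looks like in practice, as an added example that is not from the original article: a password-plus-TOTP login check (RFC 6238, the scheme authenticator apps use) written in Python with only the standard library. The user record, password and shared secret below are constructed for the demo (the secret is the RFC 6238 test-vector secret), and the function names are this example's own, not any product's API. It shows that a leaked password alone, or a guessed code alone, fails; both factors have to pass.

```python
"""Added example (not from the original article): password + TOTP login check.

Standard library only. The user record, password and TOTP secret used in the
demo are constructed; the secret is the RFC 6238 test-vector secret. Never
enroll real users with a fixed secret.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

STEP = 30    # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6   # code length shown in authenticator apps


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the salt is stored next to the hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def enroll(password: str, totp_secret: Optional[bytes] = None) -> dict:
    """Create a user record: hashed password (know) + shared TOTP secret (have)."""
    salt = os.urandom(16)
    secret = totp_secret if totp_secret is not None else os.urandom(20)
    return {"pw_salt": salt, "pw_hash": hash_password(password, salt), "totp_secret": secret}


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step))


def verify_totp(secret: bytes, code: str, at: Optional[float] = None,
                step: int = STEP, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate clock drift."""
    now = time.time() if at is None else at
    counter = int(now // step)
    ok = False
    for drift in range(-window, window + 1):
        # compare_digest keeps the comparison constant-time regardless of which digits match
        ok |= hmac.compare_digest(hotp(secret, counter + drift), code)
    return ok


def verify_login(user: dict, password: str, code: str, now: Optional[float] = None) -> bool:
    """Both factors are always evaluated; a correct password on its own is not enough."""
    pw_ok = hmac.compare_digest(user["pw_hash"], hash_password(password, user["pw_salt"]))
    code_ok = verify_totp(user["totp_secret"], code, at=now)
    return pw_ok and code_ok


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"   # RFC 6238 test secret, demo only
    user = enroll("correct horse battery staple", demo_secret)
    print("password + current code:", verify_login(user, "correct horse battery staple", totp(demo_secret)))
    print("leaked password, no code:", verify_login(user, "correct horse battery staple", "000000"))
```

A production verifier would add two things this demo leaves out: it would remember the last step in which a code was accepted for each user and refuse to accept the same code twice (so a code captured by a phishing page cannot be replayed), and it would rate-limit attempts, since a six-digit code with a three-step window can otherwise be brute-forced.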

Smaller institutions are not excluded from these risks. These attacks don’t just occur at larger financial institutions; bad actors also target smaller institutions because they know these institutions are less likely to have strong security protections, often because of limited resources. MFA, however, is a comparatively easy and cost-effective control that even a small institution can put in place.

The higher your position is in a financial institution, the more likely you are to be targeted. Bad actors typically target executive-level employees because they have access to more sensitive information and more systems within the organization. The bad actors then take that information (members’ financial information, social security numbers, home addresses, etc.) and sell it on the dark web, creating significant problems for members and financial institutions. And once one mailbox in the organization has been compromised, it becomes easier for the bad actor to compromise others by phishing from a trusted internal address. With MFA in place, a phished or reused password is no longer enough to open that mailbox. One caveat: not every second factor resists phishing equally. Codes sent by SMS or typed into a web page can be relayed through a fake login page, and push notifications can be approved by a tired user, whereas hardware security keys and other FIDO2/WebAuthn authenticators are bound to the genuine site and cannot be relayed that way, which makes them the right choice for executives and other high-value accounts.

In some instances, it is a regulatory expectation. Because of the sensitive information financial institutions hold on their members, MFA is typically encouraged as a way to comply with regulations in the financial industry. Think about it. Financial institutions have their members’ social security numbers, account numbers, home addresses, birthdays, workplaces, etc. all stored in their systems. If that information fell into the hands of a bad actor, identity theft and financial fraud would become a real possibility. And while the Sarbanes-Oxley (SOX) Act of 2002 and the Gramm-Leach-Bliley Act (GLBA) don’t explicitly require MFA, they do require stringent internal controls, and they require financial institutions to tell their members how their information is being shared and protected.

These are just some of the factors your credit union should consider when deciding whether to change how employees and members access their accounts and systems by implementing MFA. The truth of the matter is that financial institutions are a target for bad actors because of the information they hold. Without MFA, your financial institution’s system security is only as strong as your weakest password. And since MFA is relatively unobtrusive and easy to implement, it’s a change worth considering.


Robert Gentry works as an information security analyst for Vizo Financial Corporate Credit Union, providing information security risk assessments, security awareness training and incident response planning services to credit unions. Mr. Gentry also delivers tailored training and consulting services for credit unions, assisting them with their specific information security needs.