
How to prevent 99.9% of account attacks on your online services
Tiia Ohtokallio
In today's digital environment, a simple password provides basic security but won't stop a determined attacker. Cyberattacks, data breaches, and phishing attempts are commonplace, and online services and mobile applications are particularly frequent targets.
According to research, up to 99.9% of attacks targeting user accounts can be prevented by implementing multi-factor authentication (MFA). This simple but highly effective measure is the single most important step in strengthening digital security.
Multi-Factor Authentication (MFA): Adding an extra layer of security on top of your password
MFA (multi-factor authentication) means that logging in requires a second verification method in addition to a password. This could be a one-time code sent to your phone, a physical security key, or a biometric identifier like a fingerprint or face scan. For one-time codes, Google Authenticator or Microsoft Authenticator apps are typically used because they are significantly more secure than a code received via text message.
The Benefits of Multi-Factor Authentication for Companies and Organizations
- Protection against data breaches and phishing: A stolen password is not enough to hijack an account.
- Securing remote work and cloud services: Only the right people can access company systems.
- Peace of mind: Important accounts remain protected even against automated attacks.
Securing a WordPress-based website with multi-factor authentication
WordPress is Finland’s most popular publishing platform and, therefore, one of the most common targets for attacks. Brute-force attacks, in which bots repeatedly try to guess passwords, can be effectively stopped by implementing MFA. The problem with free plugins is their unreliability. For this reason, Hion uses an enterprise-level MFA solution from Auth0 for its implementations, which protects the entire login page (also from denial-of-service attacks) and provides SSO capabilities, but more on that later.
Multi-factor authentication in mobile applications
Users of mobile applications expect a smooth user experience. MFA can be implemented using biometric methods (fingerprint, Face ID) or push approvals, which are fast and secure for the user.
Single Sign-On (SSO): Security and seamlessness with a single login
Single Sign-On (SSO) allows a user to log in once and gain access to all the applications and online services they need. This is especially useful for companies that have multiple different systems, such as a WordPress website and separate Microsoft O365 credentials.
Benefits of SSO for Businesses and Organizations:
- Improved user experience and productivity: An employee can access all their tools with a single login.
- Fewer passwords, more security: One strong password plus MFA means fewer password leaks.
- Centralized management: When employees change roles, their access to all systems can be revoked at once. Roles and permissions can be set with AD groups.
- Lower support costs: Fewer support requests due to forgotten passwords and user creation.
The best protection is created by combining MFA and SSO
MFA and SSO complement each other perfectly. SSO provides ease of use for the user: one strong login is enough, after which all necessary services are accessible without new passwords. MFA, on the other hand, ensures that this single login is truly reliable – the user cannot log in with just a password but also needs a text message verification, an app code, or a biometric identifier.
When SSO and MFA are combined:
- It is significantly harder for an attacker to break in because a password alone is not enough.
- The user does not have to remember dozens of passwords or log into services separately.
- The administrator gains clearer control over access management and log data monitoring.
Typically, MFA is implemented in the same place where credentials are managed. In practice, this means access management through Google Workspace or Microsoft 365: when a user logs in once, verified with MFA, all associated applications benefit from the protection, and the user still gets a seamless experience.
NIS2 and access management
The EU’s NIS2 directive sets even stricter requirements for organizations’ cybersecurity. In practice, this means that multi-factor authentication is a mandatory part of risk management for many companies. In Finland, this applies especially to critical sectors, but as a best practice, it is relevant for every company and organization offering digital services.
It’s time to leave password-only logins in the past. MFA and SSO are the foundational security for digital everyday life, whether for WordPress site administrators, mobile app developers, or organizations utilizing Contentful.
Sources:
https://arxiv.org/abs/2305.00945