Multi-Factor Authentication (MFA): What you need to know and how it affects your business

17 January 2020

The 2020 agenda for any board member responsible for IT will surely include data and user security. Introducing a more robust IT log on, protection of users will be guaranteed, and risks of hacking or data theft can be decreased. IT security is extremely important for every IT Director but if not coming from a technical IT background, then it might be difficult to tackle such problems.


At BDO our team has extensive experience supporting IT decision makers to assess their requirements and deliver effective solutions. In this article we aim to share our knowledge of MFA and Payment Services Directive to provide clients with summary information to allow them to start planning their projects.


What is PSD 2

PSD2 is the second Payment Services Directive, designed by the countries of the European Union. It has the potential to change the payments industry as we know it, affecting everything from the way we pay, to what data is shown when making payments. Moreover, it is also designed with the aim to increase the security of online payments.


Here’s what you need to know to ensure your business is ready.


What’s required and by when?

Multi-Factor Authentication (MFA), is at the centre of PSD2. To adhere to this, companies will need to update their online payment process to include at least two of the following authentications:

  • Something you know (usually a password)
  • Something you have (a trusted device, like a phone)
  • Something you are (biometric information, like a fingerprint)


This layered approach means that even if a user’s password or card details are revealed, the data is useless without access to the second authentication step. Banks have already deployed MFA prior to the PSD2 deadline, although they have named it Strong Customer Authentication (SCA). Business banking providers may supply customers with a dongle for the ‘something you have’ element, or a fingerprint reader for the ‘something you are’ element.

For online banking the changes must be completed by 14 March 2020. For online shopping, the card issuers, payment firms and all businesses that take online payments have until March 2021 to implement the framework. Organisations which are not yet working towards compliance, then they start thinking on how to implement it now.


How else can Multi-Factor Authentication help?

In addition to PSD2, in a world of remote working, cloud collaboration and an expanding digital inventory, information is a developing danger of attacked online. A security breach is always a risk when passwords are used as the only authentication method.  A brute force attack can generate billions of passwords per second. When an attacker gains access to a company’s system without detection, that hacker will have much more than three attempts to hack the system. Moreover, where there’s a password, there’s a password database, encrypted or not, given enough time, a captured password database will be cracked.


That’s why organisations need to contemplate on whether to implement MFA for their cloud services and whenever an employee connects to a service over the internet. This could be as simple as;

  • Entering a one-time password (OTP) sent by the server to a phone or email address
  • Swiping a card and entering a PIN
  • Swiping a card and scanning a fingerprint
  • Connecting a USB dongle to generate an OTP


This added layer of security is relatively straightforward to implement. Many applications even come with the technology built in. If a company makes use of Microsoft 365 Business or standalone Office 365 licenses, then it is already designated to a free version of Azure multi-factor authentication as part of its subscription. Adding to this, to make implementation as easy as possible, conditional access options allow you to exclude specific employees from MFA verification.


Putting it all together

Board members in charge of IT should explore the ways in which MFA can help keep data secure, whether PSD2 affects their business or not. If a business’s payments are taken online, finance teams need to implement the necessary changes by March 2021 or transactions will be declined forever. Perhaps such members of the board can also re-acknowledge the services used which only allow for single-factor authentication. Businesses should Designate someone to revisit their digital security strategy and use the information to develop a framework for compliance and control. It is these elements that will help to protect future business performance of businesses.


The BDO difference

Here at BDO, we understand the challenges that the non-technical board member faces when they become responsible for IT. Our Technology Advisory Service (TAS) team has an extensive hands-on track record of delivering strategic, operational and technical IT advisory services. We’ve developed our services with the non-technical board director in mind and we provide management and support services to suit each client’s needs.


Learn more about BDO’s IT services and get in touch today.