
What is multifactor authentication (MFA) and why is it required?

Multifactor authentication is one of the most important security controls in CPCSC Level 1, specifically Control 7. Understanding MFA in business terms—what it is, why it matters, and how to implement it effectively—helps executives appreciate why this requirement exists and how to satisfy it without creating undue operational friction.

Answer

MFA requires additional verification beyond passwords to access devices or accounts, protecting systems by requiring two or more authentication factors.

What Is Multifactor Authentication

MFA is a security tactic that requires additional verification beyond just a password to access devices or accounts. Instead of relying solely on something you know (your password), MFA requires a second factor from a different category.

The three authentication factor categories are:

  • Something you know (passwords, PINs, security questions)
  • Something you have (physical authenticators, smartphones, security keys, smart cards)
  • Something you are (biometrics like fingerprints, facial recognition, retina scans)

Two-factor authentication is a specific type of MFA using exactly two different factors; MFA can involve two or more factors.

A Real-World Analogy

Think of MFA like the dual-control procedures banks use for safety deposit boxes—you need both your key and the bank's key to open the box. Even if someone steals your key, they can't access the box without the bank's key.

Similarly, even if an attacker obtains your password through phishing, keylogging, or a data breach, they still can't access your account without also having your physical phone or security key to provide the second factor.

Why Passwords Alone Are Insufficient

Passwords have fundamental weaknesses that make relying on them alone increasingly dangerous. Users often choose weak passwords that are easy to guess or crack using automated tools.

Even strong passwords get compromised through several methods:

  • Phishing emails tricking users into entering credentials on fake websites
  • Keylogging malware capturing what you type
  • Data breaches exposing password databases from other services (and users often reuse passwords across sites)
  • Shoulder surfing where someone watches you type your password
  • Social engineering where attackers manipulate people into revealing passwords

Once a password is compromised, the attacker has full access to everything that account can reach. MFA dramatically reduces this risk because even if your password is stolen, the attacker still can't get in without the second factor.

CPCSC Level 1 MFA Requirements

For Level 1, MFA is specifically required for privileged accounts (administrators, users with elevated system rights, personnel who can modify security settings) and for systems that store Specified Information.

This risk-based approach focuses MFA protection on the highest-value targets—accounts that can do the most damage if compromised and systems containing the information adversaries most want to steal. Organizations may choose to implement MFA more broadly across all accounts for improved security, but Level 1 mandates it at minimum for these critical areas.

Implementation Options

Organizations can satisfy MFA requirements through several approaches:

  • Authenticator apps (like Google Authenticator, Microsoft Authenticator, Authy, or Duo) are the preferred method—these smartphone applications generate time-based codes that change every 30 seconds, providing something you have (your phone with the app) plus something you know (your password)
  • SMS-based verification, where the system texts a code to your phone that you enter after your password, is acceptable, though it is less secure than authenticator apps because SMS can be intercepted through SIM swapping or other attacks
  • Hardware security keys (like YubiKey or Titan Security Key) are physical USB or NFC devices that must be inserted or tapped to verify your identity, providing strong authentication but requiring organizations to purchase and manage the physical devices
  • Smart cards with certificates provide strong authentication common in government environments but have higher implementation costs
  • Biometric authentication (fingerprint or facial recognition) combined with passwords satisfies MFA, though this is typically implemented at the device level (unlocking your laptop) rather than for individual accounts

User Experience Considerations

Implementing MFA introduces a small amount of additional friction in the login process—users must perform an extra step rather than just entering their password.

However, modern MFA implementations minimize this burden through several features:

  • Trusted device registration allows marking personal devices as trusted so MFA isn't required for every single login from that device, only periodically or when something changes
  • Remember-me options reduce the frequency of MFA challenges for routine access
  • Push notifications allow simple "approve/deny" taps rather than typing codes
  • Single sign-on (SSO) systems let users authenticate once with MFA and then access multiple applications without repeating MFA for each

The key is balancing security with usability—overly burdensome MFA implementations encourage users to circumvent them, while well-designed implementations become routine habits with minimal disruption.

Device Loss Procedures

Since MFA often relies on possession of a phone or physical authenticator, organizations must establish clear recovery processes for when someone loses their MFA device or gets a new phone.

These procedures typically include a help desk or IT security team who can verify the user's identity through alternate means (in-person verification, manager confirmation, security questions) and then temporarily disable or re-enroll the user's MFA.

The recovery process itself must be secure to prevent attackers from using it to bypass MFA, but it also must be practical enough that legitimate device loss doesn't lock employees out indefinitely. Document these procedures clearly and communicate them during MFA training.

Training and Change Management

Successfully deploying MFA requires training users on several key areas:

  • How it works
  • Why it's necessary
  • How to enroll their devices
  • What to do if they lose their device or get a new phone
  • What to expect during the login process

Emphasize that MFA is protecting them and the organization, not just creating bureaucratic hurdles.

Change management is important because MFA represents a shift in how users access systems—give advance notice before rollout, provide clear instructions and support resources, and expect initial help desk volume to increase as users adjust to the new process. After a few weeks, MFA typically becomes routine and support requests decline.

Business Value Beyond Compliance

While you're implementing MFA to meet CPCSC requirements, recognize its broader value. MFA protects your own proprietary information, customer data, financial systems, and intellectual property using the same mechanisms that protect government Specified Information.

Many data breach incidents could have been prevented or contained if MFA had been in place. Cyber insurance carriers increasingly require MFA for coverage, and some offer premium discounts for organizations with robust MFA deployment.

Industry frameworks like SOC 2, ISO 27001, and PCI-DSS also increasingly expect or require MFA, making your CPCSC investment applicable to other compliance needs.


---

Why Choose Plurilock for CPCSC Readiness?

Preparing for CPCSC (Canadian Program for Cyber Security Certification) demands deep knowledge of the certification framework, careful evidence preparation, and hands-on technical implementation. Plurilock delivers with compliance readiness specialists serving Canadian defense suppliers who bring proven experience guiding contractors through cybersecurity certification programs on both sides of the border.

As an established CMMC readiness provider for U.S. defense contractors, we were among the first to extend that expertise north—launching CPCSC readiness services early and serving Canadian defense suppliers from the program's earliest days. We don't conduct audits; we get you ready for them, then help you stay ready.

Why we're the superior choice:

  • First-mover CPCSC expertise: Plurilock was among the first firms to launch dedicated CPCSC readiness services—and among the first to serve clients in this practice—giving your organization a partner with real, accumulated experience preparing suppliers for certification.
  • Deep CMMC heritage: Our established U.S. defense contractor practice has guided organizations through CMMC readiness for years, and those underlying controls map closely to CPCSC—we bring battle-tested methodologies, not theory borrowed from adjacent frameworks.
  • Federal experience on both sides of the border: With extensive engagements across U.S. and Canadian federal government environments, we understand the contractual, technical, and procedural realities that shape defense supply chain compliance.
  • Readiness assessment and gap analysis: We evaluate your current posture against CPCSC requirements, identify control gaps with precision, and deliver clear, prioritized roadmaps that align remediation effort to certification level and contract obligations.
  • Strategy and execution, not just paperwork: Beyond identifying gaps, we help you execute—planning the remediation program, supporting policy and evidence development, and preparing your team and systems so that when the assessor arrives, you're ready.

CPCSC-ready—with proven defense contractor experience guiding every step.


+1 (888) 776-9234 (Plurilock)
+1 (310) 530-8260 (Aurora)
+1 (613) 526-4945 (Integra)

sales@plurilock.com
