Multi-Factor Authentication: What Law Firms Need To Understand


When you log on to a computer with your username and password, your password is a single factor used to authenticate you. Passwords can be guessed. If you reuse a password on another site and that website gets compromised, the leaked password gives an attacker access to every other site where you used it. Requiring a second or even third factor to authenticate you is vital.


Multi-factor authentication (MFA) requires one factor, such as a password, to be combined with another factor, such as a code texted to your phone or a biometric such as your fingerprint or retina scan, before you can get into your account. The factors generally fall into three categories: (a) something you know (a password), (b) something you have (a phone), or (c) something you are (biometrics).



Long passwords are still important even if MFA is enabled. A 20-character password can sound daunting, but a phrase can be very strong yet easy to remember. Attackers use computers to brute-force accounts, which means guessing passwords at high speed. The longer your password, the harder it is to guess.

But even a strong password can be compromised.

The general theme with strong security is layers — having multiple ways to authenticate you is important. There’s no such thing as perfect security, but stronger security generally means having multiple layers that a hacker must get through.


One of the most important accounts to protect is your email. While someone hacking into your Office 365 and impersonating you to send out emails is bad, what is potentially more damaging is the impact on your other accounts. Password reset procedures are often built around the concept of emailing you a link to reset your password. If someone compromises your inbox, they might reset passwords on all your accounts!

With two-factor authentication (2FA) enabled on your email account, someone would generally need to have your phone to get into your email. With this extra step, your email is probably not going to get hacked.

If your phone is stolen, hopefully you have protection on your phone, such as a PIN and a fingerprint. Once again, it’s about layers. Be thoughtful about your risk management. Consider the likelihood of something happening and what the damage would be if it did. There is a higher likelihood of attacks launched over the internet because such an attack (like logging into your email) can be automated. Take protective steps accordingly.


Two-factor authentication can be accomplished with a text message to your phone. This is a solid approach. However, be aware that text messages can be spoofed. When someone fraudulently sends you an SMS text message that tries to get you to do something, that is called smishing.



For an even more secure approach, you can use an app on your phone or a physical key like a YubiKey, a USB key you can keep on your key chain along with your house and car keys. Receiving a text message on your phone is easy and reasonably secure, but taking it to the next step with an app on the phone or a physical device makes it even stronger.

There are free and paid options for phone applications. Google Authenticator is probably the most popular free app. Microsoft’s authenticator is another free app.


If you think you’re not a target because your firm is small, guess again. It is far more common for small firms to be breached than larger ones simply because there are more small firms out there. If you are using Office 365 or Google G Suite, require 2FA for your employees to log in. You will not generally have to go through a two-factor process every time you access your account. However, if you are logging in for the first time from a different device, expect a second factor to be required.

You want your systems to be sure that it is really you and not a hacker pretending to be you. MFA will require extra validation here and there, but the impact should be small. It is not going to change the way you or your employees live. If you get hacked, however, your life can get turned upside down. It’s not a risk worth taking.


Lastly, you are never supposed to reuse a password between multiple sites. You may ask yourself, I’m a mere mortal, how can I possibly remember a different password for every site? Don’t try to remember all these passwords. Use a password manager to remember your different passwords at different sites. There are many to choose from. Have a strong, long password to protect your password manager and, of course, require MFA.

A good password manager, and MFA to secure it, go a long way toward protecting your accounts.

Dave Kinsey

Dave Kinsey is the president and owner of Total Networks, the technology adviser to Arizona’s law firms. Mr. Kinsey is on the technology committee for the State Bar of Arizona, has presented at several CLE seminars on the topics of technology security and data protection, and his team is the first and only Arizona IT company to earn the CompTIA Security Trustmark, certifying that Total Networks meets or exceeds security best practices.
