
The Importance of Multi-factor Authentication in Compliance Training

9 minute read

Information Security
MFA compliance training
Last updated: September 23, 2025

Cyber threats are constantly evolving, so relying on a password alone is no longer enough to protect sensitive compliance data. Multi-factor authentication (MFA) adds an essential extra layer of security, making it much harder for attackers to gain unauthorised access. For organisations managing regulatory obligations, a compliance platform with MFA is a critical safeguard.

Key takeaways:

  • Multi-factor authentication (MFA) is essential to protecting personal data that you process within your compliance platform, especially if you work in high-risk industries like banking, insurance or healthcare.
  • If a cybercriminal gains access to your compliance platform, they could access sensitive data like employment records and exploit your entire network.


Around 65% of the UK population is worried about being hacked, with cybercriminals often gaining access to accounts by cracking passwords. Even strong passwords are at risk due to techniques like credential stuffing or password spraying.

That's why businesses use multi-factor authentication (MFA), which adds a 'second factor' of verification after your username and password combination. A common example is confirming your identity via a text message after inputting your password. Biometrics like face or fingerprint ID also provide another layer of protection.

Why is it important to have multi-factor authentication in your compliance platform?

MFA is used by businesses across industries, including banking, health, insurance, retail, and technology (such as Microsoft, Google, Amazon, and Meta), to protect people's personal data. Some organisations, like the NHS, have introduced an MFA policy for their digital systems to strengthen security, and the government advises using two different forms of authentication.

1. Protects personal data

It's essential to have MFA with your compliance platform because if a hacker gains entry, they can steal sensitive information about your employees, such as job roles, records and training certificates. It’s even more important if the compliance platform is integrated with other systems like HR software or Salesforce, because it will make it easier for hackers to infiltrate them and gain access to your entire network.

Back in 2023, cybercriminals got into transport company KNP's system by guessing an employee's password. They locked all internal systems and held them to ransom for an estimated £5m, causing the firm to eventually cease trading.

By implementing MFA into compliance platforms, businesses can mitigate risks even if employees do use easy-to-guess passwords, because it adds an extra defence against hackers.

Quick stat

Research in our report, Careless Clicks: Could your team spot a cyber attack?, reveals that 55% of employees in the UK use easy-to-guess passwords at least some of the time, while 6% use them often.

2. Compliance

While MFA is not a requirement under law, it’s strongly recommended by the Information Commissioner’s Office (ICO):

“You should implement two-factor or multifactor authentication wherever it is possible to do so - to take the most common example, a password and a one-time token generator. This will be more important where the personal data that can be accessed is of a sensitive nature, or could cause significant harm if it were compromised.”

By implementing MFA across platforms, you can demonstrate compliance with GDPR and show evidence that you are protecting personal data in the event of a breach.

Compliance frameworks like ISO 27001 also require you to enable secure authentication, which MFA can help to achieve. It’s stricter in the financial sector, with the Payment Card Industry Data Security Standard (PCI DSS) requiring MFA for all users who have access to debit/credit card data. This applies to both internal and external access.

3. Security best practices

The Zero Trust Model is a security strategy that grants no user implicit trust: every login must be verified, typically through MFA, before access is granted. The guiding principle is "never trust, always verify", so whoever logs in, and from whatever device, must be verified before they gain access to the account or system.

According to Microsoft, one of the main principles is to "Always authenticate and authorise based on all the data points". Zero Trust also incorporates further controls such as least-privilege access, where users are given only the minimum access they need.

Even if you don't operate on a Zero Trust Model, the National Cyber Security Centre (NCSC) recommends that businesses using online services (such as the cloud) implement MFA, because a username and password alone aren't enough to protect sensitive data.

Choosing a compliance platform with multi-factor authentication

The NCSC states you should choose the strongest type of MFA that’s available to you, so start by checking if the compliance platform offers MFA and what type.

Types of MFA

There are different types of MFA, including one-time passwords (OTPs), authentication apps and codes sent through email or message. OTPs delivered by SMS are commonly used, but they may not be the best option for high-risk industries like banking or insurance, because cybercriminals deploy bots to intercept them or carry out SIM swapping. Messaging apps like WhatsApp are more secure than SMS for sending OTPs because they are end-to-end encrypted.

The Financial Conduct Authority uses MFA, including OTPs, for its systems, and recommends firms use the Salesforce Authenticator App to log in. These apps are downloaded onto mobiles, so codes are produced in-app and never sent via SMS, reducing the opportunity for cybercriminals to steal them.

But you should also consider the user experience with authenticator apps – some users may not feel comfortable using or downloading them, and may not want to switch between apps when attempting to log in, especially if the codes are time sensitive.
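To make concrete what an authenticator app does when it "produces codes in-app", here is an added example (not Skillcast's code, and not the Salesforce Authenticator's) of time-based one-time passwords as standardised in RFC 6238: the app and the server share a secret, each derives the current code from the time, and the server accepts it only within a small clock-drift window and never twice. The secret used in `main` is the RFC's published test secret, not a real credential; the `skew` and `lastCounter` parameters are this example's own design choices for handling drift and replay.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// Step is the RFC 6238 time step in seconds; Digits is the code length.
const (
	Step   = 30
	Digits = 6
)

// hotp implements the RFC 4226 HMAC-SHA1 dynamic truncation for one counter value.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < Digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", Digits, bin%mod)
}

// TOTP returns the code valid at Unix time t (RFC 6238 with T0 = 0).
func TOTP(secret []byte, t int64) string {
	return hotp(secret, uint64(t/Step))
}

// Verify accepts a submitted code if it matches the current time step or any
// step within `skew` steps either side (tolerating clock drift), but refuses
// any step at or before lastCounter so a captured code cannot be replayed.
// It returns whether the code was accepted and the counter the caller should
// persist as the new lastCounter.
func Verify(secret []byte, code string, now int64, skew int, lastCounter int64) (bool, int64) {
	current := now / Step
	for d := -int64(skew); d <= int64(skew); d++ {
		c := current + d
		if c < 0 || c <= lastCounter {
			continue // already used, or older than the last accepted step
		}
		// Constant-time comparison so response timing does not reveal how many digits matched.
		if subtle.ConstantTimeCompare([]byte(hotp(secret, uint64(c))), []byte(code)) == 1 {
			return true, c
		}
	}
	return false, lastCounter
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test-vector secret, not a real key
	now := time.Now().Unix()
	code := TOTP(secret, now) // what the authenticator app would display
	ok, counter := Verify(secret, code, now, 1, -1)
	fmt.Println("code:", code, "accepted:", ok)
	// Submitting the same code again within the same step is refused.
	ok, _ = Verify(secret, code, now, 1, counter)
	fmt.Println("replay accepted:", ok)
}
```

The replay check is the part that matters for the "time-limited" property the article describes: a 30-second window alone is not enough if the same code can be submitted twice inside it, so the server must remember the last counter it accepted for each user.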

Quick fact

It’s best to evaluate the sensitivity of your personal data, for example, financial and health data may need stronger MFA, and then decide on the strongest option.

The NCSC recommends FIDO2 authentication as one of the most secure methods of MFA. This is where users log in without a password – instead they use biometrics, authentication apps or hardware security keys (such as a YubiKey). When logging into a compliance platform, the user's device holds a private key that never leaves it, while the compliance platform stores the matching public key; at login the platform sends a random challenge, the device signs it with the private key, and the platform verifies the signature with the public key.
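The private-key/public-key login step described above, as an added example that is not part of the original post and not a WebAuthn library: a simplified model of the FIDO2 challenge-response in which the relying party (the compliance platform) keeps only a public key and a signature counter, the authenticator keeps the private key, and the signature binds the challenge to the origin the browser reports. The relying-party ID `compliance.example` and the lookalike domain in `main` are placeholders; the counter and the way the signed data is assembled follow the shape of WebAuthn's assertion but are reduced for readability.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Authenticator stands in for a security key or platform authenticator:
// the private key and the signature counter never leave it.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// RelyingParty stands in for the compliance platform. It stores only the
// public key and the highest signature counter it has accepted so far.
type RelyingParty struct {
	id      string // relying-party ID, e.g. the platform's domain (placeholder in main)
	pub     *ecdsa.PublicKey
	counter uint32
}

// Assertion is the authenticator's answer to one login challenge.
type Assertion struct {
	RPIDHash [32]byte // hash of the origin the authenticator believed it was signing for
	Counter  uint32
	Sig      []byte // ASN.1-encoded ECDSA signature over signedData(...)
}

// Register mints a P-256 key pair for this relying party; the RP keeps only the public half.
func Register(rpID string) (*Authenticator, *RelyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &RelyingParty{id: rpID, pub: &priv.PublicKey}, nil
}

// NewChallenge issues a fresh 32-byte random nonce for each login attempt.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedData binds origin hash and counter to the challenge, a reduced form of
// WebAuthn's authenticatorData || SHA-256(clientDataJSON).
func signedData(rpIDHash [32]byte, counter uint32, challenge []byte) []byte {
	h := sha256.New()
	h.Write(rpIDHash[:])
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	h.Write(ctr[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign answers a challenge for the origin the browser reports. A lookalike site
// on another domain obtains a signature bound to its own domain, which the real RP rejects.
func (a *Authenticator) Sign(origin string, challenge []byte) (Assertion, error) {
	a.counter++
	rpHash := sha256.Sum256([]byte(origin))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedData(rpHash, a.counter, challenge))
	return Assertion{RPIDHash: rpHash, Counter: a.counter, Sig: sig}, err
}

// Verify checks origin binding, counter monotonicity (replay or cloned key) and the signature.
func (rp *RelyingParty) Verify(challenge []byte, as Assertion) bool {
	if as.RPIDHash != sha256.Sum256([]byte(rp.id)) {
		return false // signed for a different origin
	}
	if as.Counter <= rp.counter {
		return false // replayed assertion, or a cloned authenticator
	}
	if !ecdsa.VerifyASN1(rp.pub, signedData(as.RPIDHash, as.Counter, challenge), as.Sig) {
		return false // wrong key, or the challenge does not match
	}
	rp.counter = as.Counter
	return true
}

func main() {
	auth, rp, err := Register("compliance.example") // placeholder relying-party ID
	if err != nil {
		panic(err)
	}
	challenge, _ := rp.NewChallenge()
	as, _ := auth.Sign("compliance.example", challenge)
	fmt.Println("genuine login accepted:", rp.Verify(challenge, as))
	fmt.Println("same assertion replayed:", rp.Verify(challenge, as))
	other, _ := rp.NewChallenge()
	relayed, _ := auth.Sign("compliance-example.invalid", other) // placeholder lookalike origin
	fmt.Println("assertion signed for lookalike origin accepted:", rp.Verify(other, relayed))
}
```

Two properties follow directly from the structure: the platform holds nothing that lets an intruder log in (a stolen public key is useless without the private key), and a code entered on the wrong site cannot be relayed, because the origin is part of what is signed. That is why FIDO2 resists the interception and phishing problems the article raises for SMS codes.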

Cost vs benefit

It’s cost-effective to implement MFA with your compliance platform because a regulatory breach can lead to substantial fines. For example, Meta in Ireland was fined €91m because it mishandled social media users’ passwords. But some types of MFA may be more costly: FIDO2, for example, is expensive to implement because every user will need a device. In this case, an authentication app might be more cost-effective and reduce the risks associated with lost or stolen devices. You can make further cost savings if your compliance platform has MFA integrated.

Which compliance platforms have multi-factor authentication?

Skillcast is a trusted compliance training platform that enables MFA to access client portals where personal data is stored and processed. This includes two-factor authentication, where users are sent a time-limited OTP through email to reduce the risk of this being intercepted. To access the account or management portal, you will need an OTP.

On the Skillcast platform, MFA is supported via email, and for organisations using Single Sign-On (SSO), their default MFA settings apply seamlessly across the system. This flexibility allows clients to align platform security with their wider IT policies, ensuring consistent protection without adding extra complexity. The compliance platform is also ISO 27001 accredited, so it follows the highest data security standards.

When evaluating compliance platforms, it’s important to consider not just whether MFA is offered, but also how it integrates with your organisation’s existing security framework.

Multi-factor Authentication FAQs

What is multi-factor authentication?

Multi-factor authentication is a security process that requires two or more steps of verification when attempting to gain access to an account or system. The first is typically a username (or email address) and password combination, and the second can be a one-time passcode, biometrics, a verification code sent through email or text, an authentication app or FIDO2. It’s more secure than relying on passwords alone because it requires a device or biometrics, which cybercriminals don't typically have access to.

What is the difference between MFA and 2FA?

Two-factor authentication (2FA) is a type of multi-factor authentication that uses a two-stage verification process. For example, you may be required to log in using your username and password, and then a one-time passcode sent to your email. MFA can include two, three or more factors of verification, but the government recommends using the authentication method that is best suited to the specific needs and risks of what is being protected.

How to log in with MFA?

With Skillcast, once you've entered your username and password, you will be presented with a one-time passcode screen. Click 'Get OTP' and you will be sent a code to your registered email address. The code is time-limited, so enter it into the screen quickly and then click 'Validate OTP' to sign in.

Want to learn more about Information Security?

Our Essentials Library contains e-learning content designed to help organisations meet fundamental compliance requirements. If you are looking for focused training, our Cybersecurity Training Package offers a complete solution for your compliance programme. Courses in the libraries include:

If you would like to access leading insights and compliance tips, you can browse our free resources by topic to find guides, modules, compliance bites and more.

