Multi-factor authentication (MFA) is a second layer of protection for when a password alone fails to protect you. It provides a lot of security for very little investment in time and money.
For that reason, it is a priority for the Australian Government Cybersecurity Strategy. All legal practices should use MFA routinely on as many critical accounts and systems as they can.
Staff should also use it on devices and networks that might be used to access client data, and on their own email.

Where should MFA be applied?
For law practices, basic security requires mandatory MFA on all email, remote access, practice‑management/document management, file‑sharing, finance and user accounts.
Organisations moving away from passwords or using Single Sign On options should ensure that the new systems insist on MFA by default.
Even entry points you don’t use often – such as webmail supplied by your ISP or management dashboards for printers and modems – need second layers of protection if possible. Criminals are adept at finding forgotten entry points and exploiting them.
For small practices the QLS Guide to Multi-Factor Authentication is a useful starting point. Larger firms should ask IT staff to follow the ACSC’s Implementing Multi‑Factor Authentication guidance.

Where do mistakes get made?
Many firms think MFA has been applied to all their important systems, but on closer examination find cracks in the armour.
- Password reset requests go to personal email. Staff may set a personal address as the recovery channel for work accounts. If that personal mailbox is compromised, attackers can reset passwords to practice systems. ACSC’s recovery guidance is explicit: treat recovery channels as a primary risk and protect them. Require MFA on personal email, check recovery details, and follow the step‑by‑step recovery advice if compromise is suspected [1].
- Some accounts and systems get missed. Where your IT and hardware are not managed centrally, individual accounts and devices can be overlooked. Check MFA status regularly, along with backups and software updates.
- BYOD/mobile devices. Phones are increasingly used as MFA tools: when a new login is detected, a push message goes to an app on the phone and must be confirmed before the login proceeds. That doesn’t work if the phone itself is not protected. Ensure that (1) phones require a password or fingerprint to unlock and (2) SMS messages are not visible on the lock screen. (Qld firms have been hacked through MFA codes sent by SMS being visible on a stolen phone) [2].
- Talk through appropriate protections with IT support. Strike the correct balance between security and efficiency: for some accounts MFA might not be needed at every login, for others it is essential.
- Don’t use SMS codes. These might still be offered by some MFA systems, but it is too easy to divert a phone number. An app such as Google, Microsoft or Proton Authenticator is a safer way to receive codes.
- If you have to turn MFA off as a workaround, make sure turning it back on again is a priority.
Additional Resources
- Queensland Law Society — Multi‑Factor Authentication Guide
- Australian Signals Directorate cyber security information
- [1] ACSC – Recovering a compromised email / online account; Hotline 1300 CYBER1
- [2] ACSC ISM – Guidelines for Enterprise Mobility (web + PDF)