
This is the latest in our regular series of cyber updates from Trevor Bradfield, Cyber Security expert at Unity IT. In this edition, Trevor explains why Multi-Factor Authentication alone may no longer be enough to keep your clients’ data secure — and introduces a powerful extra layer of protection: Conditional Access.

Just when you thought it was safe… 
 
Multi-Factor Authentication (MFA) has long been the go-to security measure to protect accounts from unauthorized access. But cybercriminals are getting smarter. Today, even MFA can be bypassed - especially through a growing threat called token theft. For bookkeepers managing sensitive financial data, understanding this risk is critical. 

When you log in using MFA, your system generates a session token that keeps you authenticated. Hackers now use phishing and malware to steal these tokens after you log in - allowing them to impersonate you without needing your password or MFA code. It’s like a criminal copying your office key after you’ve unlocked the door. 

For bookkeepers handling client records, payroll, and financial reports, this risk is severe. A single compromised session token can lead to unauthorized wire transfers, financial fraud, or a full data breach. 

That’s where Conditional Access comes in. Conditional Access goes beyond simple MFA by analysing how and where access is requested. For example, it can block login attempts from unfamiliar locations, deny access from unmanaged devices, or require reauthentication if something looks suspicious - even after MFA has been completed and the session token is issued.

Conditional Access policies also allow you to enforce zero-trust principles: always verify, never trust. They ensure that every access attempt is evaluated in real time, protecting your session tokens even after login.
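The per-request evaluation described above, as an added sketch (not code from Unity IT or from any vendor's product): each request that presents a session token is checked against policy and against the context in which the token was issued. The policy values, field names and sample requests are constructed for illustration.

```python
from dataclasses import dataclass

# Assumed policy for this sketch: countries the practice normally works from.
TRUSTED_COUNTRIES = {"GB", "IE"}


@dataclass(frozen=True)
class Context:
    country: str          # where the request came from
    device_id: str        # identifier of the device presenting the token
    device_managed: bool  # enrolled in the firm's device management?


def evaluate(issued: dict, token_id: str, now: Context) -> str:
    """Decide 'allow', 'reauth' or 'block' for one request carrying a session token."""
    origin = issued.get(token_id)
    if origin is None:
        return "block"    # token this service never issued
    if not now.device_managed:
        return "block"    # unmanaged device
    if now.country not in TRUSTED_COUNTRIES:
        return "block"    # unfamiliar location
    if now.device_id != origin.device_id or now.country != origin.country:
        return "reauth"   # token has moved since MFA: verify the user again
    return "allow"


def demo() -> list:
    # Constructed sample data: one token issued after MFA on a managed laptop in GB.
    issued = {"tok-1": Context("GB", "laptop-01", True)}
    requests = [
        Context("GB", "laptop-01", True),    # same device, same place
        Context("IE", "tablet-07", True),    # managed, but not the issuing device
        Context("ZZ", "unknown-pc", False),  # copied token presented from elsewhere
    ]
    return [evaluate(issued, "tok-1", r) for r in requests]


if __name__ == "__main__":
    print(demo())
```

With MFA alone, all three requests would be accepted, because each one carries a valid token.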

As a bookkeeper, your clients trust you with their most sensitive data. Relying solely on MFA is no longer enough. By implementing Conditional Access policies, you can significantly reduce the risk of token theft - and provide your clients with the level of protection they expect in today’s threat landscape. 

So, when you next hear the golden phrase “MFA”, go one step further and include Conditional Access in the conversation.   

The hackers won’t like it, and that’s what we like! 

Stay secure. Stay ahead.  

ICB has certified the Cyber Essentials Certification through Unity IT for all ICB members. Unity IT are an officially Accredited Certifying Body for Cyber Essentials.    

For more information, contact Unity IT on 028 9266 1190 or email support@unityit.co.uk  
