Multi-factor Authentication is not what you think

François Amigorena, CEO, IS Decisions

Stolen passwords are extremely dangerous to an organization. Why? Because detecting these attacks is a big challenge for IT teams: the attacker is using stolen but valid credentials. Given that, why and how would your security tools notice anything unusual? When the attacker logs in to your network, your security solutions believe that the person logging in is exactly who they claim to be.

This is where multi-factor authentication (MFA) comes into play. MFA constitutes one of the most powerful controls to prevent unauthorized and unwanted access. Without it, all of the other security measures you might have in place can be bypassed.

Businesses know about this huge risk, but a large majority still don’t take it seriously. A survey from a couple of years ago showed that only 38% of organizations were using MFA. What’s more worrying is that, according to more recent research, things haven’t changed today.

Organizations have the wrong idea about Multi-factor Authentication

1. MFA is not only for large enterprises

A common misconception about MFA is to think that only large enterprises can benefit from it. Actually, any company, regardless of size, should use MFA. The data to protect is as sensitive whether you’re a small-to-medium sized business (SMB) or a large enterprise. MFA can adapt and doesn’t need to be complex, expensive or frustrating!  

2. MFA is not only for privileged users

Another misconception is that MFA should only be used for privileged users. Unfortunately, this leads to a second false idea: that an organization doesn’t need MFA because it doesn’t have any privileged users. Let’s clarify all of that: MFA should be used to protect all users. Just because your users don’t have access to critical data doesn’t mean they don’t have access to information that can harm the company if inappropriately used. For example, consider a nurse selling a celebrity patient’s records to a newspaper: you can see the value of the data and how its exposure could hurt the company.

Apart from that, most attackers don’t start with a privileged account anyway. They usually start with an “easy” victim to get access to the network, and then move laterally until they find valuable data.

3. MFA is not perfect but it’s pretty close

Perfect doesn’t exist, especially in information security. However, we can say that MFA is close. The FBI recently published a warning regarding attacks in which MFA was bypassed. Two main authenticator vulnerabilities were found: ‘Channel Jacking’, which involves taking over the communication channel used for the authenticator, and ‘Real-Time Phishing’, which uses a machine-in-the-middle that intercepts and replays authentication messages. According to experts, those attacks require money and effort. In the majority of cases, cyber criminals who are faced with MFA will switch to their next target rather than try to bypass this measure. To avoid a number of these vulnerabilities, you can choose MFA authenticators that do not use SMS authentication. The National Institute of Standards and Technology (NIST) discourages SMS and voice in its latest Digital Identity Guidelines.

Despite the recent attacks, the FBI still believes that MFA is highly effective.

4. MFA is not necessarily disruptive

Employees’ productivity is very important to keep in mind when implementing a new solution. You want the disruption to be as small as possible to facilitate adoption. To achieve that with MFA, you need flexibility. The best way to avoid disruption is to customize MFA to your organization’s needs. This can be done with contextual controls that improve identity assurance: using environment information (where, when and from which device a logon happens) to further verify every user’s identity without impeding users’ productivity.
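The contextual approach described above can be made concrete with a small policy evaluator. The following is an added example written for this article, not code from IS Decisions or any product; the corporate network ranges, working hours, the session-count threshold and the “three or more signals means deny” rule are all assumptions chosen for illustration. It takes a logon context, derives risk signals from it, and decides whether to let the logon through, require an MFA step-up, or deny and alert, so that a user on a known device, on the corporate network, during working hours is not prompted, while an unusual context is.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed organization policy (constructed for this example).
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]
WORKING_HOURS = (time(7, 0), time(20, 0))
DENY_SIGNAL_COUNT = 3  # this many independent anomalies: deny and alert


@dataclass(frozen=True)
class LoginContext:
    """Environment information available at logon time."""
    user: str
    source_ip: str
    device_id: str               # identifier of the device making the request
    known_devices: frozenset     # devices previously enrolled for this user
    timestamp: datetime          # local time of the logon attempt
    concurrent_sessions: int     # sessions already open for this user


def risk_signals(ctx: LoginContext) -> list:
    """Return the contextual anomalies observed for this logon, in a fixed order."""
    signals = []
    ip = ip_address(ctx.source_ip)
    if not any(ip in net for net in CORPORATE_NETWORKS):
        signals.append("off-network")
    if ctx.device_id not in ctx.known_devices:
        signals.append("unknown-device")
    start, end = WORKING_HOURS
    if not (start <= ctx.timestamp.time() <= end):
        signals.append("outside-hours")
    if ctx.concurrent_sessions >= 1:
        signals.append("concurrent-session")
    return signals


def decide(ctx: LoginContext) -> tuple:
    """Map the observed signals to an access decision.

    'allow'       -> password alone is accepted in this context
    'require_mfa' -> prompt for a second factor before granting access
    'deny'        -> refuse the logon and raise an alert for IT
    """
    signals = risk_signals(ctx)
    if len(signals) >= DENY_SIGNAL_COUNT:
        return "deny", signals
    if signals:
        return "require_mfa", signals
    return "allow", signals


# Constructed sample logons (203.0.113.0/24 is a documentation range, not a real host).
KNOWN = frozenset({"laptop-1"})
ROUTINE = LoginContext("alice", "10.1.2.3", "laptop-1", KNOWN,
                       datetime(2024, 3, 4, 10, 0), 0)
REMOTE = LoginContext("alice", "203.0.113.5", "laptop-1", KNOWN,
                      datetime(2024, 3, 4, 10, 0), 0)
SUSPICIOUS = LoginContext("alice", "203.0.113.5", "unregistered-pc", KNOWN,
                          datetime(2024, 3, 4, 2, 0), 1)

if __name__ == "__main__":
    for ctx in (ROUTINE, REMOTE, SUSPICIOUS):
        verdict, why = decide(ctx)
        print(f"{ctx.user}@{ctx.source_ip} on {ctx.device_id}: {verdict} {why}")
```

The point of the design is that the second factor is still enforced for every user; what the context changes is only whether a given logon needs the prompt, and a pile-up of anomalies is treated as a likely credential theft rather than as a reason to ask for yet another factor.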

Stolen passwords can happen to anyone, privileged and non-privileged users alike. This is the reason why MFA should be included in every organization’s security strategy, whether SMB or large enterprise.