Multi-factor authentication (MFA) constitutes one of the most effective controls to prevent unauthorized access. Without MFA in place, all of the other security measures can be bypassed.
Weak login security is one of the most dangerous threats to an organization. According to a recent report, 81% of breaches leveraged stolen or weak passwords. This is a big challenge for IT teams because the attacker is using stolen but valid credentials. Keeping that in mind, why would your security tools detect anything unusual? When the hacker logs in, your security solutions assume that the person logging in is who they say they are.
Despite this threat being well known to organizations, many still don’t take login security seriously enough. We conducted a survey a few years ago, and the results showed that only 38% of businesses were using MFA. It’s quite worrying to see that, according to recent research, things haven’t changed much today.
Multifactor Authentication is not what you think
1. MFA doesn’t benefit only large enterprises
Many businesses assume that MFA is only for large enterprises and not for small-to-medium sized businesses (SMBs). Well, that’s not true. Any company, regardless of size, can benefit from MFA. If you think about it, the data you want to protect is just as sensitive whether your organization is an SMB or a large enterprise. MFA doesn’t have to be complicated, expensive or frustrating!
2. MFA is not just for privileged users
A majority of businesses also think that MFA should only be used for privileged users. This misconception leads to a second one: that they don’t have any privileged users, so they don’t need MFA. Well, that’s not true either. MFA should be used to protect all users. You need to understand that even though your users don’t have access to critical data, they still have access to a large amount of information that can harm the company if used inappropriately. Let’s take an example: a nurse sells a celebrity’s patient record to a newspaper. No need to explain how valuable this data is and how much it could hurt the organization.
Furthermore, most hackers start with an “easy” target, not with a privileged account. Once they get access to the network, they move laterally until they find valuable data.
3. MFA is not perfect but it’s close
No security solution is perfect; such a thing doesn’t exist. However, MFA is close. A couple of weeks ago, the FBI issued a warning about recent attacks where MFA was bypassed. Two main authenticator vulnerabilities were found: ‘Channel Jacking’, which involves taking over the communication channel used by the authenticator, and ‘Real-Time Phishing’, which uses a machine-in-the-middle to intercept and replay authentication messages. According to experts, those attacks require money and effort. Most of the time, attackers who are faced with MFA prefer to move on to their next target rather than try to bypass this measure. To avoid some of these vulnerabilities, you can start by choosing MFA authenticators that do not rely on SMS. (The National Institute of Standards and Technology (NIST) discourages SMS and voice in its latest Digital Identity Guidelines.)
The FBI still thinks that MFA is highly effective.
4. MFA doesn’t have to be disruptive
Disruption is always a challenge when implementing a new solution, and you want as little of it as possible. If the new technology is too disruptive, adoption will be slowed down or even stopped. This is why flexibility is key when using an MFA solution. The best way to avoid disruption is to customize MFA to your own needs. This can be done by improving identity assurance with contextual controls, which use environment information to further verify every user’s identity without impeding employees’ productivity. Such context can include location, machine, time, session type and the number of simultaneous sessions.
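As an added illustration of the contextual controls listed above (this is example code written for this article, not UserLock’s implementation), the following policy evaluator classifies a logon attempt from its location, machine, time, session type and concurrent-session count. The tiering is an assumption: hard limits (session type, session cap) deny the logon, any other inconsistency with the user’s usual context enforces the MFA prompt, and a fully consistent context is reported as "allow". Network ranges, machine names and thresholds are constructed sample values.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Hypothetical contextual-access policy; field names and thresholds are assumptions.
@dataclass
class ContextPolicy:
    trusted_networks: tuple            # office / VPN ranges, e.g. ("10.20.0.0/16",)
    known_machines: frozenset          # workstations the user normally logs on from
    allowed_session_types: frozenset   # e.g. {"console", "rdp"}
    work_start: time
    work_end: time
    max_sessions: int                  # concurrent sessions permitted per user

@dataclass
class LoginContext:
    user: str
    source_ip: str
    machine: str
    session_type: str
    login_time: time
    active_sessions: int               # sessions already open for this user

def evaluate(ctx: LoginContext, policy: ContextPolicy) -> tuple[str, list[str]]:
    """Return ("deny" | "mfa" | "allow", reasons) for one logon attempt."""
    # Hard limits: session type and concurrent-session cap deny outright.
    if ctx.session_type not in policy.allowed_session_types:
        return "deny", [f"session type {ctx.session_type!r} not permitted"]
    if ctx.active_sessions >= policy.max_sessions:
        return "deny", [f"{ctx.active_sessions} sessions open (limit {policy.max_sessions})"]
    # Soft signals: each mismatch with the usual context adds a reason to enforce MFA.
    reasons = []
    src = ip_address(ctx.source_ip)
    if not any(src in ip_network(net) for net in policy.trusted_networks):
        reasons.append(f"location: {ctx.source_ip} outside trusted networks")
    if ctx.machine not in policy.known_machines:
        reasons.append(f"machine: {ctx.machine} is not a known workstation")
    if not policy.work_start <= ctx.login_time <= policy.work_end:
        reasons.append(f"time: logon at {ctx.login_time:%H:%M} outside working hours")
    return ("mfa", reasons) if reasons else ("allow", [])

# Constructed sample policy and logon attempts for one user.
POLICY = ContextPolicy(trusted_networks=("10.20.0.0/16",),
                       known_machines=frozenset({"WS-0417"}),
                       allowed_session_types=frozenset({"console", "rdp"}),
                       work_start=time(7, 0), work_end=time(19, 0), max_sessions=2)
USUAL = LoginContext("jsmith", "10.20.5.31", "WS-0417", "console", time(9, 15), 0)
ODD = LoginContext("jsmith", "203.0.113.9", "LAPTOP-X1", "rdp", time(2, 40), 1)
TOO_MANY = LoginContext("jsmith", "10.20.5.31", "WS-0417", "console", time(9, 15), 2)
```

Running `evaluate(ODD, POLICY)` returns the "mfa" decision with three reasons (location, machine and time), while `USUAL` is classified "allow" and `TOO_MANY` is denied on the session cap.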
Stolen credentials can happen to anyone which is why MFA should be part of every organization’s security strategy, whether SMB or large enterprise. Discover how UserLock makes it easy to enable MFA and context access management on a Windows Active Directory environment.