Truly popularized in the mid-2000s, multi-factor authentication (MFA) has been security practitioners’ go-to response whenever someone asks, “what can I be doing right now to protect my data and accounts?” It’s often listed as a default best practice to defend against many cyber attacks and attack vectors such as phishing, business email compromise (BEC), keystroke logging, brute force, and certain types of man-in-the-middle (MiTM) attacks.
Recent events, however, have called into question MFA’s ability to stop particular account-takeover techniques. For instance, one news story reported that BEC attackers bypassed Microsoft 365 MFA to reach a business executive’s account.
Using a spoofed login page linked from a DocuSign-themed phishing email, they had the victim submit their credentials and then complete what looked like a normal MFA prompt. Because the user approved the verification in their authenticator application, the Microsoft service recorded the login as a successful MFA.
The issue is that the spoofed page acted as a proxy between the victim and the real login service: it relayed the username, password and MFA approval to Microsoft in real time and captured the session token that came back. With that token the attackers were inside the account without facing a second MFA prompt, and they used the access to register a new authenticator app so they could generate their own MFA codes from then on.
This technique has been making the rounds, and it raises the question: is MFA still a viable solution?
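Why the proxy in the story above works against a one-time code but not against an origin-bound credential, shown as an added example that is not part of the original story or any vendor’s code. The first half generates and checks an RFC 6238 TOTP code using only the standard library. The second half is a deliberately simplified stand-in for a FIDO2/WebAuthn relying party: an HMAC replaces the credential’s asymmetric signature, and the origins, secrets and challenge are constructed for the demo. What it keeps is the check that matters: the browser records the origin it is actually talking to inside the signed client data, and the relying party refuses anything signed for a different origin.

```python
import hashlib
import hmac
import json
import struct
import time
from typing import Tuple

# Constructed demo values; none of these come from a real deployment.
TOTP_SECRET = b"demo-shared-secret-for-totp"
RP_ORIGIN = "https://login.example.com"          # the legitimate identity provider
PROXY_ORIGIN = "https://login-example.com.evil"  # the attacker's phishing proxy


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def server_accepts_totp(submitted: str, unix_time: float) -> bool:
    """The IdP only checks that the code is valid for the current window.
    Nothing ties the code to the page the user typed it into."""
    return hmac.compare_digest(submitted, totp(TOTP_SECRET, unix_time))


def aitm_relay_totp(unix_time: float) -> bool:
    """Adversary-in-the-middle flow: the victim reads a valid code from their
    authenticator app and types it into the proxy page; the proxy forwards it
    to the real IdP within the same 30-second window."""
    victim_code = totp(TOTP_SECRET, unix_time)
    return server_accepts_totp(victim_code, unix_time)  # accepted: code is phishable


# Simplified origin-bound authenticator. Real WebAuthn signs with the
# credential's private key; HMAC stands in here so the demo needs no
# third-party library. The checked content is the same: clientDataJSON.
CREDENTIAL_KEY = b"demo-credential-key-registered-with-login.example.com"


def authenticator_sign(challenge: bytes, browser_origin: str) -> Tuple[bytes, bytes]:
    """The browser fills in the origin it is connected to; the user cannot change it."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge.hex(),
                              "origin": browser_origin}).encode()
    sig = hmac.new(CREDENTIAL_KEY, client_data, hashlib.sha256).digest()
    return client_data, sig


def rp_verify(challenge: bytes, client_data: bytes, sig: bytes) -> bool:
    """Relying-party side: reject on origin mismatch before checking the signature."""
    data = json.loads(client_data)
    if data.get("origin") != RP_ORIGIN:
        return False  # assertion was produced for another site: reject
    if data.get("challenge") != challenge.hex():
        return False  # stale or replayed assertion
    expected = hmac.new(CREDENTIAL_KEY, client_data, hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def aitm_relay_webauthn(challenge: bytes) -> bool:
    """Same proxy, but the victim's browser is on the phishing origin, so the
    signed client data names PROXY_ORIGIN. Relaying it to the real RP fails."""
    client_data, sig = authenticator_sign(challenge, PROXY_ORIGIN)
    return rp_verify(challenge, client_data, sig)


if __name__ == "__main__":
    now = time.time()
    print("TOTP relayed through proxy accepted:", aitm_relay_totp(now))               # True
    print("WebAuthn relayed through proxy accepted:", aitm_relay_webauthn(b"\x01" * 32))  # False
```

The code typed into the phishing page is valid for the real service because the service cannot tell where it was typed; the origin-bound assertion is rejected because the browser, not the user, decides what origin goes into the signed data.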
Understanding MFA’s True Definition
Before diving into the details of MFA, it’s essential to understand the true definition of the concept. MFA is the process of verifying a user’s identity by combining more than one independent “factor” before granting access to an account or system. A factor can be one of three types:
- Knowledge: Something a user knows, such as a password or personal identification number (PIN).
- Possession: Something a user owns or has, such as a YubiKey device, smart card, or hardware token.
- Inherence: Something a user is, such as a fingerprint or face scan.
The key word in the definition is “multi-factor”: the factors must be of two (or more) different types. MFA is often confused with two-step verification (2SV), which uses two checks of the same type, such as a password plus a security question (both something the user knows), to log into an application.
MFA and Passwordless Authentication
In today’s security world, MFA is often grouped with or compared to passwordless authentication. Passwordless methods verify a user without any knowledge-based factor (password, PIN, or security question) and rely instead on possession and inherence factors: hardware and biometrics.
Major technology enterprises such as Apple, Google, and Microsoft have built passwordless sign-in into their platforms and publicly committed to moving away from passwords. For instance, when logging into a mobile banking app, the smartphone is the “something a user has,” and the user proves possession with a fingerprint that unlocks a key stored on the device or with a one-time code delivered to it.
Much of this shift is driven by the critical weakness of passwords: the human using them. One widely cited industry breach report found the human element involved in 82% of breaches, typically weak passwords, credentials handed over to phishing pages, or credentials stored insecurely. Security, more than convenience, is the leading argument for going passwordless for both the initial login and the MFA step.
Passwordless has its own challenges, however: implementation cost and user adoption. Standing up the infrastructure and buying hardware such as YubiKeys or other Fast Identity Online (FIDO) keys for every user is expensive. Users have also been comfortable with usernames and passwords for years, so switching to biometric or hardware-based authentication requires training before it is fully adopted.
Best Practices for Multi-Factor Authentication
The consensus is that MFA remains an extremely effective control against breaches and cyber-attacks when it is implemented properly. With that in mind, here are a few best practices to follow when using MFA:
- Prioritize User Experience: The security of MFA is only valuable if the users actually use the tool. When they become frustrated with the process, it could prompt them to avoid using MFA altogether. Therefore, anything you can do to make it easier for employees to access their accounts, such as training or keeping the MFA protocol simple, should be considered.
- Evaluate Your Unique Needs: Different businesses will have particular MFA needs regarding the tools and factors they should use. For instance, insurance agencies that tend to have many sales reps on the road would be better served with a simple biometric fingerprint to access their phone and mobile CRM. Alternatively, a software development firm with programmers constantly at their computers may find FIDO keys more applicable as an MFA solution.
- Invest in Top-of-the-Line Solutions: Reputable vendors invest heavily in hardening their products and keeping them usable, so evaluate the vendor before purchasing or activating an MFA control. YubiKeys by Yubico, for example, are considered one of the best MFA hardware solutions on the market. Hardware keys that implement FIDO2/WebAuthn also resist the proxy attack described above, because the browser binds each sign-in assertion to the site origin it is actually connected to, so an assertion captured on a phishing page is useless against the real service.
- Incorporate Contextual Factors: In addition to a second factor, you can evaluate context such as location, the time between logins, or the device’s Internet Protocol (IP) address. For instance, after someone completes the MFA requirement, the system can check that the login comes from an expected geographic area and a known device before granting access.
- Take a Passwordless Route: As we mentioned, take advantage of passwordless authentication, which mitigates certain vulnerabilities and offers users a better experience by not having to manage many passwords.
Supplementing MFA for Enhanced Security and Experience
To secure your technology assets, customer data, and organizational resources, MFA and its best practices should be supplemented with additional controls. For example, combining MFA with single sign-on (SSO) tools lets users securely reach numerous resources with one login. This enhances security, because one well-protected login replaces many weaker ones, and gives users a better experience through streamlined access to their applications and data.
You also want identity, access, and device management systems that track all your devices, users, and login activity. These platforms let administrators require MFA for specific network resources and set contextual rules such as location checks or forced re-authentication after three hours of session time.
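A minimal policy evaluator for the contextual checks mentioned in the best-practices list and in the paragraph above (location, time between logins, device identity, IP address, and forced re-authentication after three hours), included here as an added example rather than code from any product the page discusses. The coordinates, device identifiers, IP addresses and thresholds are constructed for the demonstration; a real deployment would take them from its IP geolocation and device-registration data and tune the thresholds to its own population.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set


@dataclass
class LoginEvent:
    user: str
    ip: str
    lat: float        # approximate location from IP geolocation (assumed input)
    lon: float
    device_id: str    # identifier of the registered device or browser
    when: datetime    # timezone-aware timestamp of the authentication


MAX_SESSION_AGE = timedelta(hours=3)   # force a fresh login after three hours
MAX_TRAVEL_KMH = 900.0                 # faster than an airliner: treat as impossible travel


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    earth_radius = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius * math.asin(math.sqrt(a))


def evaluate(current: LoginEvent, previous: Optional[LoginEvent],
             known_devices: Set[str]) -> List[str]:
    """Return the reasons this login should be challenged or forced to
    re-authenticate. An empty list means the contextual checks passed."""
    reasons: List[str] = []
    if current.device_id not in known_devices:
        reasons.append("unknown_device")
    if previous is not None and previous.user == current.user:
        elapsed = current.when - previous.when
        hours = elapsed.total_seconds() / 3600.0
        distance = haversine_km(previous.lat, previous.lon, current.lat, current.lon)
        # Two logins far apart in space but close in time cannot both be the user.
        if distance > 0 and (hours <= 0 or distance / hours > MAX_TRAVEL_KMH):
            reasons.append("impossible_travel")
        if elapsed > MAX_SESSION_AGE:
            reasons.append("session_expired")
        if previous.ip != current.ip:
            reasons.append("ip_changed")  # weak signal on its own; combine with the others
    return reasons


# Constructed sample data for the demonstration.
KNOWN_DEVICES = {"laptop-7f3a"}
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
LONDON = (51.5074, -0.1278)
NEW_YORK = (40.7128, -74.0060)


def demo() -> dict:
    """Run the evaluator over four constructed scenarios for one user."""
    first = LoginEvent("alice", "203.0.113.10", *LONDON, "laptop-7f3a", T0)
    hop = LoginEvent("alice", "198.51.100.7", *NEW_YORK, "laptop-7f3a", T0 + timedelta(hours=1))
    stale = LoginEvent("alice", "203.0.113.10", *LONDON, "laptop-7f3a", T0 + timedelta(hours=4))
    new_dev = LoginEvent("alice", "203.0.113.10", *LONDON, "phone-19c2", T0 + timedelta(minutes=5))
    return {
        "first_login": evaluate(first, None, KNOWN_DEVICES),
        "impossible_travel": evaluate(hop, first, KNOWN_DEVICES),
        "stale_session": evaluate(stale, first, KNOWN_DEVICES),
        "new_device": evaluate(new_dev, first, KNOWN_DEVICES),
    }


if __name__ == "__main__":
    for scenario, reasons in demo().items():
        print(f"{scenario}: {'allow' if not reasons else 'challenge: ' + ', '.join(reasons)}")
```

The returned reasons are what an access-management platform would feed into its policy: an unknown device or impossible travel should trigger a fresh MFA prompt at minimum, while an expired session simply sends the user back through the full login.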
Incorporate Robust MFA Solutions with Ascension Global Technology
MFA remains a top-tier control to prevent account-related breaches and cut off attack vectors when used properly. Contact us today to speak to an expert and learn about our ecosystem of software providers that can offer an array of MFA solutions for your organization. Also, be sure to check out our blog for industry updates, cybersecurity news, and valuable insights that can help your business improve its program and security posture.