Multifactor authentication is one of the most effective controls your organization can implement to prevent access. The truth is, without MFA, all of the other security measures you might have in place can be bypassed.
Poor login security is one of the most potentially dangerous threat to a business. A recent report found that 81% of hacking-related breaches leveraged either stolen or weak passwords. The challenge behind those attacks is that the hacker is in possession of stolen but valid credentials. Knowing that, why would any of your security tools detect anything suspicious? When someone logs in, your tools and solutions assume that the person who’s logging in is who they claim to be.
This threat is well known to businesses, but many still do not take password security seriously enough. According to a survey we conducted a few years ago, only 38% of organizations were using MFA. Unfortunately, we can see that things haven’t much changed today according to recent research.
Multifactor Authentication is perceived the wrong way
- Multifactor Authentication benefits large enterprises, not SMBs
That’s what many businesses think but they’re wrong. Any company, regardless of size, can benefit from using MFA and should be using it as part of their security strategy. Think about it, whether your organization is a small-to-medium sized business (SMB) or a large enterprise, the data you want to protect is as sensitive. You need to understand that MFA doesn’t have to be complicated, costly or frustrating!
- MFA is just for privileged users
Many businesses also think that MFA should be used only to protect privileged users and because they don’t have any, they believe they don’t need MFA. Well, they’re wrong again. Those businesses need to understand that even though their users don’t have access to critical data, they still have access to information that can harm the company if inappropriately used. For example, if a nurse decides to sell a celebrity’s patient to a journalist, you can see how this data is valuable and could hurt the company.
Additionally, the majority of cybercriminals don’t start with a privileged account, they usually start with any account that falls for phishing scams and move laterally within the network.
- MFA is not perfect
That is true, just like any other solution. However, MFA is close. Last month, the FBI issued a warning regarding recent attacks where hackers could bypass MFA. Two main authenticator vulnerabilities were found: ‘Channel Jacking’, involving taking over the communication channel that is used for the authenticator and ‘Real-Time Phishing’, using a machine-in-the-middle that intercepts and replays authentication messages. This type of attack requires high costs and effort according to experts. Usually, attackers who encounter MFA will prefer to switch to their next target rather than trying to circumvent this measure. To avoid certain vulnerabilities, you should start by choosing MFA authenticators that do not rely on SMS authentication. (The National Institute of Standards and Technology (NIST) discourages SMS and voice in its latest Digital Identity Guidelines).
The FBI maintains that MFA is highly effective and that it’s a simple step to improve security.
- MFA is disruptive
Not necessarily. It’s always a challenge when you want to implement a new solution, you want as little disruption as possible. If the new technology is too disruptive, adoption will be very slow or even stopped. This is why flexibility is key when using MFA. The best way to avoid any disruption is to customize MFA to your own needs.
Stolen credentials can happen to anyone which is why MFA should be part of every organization’s security strategy, whether SMB or large enterprise.
François Amigorena is the founder and CEO of IS Decisions, and an expert commentator on cybersecurity issues.