The truth is, without multi-factor authentication (MFA), businesses are open to attacks if their employees fall for phishing scams or share passwords, which happens much more than you think (yes in your organisation too).
Compromised credentials are an extremely dangerous threat to any company. Why is that? Once the attacker was able to compromise a set of corporate credentials, he is now in possession of valid credentials to login which makes the attack extremely difficult to detect. It doesn’t matter if you have the best security tools in place, they will not detect any suspicious activity since it will look like a normal login activity. This is why multi-factor authentication (MFA) is so important. It is one of the most robust controls to fight against unauthorised access. Without it, all of the other security measures you have in place can be bypassed.
Unfortunately, despite the fact that this risk is very well known by organisations today, many still don’t take it seriously. Research showed that only 38% used MFA. What’s more worrying is that more recent research shows things haven’t really changed today.
Multi-factor Authentication is not what you think
1. MFA is for businesses of all sizes
Many companies think “my company is too small, I don’t need MFA”. That’s wrong. The data they want to protect is as sensitive as any large enterprise. Any company, small, medium or large, should be using MFA to protect their user accounts. It’s not necessarily complicated, costly or frustrating.
2. MFA should be used to protect all users, not just privileged users
Another assumption is “MFA is only for privileged users”. That’s wrong again. MFA is a security measure that should be used to protect all users in your company. Why? Well, even if they don’t have access to critical information, they still have access to a large amount of information that could be used inappropriately and could end up harming your business. Take a nurse for example, what happens if she decides to sell a celebrity patient’s medical data to a journalist?
There is another reason you should protect all of your users. Attackers usually don’t start with a privileged account. They usually start with an “easy” target and once they get access to your network, they move laterally to find valuable data.
3. MFA is not perfect but it’s close
Perfect doesn’t exist, especially in information security. However, MFA is close. Some recent attacks showed that MFA could be bypassed. The FBI issued a warning about those attacks. Two main authenticator vulnerabilities were found: ‘Channel Jacking’, involving taking over the communication channel that is used for the authenticator and ‘Real-Time Phishing’, using a machine-in-the-middle that intercepts and replays authentication messages. These attacks necessitate a lot of money and efforts according to some experts. Usually, attackers who encounter MFA will switch to an easier target rather than spend time trying to bypass it. Some vulnerabilities can be avoided by choosing MFA authenticators that do not rely on SMS authentication. (The National Institute of Standards and Technology (NIST) discourages SMS and voice in its latest Digital Identity Guidelines).
Despite the recent attacks, the FBI still says that MFA is highly effective.
4. MFA doesn’t have to be disruptive
Employee’s productivity is very important to any organisation and it’s always a challenge to try and balance security and productivity when implementing a new technology. Obviously, if you want the solution to be adopted easily and fast, you need as little disruption as possible. With MFA, you need flexibility and customisation. To do so, you can use MFA in conjunction with contextual controls to improve identity assurance. This means using environmental information to further verify all users’ identity without any disruption.
Compromised credentials can happen to everyone, whether you are a privileged or unprivileged user. This is why multi-factor authentication should be a part of every organisation’s security strategy, regardless of size
