The influential Data Breach Investigation Report (DBIR) of 2020 found that phishing and stolen passwords continue to be the top ways that cyber criminals compromise identities in order to gain malicious access to networks and systems. Over 80 percent of hacking breaches involve brute force or the use of lost or stolen credentials, and with the rise of websites like IntelligenceX, access to compromised accounts has never been easier.
The combination of username and password as the primary method of gaining access to critical systems is inherently flawed. A more secure method, Multi-Factor Authentication (MFA), is a technology that has been with us for over two decades, yet adoption rates within businesses are still relatively low. Emerging technologies like Fast IDentity Online (FIDO) security keys have even lower adoption rates, even though they offer the gold standard of identity protection and do away with many of the common “…it’s a hassle!” objections that arise as part of a typical MFA deployment.
MFA is used to ensure that digital users are who they say they are by requiring that they provide at least two pieces of evidence to prove their identity. Each piece of evidence must come from a different category: something they know, like a password; something they have, such as a card and reader or a hardware token; or something they are, which includes biometrics. The protection principle is simple. If one of the factors has been compromised by a hacker or unauthorised user, the chance that another, independent factor has also been compromised is low, so requiring multiple authentication factors provides a higher level of assurance about the user’s identity.
Looking at our client base alone, possibly 20 percent have adopted the practice – although there has been a boost recently during the COVID-19 pandemic and the work-from-home shift. Yet MFA is still not as widely deployed as, say, malware protection – even though identity compromise features in more successful attacks than viruses or other malware.
The reasons why MFA is overlooked primarily stem from a lack of awareness of the benefits and the assumption that it is going to be expensive and complex – an assumption based in part on the physical tokens popular in the 1990s, which were both. Yet, with Microsoft’s recent push to offer basic MFA (almost) for free as part of its enterprise licencing, MFA should be higher up the priority list for IT managers who are concerned about the whole host of security issues related to weak passwords and credential misuse.
It is worth keeping in mind that even though some MFA is better than none, not all second factors (after a password) are made equal. A One-Time Passcode sent by text message (SMS) to the smartphone of a user attempting to sign in to a digital service is a popular factor due to its simplicity and the ubiquity of mobile phones. However, this is not without some risk, as telephone numbers can be “cloned” or stolen (for example through SIM swapping) – but the number of reported cases can be counted on a couple of hands.
Levels of protection
Free solutions such as Microsoft’s MFA for Office 365, also called Azure AD Multi-Factor Authentication, offer a basic set of core features including mobile app-based authentication factors, but lack geographic restrictions or alerting unless you upgrade to paid tiers.
Management is through the Office 365 or Azure AD portal, but the myriad of administrative pages and settings can prove challenging to manage if you have a more complex environment. However, it can dramatically improve security, with Microsoft and others citing up to 99.9% of identity-based attacks being stopped by MFA. If you have the time and patience to set it up, it will deliver a robust MFA solution that is seamless for users.
If you have a more challenging environment or critical applications that require stricter security controls, then there are a whole host of vendors such as Ping, Duo, RSA and half a dozen more that offer polished configuration and management tools along with extended factors like FIDO security keys to keep out even the most sophisticated threat actor. To support their administrators, these vendors provide detailed integration guides for common platforms such as Salesforce or Dropbox along with services like VPNs. These products also come with integrations for other security tools such as logging and SIEM, which give security teams a single-pane-of-glass view of their users’ activity. Costs vary from £5 to as much as £50 per user per month depending on which features and integrations are required.
However, it is worth noting that deploying MFA is not just a point-and-click project. One of the biggest challenges is confirming that you start with high-quality identity data. That means ensuring that staff directories are current and accurate. Even though MFA will mitigate a significant portion of a business’s identity-based risk, administrators should be aware that most MFA onboarding processes use self-provisioning tools: if email accounts have been compromised, or are still being accessed by staff who have left, then whoever controls those mailboxes can complete the enrolment, and the MFA process itself is compromised during the initial roll-out.
As such, before embarking on any MFA project, it is wise to run a company-wide audit. This should include identifying all staff details, including a valid mobile phone number if you plan to use SMS-based authentication. It is also crucial to map who has access to which applications so that MFA can be enabled in a more surgical fashion, starting with the accounts that reach the most sensitive systems. For larger organisations, this likely means working with the human resources department to validate identities – which is more challenging now with widespread working from home due to the COVID-19 pandemic.
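A pre-rollout audit of the kind described above, as an added example that is not part of the original article: it cross-checks a constructed directory export against an HR roster (the sample data, field names and the high-risk application list are all assumptions), flags accounts that must be fixed before self-enrolment opens, and orders the remaining accounts so that those with access to sensitive applications receive MFA in the first wave.

```python
import re
from dataclasses import dataclass, field

# Constructed sample data; the field names are assumptions, not a real directory schema.
HR_ROSTER = {"alice@example.com", "bob@example.com", "carol@example.com"}
HIGH_RISK_APPS = {"vpn", "finance"}            # applications to cover in the first MFA wave
E164 = re.compile(r"^\+[1-9]\d{7,14}$")        # international mobile number format for SMS


@dataclass
class Account:
    upn: str            # user principal name / sign-in address
    enabled: bool       # account still able to sign in
    mobile: str         # mobile number held in the directory (may be empty)
    apps: frozenset = field(default_factory=frozenset)   # applications the account can reach


DIRECTORY = [
    Account("alice@example.com", True, "+441234567890", frozenset({"vpn", "email"})),
    Account("bob@example.com", True, "07700 900123", frozenset({"email"})),      # local format
    Account("carol@example.com", False, "+441234567891", frozenset({"finance"})),
    Account("dave@example.com", True, "+441234567892", frozenset({"finance", "vpn"})),  # left
]


def audit(directory, roster):
    """Return {upn: [issues]} for accounts that must be fixed before self-enrolment opens."""
    issues = {}
    for acc in directory:
        found = []
        if acc.enabled and acc.upn not in roster:
            found.append("enabled but not on HR roster; disable before rollout")
        if acc.upn in roster and not acc.enabled:
            found.append("current staff but account disabled; confirm with HR")
        if acc.upn in roster and not E164.match(acc.mobile or ""):
            found.append("mobile number missing or not in +country format for SMS factor")
        if found:
            issues[acc.upn] = found
    return issues


def rollout_waves(directory, roster):
    """Order current, enabled accounts so those touching high-risk apps get MFA first."""
    live = [a for a in directory if a.enabled and a.upn in roster]
    first = sorted(a.upn for a in live if a.apps & HIGH_RISK_APPS)
    later = sorted(a.upn for a in live if not (a.apps & HIGH_RISK_APPS))
    return first, later


if __name__ == "__main__":
    for upn, found in audit(DIRECTORY, HR_ROSTER).items():
        print(upn, "->", "; ".join(found))
    print("wave 1:", rollout_waves(DIRECTORY, HR_ROSTER)[0])
```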
For larger organisations, setting up MFA from nothing is probably a multi-month project, but once it is up and running, most of the day-to-day management tasks are trivial due to the self-service nature of the interface. In terms of effectiveness, a 2019 paper from the SANS Institute estimated that 73 percent of passwords are duplicates and that most attacks are automated using lists of stolen email addresses and passwords. MFA, even the most basic sort, will effectively stop this kind of automated breach and make your organisation safer for only a modest investment.