You Are the Weakest Link: Why Admin MFA Is Essential

The Low-Effort, High-Impact Solution to Exponentially Better Security

Written by Kate Lake on February 16, 2024


Cybersecurity attacks are continuously on the rise, which can make security feel like a losing battle. Most IT professionals feel the pressure: 56% of IT professionals working at small or medium-sized enterprises (SMEs) are more concerned about their organization’s security now than they were six months ago (see JumpCloud’s 2024 study). In fact, SME IT professionals named security as their top challenge in 2024, 2023, and 2022.

These concerns can prompt us to reflect on our own environments. How much can we really protect? The variety, speed, and severity of attacks can make it feel like security falls outside of our control. 

While there will always be factors that we can’t control, there are quite a few things that we can. And some of the biggest security impacts you can make come from small actions. 

What Can You Control? 

Fortunately, there are many areas of security that you can control. The most important ones are the core elements of your IT infrastructure: identities, access, and devices. 

Recent data shows that IT professionals are maximizing their influence on the security of these elements:

  • The percentage of SME IT professionals that centrally manage employee access to all accounts increased from 31% in April of 2023 to 51% in January of 2024. 
  • Two-thirds of organizations (66%) now require the use of biometrics for employee authentication (up from 55% in April 2023).
  • Single sign-on (SSO) adoption remains steady at an 87% adoption rate among SMEs. Over a third (35%) have deployed it across the entire organization (versus 26% in April 2023).
  • SME IT professionals strongly prefer centralized IT management. Centralizing IT infrastructure can improve security by cutting out brittle integrations, undersecured vendors, and telemetry blind spots. It also reduces friction and improves holistic management by granting users managed access to more of (ideally, all) the tools they need to do their work. 

While centralized environments improve security, they also carry a greater burden of security checks, particularly for admins. In a centralized environment, admin accounts are the keys to the kingdom. This makes them prime targets for cyberattackers. Without the right security, admin accounts are critical weak points in your defenses.

Where Are Your Gaps?

Although the IT industry is making significant strides in securing authentication and access, there are still some gaps. Recent data suggests that admins may not be sufficiently securing their own accounts. A large majority (83%) of IT professionals said that they required MFA across all employees’ accounts. Yet, 83% also said that they allow access to at least some resources via password-only authentication. 

One interpretation of this data is that IT admins are leaving their own accounts underprotected, focusing their security efforts (and time) on protecting the less-savvy average user instead. This may be because admins assume they know enough to create strong passwords and keep their accounts secure. However, no password on its own is as strong as a password protected by MFA.
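The gap described above (MFA "required everywhere" while some resources still accept a password alone) is easy to miss because the two policies live in different places: the identity provider enforces MFA per account, while individual resources decide which login methods they accept. The following is an added example, not JumpCloud's code or the study's method, that audits a small constructed inventory of accounts and resources and lists every account that can still reach a resource with a single factor, privileged accounts first. The account and resource records, the three method names ("sso", "password", "password+mfa") and the field names are all assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    username: str
    is_admin: bool
    mfa_enforced: bool  # identity provider requires a second factor for this account


@dataclass(frozen=True)
class Resource:
    name: str
    auth_methods: frozenset  # subset of {"sso", "password", "password+mfa"} (assumed labels)
    members: frozenset       # usernames granted access


def weakest_path(acct: Account, res: Resource):
    """Return (factor_count, method) for the weakest login path this account may use
    on this resource. A local 'password' login bypasses the identity provider entirely,
    so it counts as one factor even when the IdP enforces MFA for the account."""
    paths = []
    for method in res.auth_methods:
        if method == "sso":
            paths.append((2 if acct.mfa_enforced else 1, "sso"))
        elif method == "password":
            paths.append((1, "password"))
        elif method == "password+mfa":
            paths.append((2, "password+mfa"))
        else:
            raise ValueError(f"unknown auth method {method!r}")
    return min(paths)


def find_mfa_gaps(accounts, resources):
    """List (username, resource, weakest method, is_admin) for every single-factor path."""
    by_name = {a.username: a for a in accounts}
    gaps = []
    for res in resources:
        for user in res.members:
            acct = by_name[user]  # an unknown member would be a finding in itself
            factors, method = weakest_path(acct, res)
            if factors < 2:
                gaps.append((user, res.name, method, acct.is_admin))
    # privileged accounts first, then by user and resource name
    gaps.sort(key=lambda g: (not g[3], g[0], g[1]))
    return gaps


def summarize(gaps):
    """Count gaps on admin accounts separately from ordinary user accounts."""
    return {
        "admin": sum(1 for g in gaps if g[3]),
        "user": sum(1 for g in gaps if not g[3]),
    }


# Constructed sample inventory (not real data).
ACCOUNTS = [
    Account("alice", is_admin=True, mfa_enforced=True),
    Account("bob", is_admin=True, mfa_enforced=False),
    Account("carol", is_admin=False, mfa_enforced=True),
]
RESOURCES = [
    Resource("directory-console", frozenset({"sso"}), frozenset({"alice", "bob"})),
    Resource("legacy-vpn", frozenset({"password", "sso"}), frozenset({"alice", "carol"})),
    Resource("payroll", frozenset({"password+mfa"}), frozenset({"carol"})),
]

if __name__ == "__main__":
    found = find_mfa_gaps(ACCOUNTS, RESOURCES)
    for user, res, method, is_admin in found:
        role = "ADMIN" if is_admin else "user"
        print(f"{role:5} {user:6} -> {res:18} single factor via {method}")
    print(summarize(found))
```

Note that alice shows up even though the identity provider enforces MFA for her: the VPN still accepts a local password, so her admin account is exposed through that resource regardless of the IdP policy. That is the situation the survey numbers hint at, and it is only visible when the audit walks resources as well as accounts.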

The Pitfalls of the Password

Passwords have long been criticized for being insecure (case in point: check out this critique on password security from 1995). Surprisingly, however, 68.6% of SME IT professionals believe that password-only authentication provides adequate protection for their organization’s accounts. 

But passwords present too many vulnerabilities to be secure on their own. The following are some of the most common security pitfalls of password-only authentication: 

  • They’re hard to remember. The average user has too many passwords to remember on their own. This makes them likely to use the same password in multiple places. In these cases, one password breach can compromise multiple accounts. 
  • Users choose easy-to-guess passwords. With so many passwords to keep track of, the average user will use easily guessable passwords instead of passwords that are long and complex, as recommended by password best practices. 
  • Users often store their passwords insecurely. Even organizations are guilty of this (we’ve all seen WiFi passwords written on the office whiteboard).
  • Password-only authentication doesn’t protect against phishing. If a user hands over their password in a phishing scam, there are no additional protections to prevent account compromise.

Admins may know better than to commit some of these errors. However, some password compromise vectors fall outside of their control. MFA protects against such uncertainties by layering authentication. No matter how long or complex, passwords provide one layer of authentication. MFA provides two.

Why Layering Admin Accounts with MFA Is Critical to Security 

When we assess the impact of a security implementation, we should first assess the risk that it mitigates, and how well it mitigates that risk. Risk assessments break down into two key factors: 

  1. Severity: How severe is the effect of a potential risk? 
  2. Likelihood: How likely is it to happen? 

Let’s apply this to MFA.

First, we’ll examine the severity of the potential risk that MFA mitigates: account compromise via password authentication. The consequences of a compromised account can be severe and far-reaching. Breaches often spread, whether through lateral movement, re-used credentials across accounts, or an attacker gaining access to an account with widespread privileged access. A single stolen password can enable a breach that damages a company’s valuation, reputation, and revenue. It can even drive a company out of business. 

Second, we’ll examine the likelihood of account compromise via password authentication. Unfortunately, password compromise is fairly likely for password-only authentication. Stolen credentials are the most common entry point in a data breach, and increasing sophistication in attack methods increases the odds of compromise. For example, a 2023 study tested humans against AI-written phishing emails. 78% of people opened the emails and 65% disclosed personal information, including passwords. 

In short, MFA protects against a risk that is both very likely and very severe. This makes it a critical security implementation. 

How Well Can MFA Mitigate the Risk? 

According to the U.S. National Cybersecurity & Infrastructure Security Agency (CISA), “Users who enable MFA are significantly less likely to get hacked.” Essentially, MFA adds a layer that a bad actor can only crack if they have possession of something like the user’s device, email account, or biometrics. This makes password compromise significantly less likely. 

In short, MFA is the best way to prevent hackers from using a compromised password. MFA is strongest when it requires you to provide a trifecta of secure factors:

  1. Something you KNOW, like a password.
  2. Something you HAVE, like a second factor.
  3. Something you ARE, like the combination of your identity and managed device (via device-based authentication, for example).

Why Focus on Admins? 

Simply put: admins hold privileged access to most or all of an organization’s accounts, making them a key target for attackers. Further, an attack on an admin’s account could have more dire consequences, as it could grant attackers access to the most protected and high-value accounts and information. 

These factors add to both the likelihood and severity of an attack on admin credentials. Thus, adding another layer of security to an admin’s password can exponentially improve the organization’s security.

MFA: The Low Effort, High Impact Solution

In addition to having a high impact on security, implementing MFA on admin accounts can be fast, easy, and cost-effective. JumpCloud, for example, offers an admin-friendly and user-friendly means for implementing MFA everywhere. While many platforms require different components or add-ons to enact MFA across all your resources, JumpCloud allows you to implement MFA environment-wide, all from the cloud. And because we recognize the importance of admin account security, JumpCloud defaults to requiring MFA on admin accounts.

JumpCloud MFA is easy to set up, making it a truly low-effort way to enhance your organization’s security. Learn more about how JumpCloud enables MFA for admin accounts.

Kate Lake

Kate Lake is a Senior Content Writer at JumpCloud, where she writes about JumpCloud’s cloud directory platform and trends in IT, technology, and security. She holds a Bachelors in Linguistics from the University of Virginia and is driven by a lifelong passion for writing and learning. When she isn't writing for JumpCloud, Kate can be found traveling, exploring the outdoors, or quoting a sci-fi movie (often all at once).
