Compromised credentials are one of the most common attack vectors used by hackers to infiltrate an organization. Between all of the different apps, services, and devices that people now have to use both professionally and personally, this attack vector has become even more prevalent due to password reuse, which can become a fatal mistake for organizational security.
The unfortunate reality is 61% of people reuse passwords across both work and personal accounts. This means that a single data breach (often on a site that may have nothing to do with your organization) ends up exposing an attack vector everywhere those same credentials are being used. Therefore, organizations must have an additional layer of security in place, particularly for mission critical systems that, if compromised, could cause significant damage.
This is why the perception among IT professionals has developed that multi-factor authentication (MFA or often called 2FA) is more than a tool to consider implementing; MFA is now a tool that is non-negotiable. However, this sentiment is not always shared by executives or end users, who may perceive it as a burden or, at best, an inconvenience that they try to get around. This article highlights the benefits of multi-factor authentication by identifying the types of attacks that MFA can mitigate and how it can protect an organization in terms executives and end users can understand.
Why is MFA Considered an Essential Security Measure for Organizations?
The cybersecurity challenges faced by organizations are more complex than they have ever been before. Conventional security wisdom, still too often built around principles that focus on monitoring and securing the corporate network and building strong perimeter defenses around it, is no longer enough to adequately safeguard an organization’s critical information against mounting threats.
As remote work cements itself as the primary modus operandi for small and medium-sized businesses around the world, security programs will need to shift away from protecting networks, in which employees are inherently trusted once they authenticate, and instead adopt a methodology that trusts nothing and verifies everything. In short: Zero Trust Security and the Domainless Enterprise.
MFA has thus emerged as an essential security measure for organizations, as it provides an additional layer of protection at the end user level that requires them to validate who they are via a second factor (in combination with their password). To successfully bypass this defense, an attacker would need to compromise both the user credentials and the specific means to deliver the second factor for that access transaction; even if one authentication factor is compromised, the other doesn’t automatically follow.
Though not impossible depending on the type of factor used (see more below), this can seriously disrupt an attacker’s plan and dissuade them from spending additional time trying to break through.
What Type of Attacks Can MFA Help Mitigate?
Since multi-factor authentication or two-factor authentication sits inline of every access transaction, it can generally prevent an unauthorized attempt to authenticate against a particular system, be it a web application, device, network, file share, cloud server, and more. As such, it’s presence can mitigate the effectiveness of a variety of common attacks SMEs face regularly.
A phishing attack utilizes a message or email that appears to have been delivered from a trusted organization. Often, the call to action drives the intended victim to provide critical information about themselves or their organizations, which can many times lead to them directly sharing credentials. The stolen credentials are then used to access the targeted system.
Phishing attacks have seen a meteoric rise in recent years. A report from the FBI revealed that phishing was the most common cybercrime in 2020, with incidents nearly doubling from the previous year. This is especially effective with remote workers, who have had to adapt to an increase in digital communication and whose personal and professional online identities have become increasingly intertwined; with some much engagement and work happening online, it’s much easier for someone to let their guard down.
Multi-factor authentication helps to mitigate the fallout from a successful phishing attempt, as the attacker cannot successfully log into the system without the second factor. Since phishing attempts tend to be more automated and targeting “low hanging fruit,” MFA can make it too costly to compromise and thus not worth it for the attacker to pursue.
Another mitigating factor for phishing is to force your users to update their passwords on their device, and not on a website. With a core directory platform and the use of app on a device, this can help to eliminate the chance of being phished as well. Combined with MFA, a password change does not need to become an opportunity to be phished.
Spear phishing is a highly targeted form of phishing that’s focused on a small number of users, usually of higher perceived value. It’s meant to evade automated spam filters that may otherwise block generic phishing attempts. Spear phishing always includes an element of social engineering as well; these attacks are more sophisticated in order to retrieve higher-valued information.
These messages will appear more personal and will reference personal information about the subject (farmed from social media or other online profiles) to appear legitimate. Suddenly that urgent email from the CEO asking for your credentials to access a critical web application doesn’t seem as suspicious as it once had.
Like with phishing attempts, MFA can quickly shut down the momentum of an attacker who successfully spear-phished an unwitting victim. Though the attacker may still continue to pursue the victim, the efforts to get them to share or somehow complete the second factor while they are using the stolen credentials can raise flags quickly and prove very difficult to complete.
Man-in-the-middle attacks can also be highly targeted whereby attackers intercept a network connection to steal data-in-transit. This threat also includes session hijacking which is achieved by stealing the relevant token to compromise an active web session.
Even if the data is encrypted, the attacker could try to decrypt it by somehow tricking the user into installing a malicious certificate. They can then launch the second stage of the attack either through the stolen credentials or session token. MFA mitigates the long term effectiveness of this attack, since the attacker will not be able to leverage the stolen credentials again, and (depending upon the targeted system) may not be able to change the password or remove the MFA requirement without the second factor in hand.
This automated method of attack relies on stolen passwords to try all possible combinations against an account until the right one is found. It preys on users’ habit to use the same or similar passwords across different services, as well as to lean on simple, common or easy-to-guess passwords.
This method might be old but it’s still popular among hackers who operate automated attacks and can be highly effective. These attacks are run through bot networks, allowing attackers to compromise a large number of accounts with minimal manual intervention. MFA stops attacks like these in their tracks.
What Are the Weaknesses of MFA?
No security tool is ever 100% effective at stopping an attack; attackers have the luxury of time and resources to find a way in if they so choose. So, despite the fact that it significantly improves security compared to a single password environment, there are instances where MFA might fail.
For example, one-time passwords (OTPs) or login links sent via email or SMS are a common MFA implementation, and one prone to exploitation. If the end user is tricked into sharing or forwarding that code or link to the attacker, MFA will fail on account of user error. In some cases, attacks are so sophisticated that they actually present a means to enter a valid OTP as part of their spoofed web portal experience, which is immediately scooped up by the attacker and used to authenticate against the real system.
Similarly, malware running on the mobile device or workstation could also enable the attacker to intercept the MFA token. Attackers will use it and social engineering tactics to gain access to their victims’ email so they can facilitate the second factor themselves. It can even be used to block a legitimate user request while the credentials are captured for the attacker to launch an immediate replay. SIM card spoofing is another vulnerability that can limit the effectiveness of MFA on mobile devices when the MFA token is sent via a cellular network.
In general, factors that rely on communication technologies like SMS and email are more easily compromised than those that require a second, “physical” factor, be it an app on a mobile device, a hardware key plugged into a laptop or desktop, or a biometric signature. However, user error is also a scenario in which MFA can fail; if an employee receives a push notification-based MFA alert on their device as an attacker attempts to gain access and they approve the login mistakenly, they will inadvertently open the door for the attacker. Fortunately, modern push notification MFA solutions decrease the possibility of this scenario with thoughtful UX design and the option to deny a login request.
The Top 5 Reasons to Implement MFA as a Security Policy
It can be difficult to implement MFA despite the obvious benefits when stakeholders and end users perceive it as a blocker to their work rather than a means to protect them from a myriad of attacks. The following reasons can be used to make the argument for MFA in terms executives and employees can understand:
1. Protect the organization from weak employee passwords
It’s quite common for employees to not follow the company guidance on setting strong passwords, and IT admins may not have the means to enforce it through technical policies. And when enforced, automated password change requests can confuse and irritate end users, possibly locking them out of their devices or critical applications at inopportune times.
With MFA, there’s an additional layer of security that protects the organization from weak passwords and the habit of some employees to reuse passwords across different services and doesn’t force end users to update their passwords regularly. This argument can be used to convince executives that MFA is the “lesser of two evils” while more effectively protecting the organization as a whole.
2. Remain compliant with data protection regulations
Different states regulate data protection differently. For multinational companies, the added challenge is compliance with the data protection regulations in all countries that they operate in. MFA helps keep organizations in compliance with identity and access management regulations as it is a common requirement across all regulatory frameworks.
3. Simplify the login process for employees
Contrary to popular belief, MFA can actually help simplify the login process for employees, particularly if they’re required to use complex passwords for dozens of individual accounts. This is becoming more common as web applications incorporate complex password requirements into their native authentication measures.
In some cases passwords can be stored in a password vault that supports MFA and logs users into those accounts automatically. However, when MFA is paired with True Single Sign-On (SSO) to provide secure, simplified access to not just web applications, but virtually all IT resources, employees’ lives are made even easier as they only need to remember one set of credentials with one MFA requirement.
4. Prevent unmanaged devices from being used as attack vectors
The increasing reliance on remote work has organizations grappling with the challenge of unmanaged personal devices of employees being used for work. They often don’t have the same degree of protection that company-owned devices do, nor can these devices be monitored for abnormal or anomalous behavior. MFA helps prevent unmanaged devices being used as attack vectors as access to the organization’s data still requires passing secondary authentication. This can be especially powerful when paired with mobile push as the second factor, because it is a completely separate medium that likely will not be compromised even if the personal device has been.
Once again, this can be a compelling argument for executives as they make long term investments in supporting remote work for their employees.
5. Stop cascading failures in their tracks
When MFA is applied to as many devices, applications, and services as possible, it helps stop cascading failures before they get out of control. This helps limit the organization’s overall exposure in the event of a breach. When a compromised account is reused on a device or service that has MFA enabled, the attack ends there.
What is the Best Way to Implement Multi-Factor Authentication?
Passwords are simply insufficient in the modern era for securing access to work resources, which means MFA is now a critical part of identity management. As such, the most effective way to implement and manage MFA is actually directly through your core identity provider. While there are plenty of point solutions out there that offer MFA capabilities and can seem “easy” to adopt, the question many IT organizations are asking is whether adding another solution to manage it is really the best way to go about it, especially if its capabilities are limited to a subset of IT resources.
Before signing up for additional complexity and cost, consider the role MFA will be playing in your organization. Even if your roll out plan is phased, think about the entirety of your environment and the places where MFA can effectively protect end users and the organization as a whole, and investigate solutions that can commit to the entirety of your vision. Nothing hurts an MFA roll out more than one that requires end users to constantly change the factors (and means to create them).
JumpCloud Protect is a free MFA tool that offers both push notifications and time-based one-time passwords (TOTP) as secondary factors for login. It’s designed to provide a seamless MFA experience that doesn’t require you to manage multiple vendors, which can add friction, hike up costs, and jeopardize security. JumpCloud Protect is easy to implement and manage from the JumpCloud Directory Platform, facilitating smooth and secure rollouts.
If you’re new to JumpCloud and ready to get started with JumpCloud Protect, then evaluate JumpCloud today! JumpCloud Free grants admins 10 devices and 10 users free to help evaluate or use the entirety of the product. Once you’ve created your JumpCloud account, you’re also given 10 days of Premium 24×7 in-app chat support to help you with any questions or issues if they arise.