Many IT departments know that enabling multi-factor authentication (MFA) across their access points can increase organizational security.
However, the extra step MFA adds can feel tedious for both end users and admins, leaving some to wonder how effective MFA truly is. Here, we’ll go over what kinds of attacks MFA defends against, how effectively it prevents those attacks, where it falls short, and how admins can use MFA to strengthen their organization’s security posture.
What is Multi-Factor Authentication?
Multi-factor authentication (MFA) works by combining “something you know” (e.g., a password) with “something you have” (e.g., a time-based one-time password, or TOTP, generated by an authenticator app on your phone, or a hardware security key) before granting access to IT resources. Some deployments add “something you are,” such as a fingerprint, as a third category.
At login, users present both factors, and only if both are correct are they granted entry. MFA is far more effective than a password alone because the two factors fail in different ways: a password obtained through phishing or credential stuffing is reusable indefinitely, whereas a TOTP code is derived from a secret stored on the user’s device and expires within seconds. A bad actor holding only the password therefore has to go to much greater lengths to obtain the second factor, and most will not; they move on to the next potential victim.
Two-factor authentication (2FA) is the most common form of MFA, and the terms are often used interchangeably. MFA is an integral component of zero trust security, which asserts that users should present more than just their credentials to gain access to sensitive resources. Its effect is well documented: in a presentation at the RSA Conference in 2020, Microsoft’s director of identity security, Alex Weinert, said 1.2 million Microsoft accounts were compromised in January 2020 alone. Of those compromised accounts, 99.9% were not using MFA.
What Attacks Will MFA Prevent?
MFA primarily prevents any attack that results from a bad actor obtaining or guessing the user’s password. This covers a wide range of cyberattacks, most commonly phishing and spear phishing, automated credential stuffing (replaying passwords from breach dumps), and password-guessing attacks. In Google’s 2019 analysis of account hijacking attempts, a one-time code sent to a recovery phone blocked 100% of automated bots, more than 96% of bulk phishing attempts, and more than 76% of targeted attacks; on-device prompts scored higher still.
Automated credential-stuffing bots are blocked outright because the bot holds only the password and has no way to produce the second factor. Bypassing MFA requires a real-time, hands-on attack: for example, an adversary-in-the-middle phishing page that relays the victim’s one-time code to the real service within its validity window, a SIM swap against the victim’s phone number, or physical access to the user’s device. Each of these costs the attacker far more than spraying passwords, which is exactly why MFA removes most opportunistic attackers from the picture.
What are the Weaknesses of MFA?
Different types of MFA exist, and each offers a different balance of maintenance and security for users and their systems. Most are considerably stronger than a password alone, with SMS one-time passwords (OTPs) being the weakest of the common options.
SMS OTPs are considered weaker than other forms of MFA because the factor is tied to a phone number rather than to a device. A bad actor can impersonate the targeted user, call their mobile carrier, and order a replacement SIM card (a “SIM swap”), have it sent to their own address or PO box instead of the user’s, and then receive the victim’s SMS OTPs directly.
More broadly, no MFA type is impenetrable. TOTP codes and SMS OTPs are both “phishable”: a real-time phishing page can capture a code and use it before it expires, and a six-digit code can be guessed outright if the service does not rate-limit or lock out after repeated failures. Only phishing-resistant methods such as FIDO2/WebAuthn security keys bind the second factor to the legitimate site. Organizations should therefore layer MFA with other controls rather than rely on it alone. By enabling full disk encryption, using SSH keys in place of passwords where possible, configuring remote wipe, and disabling USB ports, IT teams limit what an attacker gains even if one control is bypassed.
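To make the mechanism described above concrete, here is an added example (written for this article, not code from the original post or from any vendor) of how a TOTP second factor is generated and, more importantly, how a service must verify it. The secret, the 30-second step and the six-digit length follow RFC 6238; the drift window, the one-time-use rule and the five-failure lockout are assumed server policy, chosen to show why a six-digit code cannot simply be replayed or enumerated. The Base32 secret is a constructed demo value.

```python
"""
Added example (not from the original article): a minimal RFC 6238 TOTP
generator plus a server-side verifier that enforces the checks needed so
that a 6-digit code cannot be guessed, replayed, or reused after phishing.
"""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length shown by most authenticator apps
WINDOW_STEPS = 1    # accept one step before/after for clock drift (assumed policy)
MAX_FAILURES = 5    # lockout threshold (assumed policy, not from the article)

# Constructed demo secret in Base32, the form embedded in an enrolment QR code.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at // step))


class TotpVerifier:
    """What the service side must do: drift window, one-time use, failure lockout."""

    def __init__(self, secret_b32: str) -> None:
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.last_accepted_step = -1   # any step at or before this is rejected (replay)
        self.failures = 0

    def verify(self, code: str, at: float) -> bool:
        if self.failures >= MAX_FAILURES:
            return False               # locked out: the 10^6 code space cannot be enumerated
        current = int(at // STEP_SECONDS)
        for step in range(current - WINDOW_STEPS, current + WINDOW_STEPS + 1):
            if step <= self.last_accepted_step:
                continue               # code for this step was already consumed
            # Constant-time compare so timing does not leak matching digits.
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                self.failures = 0
                return True
        self.failures += 1
        return False


def demo() -> dict:
    """Walk through the three properties: valid code, replay, lockout."""
    now = 1_000_000.0                             # constructed timestamp
    secret = base64.b32decode(DEMO_SECRET_B32)
    code = totp(secret, now)
    v = TotpVerifier(DEMO_SECRET_B32)
    first = v.verify(code, now)                   # fresh code: accepted
    replay = v.verify(code, now)                  # same code again: rejected
    locked = TotpVerifier(DEMO_SECRET_B32)
    for _ in range(MAX_FAILURES):
        locked.verify("xxxxxx", now)              # attacker guessing
    after_lockout = locked.verify(totp(secret, now), now)  # even the right code fails
    return {"first": first, "replay": replay, "after_lockout": after_lockout}


if __name__ == "__main__":
    print(demo())
```

The `hotp` function reproduces the RFC 4226 test vectors (the ASCII secret `12345678901234567890` gives `755224` for counter 0 and `287082` for counter 1), so it can be checked against any authenticator app. The verifier is where the security lives: without the replay check, a phished code remains valid for the rest of its time step, and without the lockout counter an attacker can try the whole six-digit space in under a million requests.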
Perhaps the most commonly cited weakness of MFA is the inconvenience it presents to users. Most would prefer to authenticate with credentials alone, since that is quicker than retrieving a TOTP code from a separate authenticator app.
However, the security MFA provides far outweighs the inconvenience. According to Microsoft’s analysis of its own sign-in data, accounts that have MFA enabled block more than 99.9% of automated account compromise attempts. Requiring MFA helps organizations safeguard their users, applications, networks, and systems from the most frequent cyberattacks.
How to Enforce MFA
Multi-factor authentication’s weaknesses are far overshadowed by its effectiveness in blocking a large share of attacks. Organizations looking to require MFA on all access points may find value in JumpCloud® Directory-as-a-Service® (DaaS).
DaaS gives admins built-in MFA that applies to nearly all IT resources, such as VPNs, applications, and systems, including macOS®, Linux®, and Windows®. With included tools such as full disk encryption, self-service password reset on users’ machines, remote wipe, and USB lock, admins can layer further protection against more evolved threats such as phishing attempts and brute force attacks. JumpCloud’s approach of handling password resets on the machine rather than through a website also reduces exposure to credential phishing, since users are not trained to type their password into a web page that a look-alike site could imitate. Combined with MFA, this helps keep identities secure.