This post has been updated for 2021.
Passwords are the most common authentication tool used by enterprises, yet they are notoriously insecure and easily hackable. But even when passwords are secure, it’s not enough. Recently, hackers leaked 87,000 Fortinet VPN passwords, mostly from companies who hadn’t yet patched a two-year-old vulnerability.
At this point, multi-factor authentication (MFA) has permeated most applications, becoming a minimum safeguard against attacks. End users tend to be careless with passwords, frequently reusing or sharing their passwords.
- What is multi-factor authentication?
- Rise of multi-factor authentication
- MFA can be hacked
- MFA use cases and considerations
- Where to look when MFA isn’t enough
- Zero trust network access
- Passwordless access
- Privileged access management
- Identity access management
In fact, 62 percent of professionals admitted to sharing passwords over text messages or email and 46 percent said their company shares passwords for accounts used by multiple people. When this is happening, it’s clear that organizations either aren’t using MFA or are finding ways around it.
Clearly, MFA can’t work for everything. Let’s take a look at some best practices for using multi-factor authentication and where you should look when it doesn’t fit the bill.
What is multi-factor authentication?
Multi-factor authentication, or MFA, is simply an umbrella term for verifying the identity of end-users with a password and at least one other form of authentication. Initially, security vendors only offered two-factor authentication. Two-factor authentication, called dual authentication or 2FA, added another level to a User ID and password. Since then, security vendors have introduced new methods for authentication, which can be layered to create a multi-factor authentication solution.
MFA incorporates at least two of three authentication methods, according to the PCI Security Standards Council:
- Something you know
- Something you have
- Something you are
An MFA security solution may also incorporate additional factors, such as geolocation data or a time component. Many services now send alerts or require additional authentication when you log into their service from a new device.
There are several options for achieving each method of authentication. Typically, “something you know” is simply a user ID and password, but MFA solutions can also require the end-user to submit a PIN or the answer to a secret challenge question, like the ones you often have to answer on your bank’s website.
“Something you have” traditionally required the use of tokens. A token acts as an electronic cryptographic key that unlocks the device or application, usually with an encrypted password or biometric data. Tokens are generally referred to as either “connected” or “disconnected.” Connected tokens are stored on hardware that holds a cryptographic certificate, key, or biometric data, such as an SD card on a phone, a USB token, tokens kept on smart cards, or an employee key fob. Disconnected tokens are generally only good for one use and can be delivered via RFID or Bluetooth, or users can manually enter them into the computer.
As websites have adopted MFA, “something you have” has expanded to mean the end user’s credit card or mobile phone, called mobile authentication. In mobile authentication, a one-time password (OTP) or PIN is generated and sent to the end user’s smartphone via text, although an added layer of security can be added by using an OTP app, a certificate, or a key stored on the phone. Mobile authentication is often seen as a cheaper and easier alternative to biometric authentication.
Identification by “something you are,” or biometric authentication, relies on either physical or behavioral characteristics. Physical characteristics include retina scans, iris scans, facial recognition, fingerprints, voice recognition, hand geometry, earlobe geometric, or hand vein patterns. Behavioral characteristics include keystroke dynamics, such as measuring the way a user types, how fast, or the amount of pause on a given key. While biometrics can require special equipment, some solutions simply leverage the sensors in smartphones.
Biometrics offers the most secure method of authentication, but there are problems. For example, some people’s fingers don’t always have enough minutiae points for the scanner to pick up, as is the case with workers who do heavy manual work with their hands, burn victims, or people with skin diseases. Attackers can also trick scanners simply by capturing the fingerprint. For more on the pros and cons of biometric solutions, as well as a list of select Biometric vendors, see Biometric Authentication: How It Works.
Passwords alone won’t cut it
The unfortunate reality is that many people are lazy with their passwords, and even when they aren’t, brute force attacks can crack many passwords in less than a day. And social engineering can crack even more considering how many people include the names of their families and birthdays. MFA is the bare minimum for securing networks and applications because passwords alone can be too easily hacked.
The most common form of MFA is two-factor identification, sometimes referred to as dual authentication, two-step verification, or 2FA. Two-factor authentication combines a user ID, password, and at least one of two other methods for ensuring user identification. A common approach to 2FA is to require a one-time password (OTP) sent via SMS to a cell phone or a credit card number.
Twitter, Google, Microsoft, Apple, Facebook, and Amazon all use SMS to support two-factor authentication, although they can also use push notifications on smartphones. Two-factor authentication is also being deployed for mobile security and by Internet of Things companies such as Nest to secure IoT devices.
Rise of multi-factor authentication
In recent years, more companies have turned to multi-factor authentication solutions to address their security and compliance concerns. A 2021 survey found that approximately 49 percent of businesses adopted MFA in reaction to the COVID-19 pandemic. With more employees working from home, their data was more at risk from weaker networks and personal devices.
Stratistics MRC estimates that the global multi-factor authentication market will reach $13.59 billion by 2022, spurred largely by growth in e-commerce, the increase in online transactions, network security threats, and legislative compliance. Banking, financial services, and insurance industries constitute the largest share of adopters, with North America leading adoption, according to Orbis Research.
But despite early adoption rates, businesses are neglecting their cloud environments when it comes to MFA. According to Alexander Weinert, Director of Identity Security at Microsoft, only 11 percent of enterprise cloud users have adopted MFA. And because attackers look for the path of least resistance, that leaves the other 89 percent extremely vulnerable.
MFA can be hacked
While MFA can prevent a lot of attacks, motivated bad actors aren’t going to let one extra layer of protection stop them. And it’s not hard for them to use social engineering to get around it, or else phishing attacks wouldn’t be so popular.
One way attackers have started to circumvent MFA is by calling victims and convincing them that someone has hacked their account. They tell the person they’re going to initiate a password reset on their end. When the victim receives a one-time password, they read that code to the attacker. Then, the attacker has everything they need to take over the account for good.
Alternatively, attackers can intercept text messages or emails meant to deliver your one-time passcodes, preventing you from knowing that anything was amiss. Through channel-jacking, attackers can use a software-defined radio to route incoming messages away from the intended recipient and into their own devices.
MFA use cases and considerations
MFA isn’t just for e-commerce sites or employees. Before adopting a multi-factor authentication solution, consider these other scenarios and issues:
In 2017, New York State introduced new financial regulations requiring banks, insurance companies, and other financial services companies to establish and maintain cyber security programs that meet specific standards — including examining security at third-party vendors. Yet 32 percent of IT professionals don’t evaluate third-party vendors for security, according to a NAVEX Global survey. Don’t be one of them.
Security experts advise IT professionals to protect the entire information pipeline since even fourth-party vendors can present a security risk. One way to mitigate the risk is to require that vendors include multiple authentication methods. Be sure to outline the restrictive use of access and any repercussions for unauthorized or negligent behavior.
More employees are accessing enterprise applications and data remotely, which poses a security risk even with VPNs. Be sure to include VPNs when evaluating MFA solutions. However, as we’ve seen, MFA can be hacked, so employ other security methods with your VPN security in addition to MFA, like zero trust and least privileged access.
MFA for services
VPNs and traditional log-ins aren’t the only way hackers can access corporate data, of course. That’s why companies should consider two-factor authentication for services, advised Veracode co-founder and CTO Chris Wysopal. “If you’ve implemented two-factor authentication for remote access to your company, why aren’t you implementing two-factor authentication with all the services you’re using that also have access to your company’s data?” Wysopal told eSecurity Planet. “Try to keep parity with what you already thought was a good idea to do to yourself.”
We saw the effect third parties can have on data vulnerabilities with the SolarWinds breach in 2020. By accessing the SolarWinds network, the attackers gained a backdoor into thousands of networks using the service. MFA could potentially have added a layer of protection between the end-users and the threat.
Independence of the authentication
If security is a top concern, then look for a solution that offers out-of-band (OOB) authentication. Out-of-band authentication means that the authentication methods are delivered through a different network or channel, which adds another layer to the security. That might be as complex as requiring a physical token or as simple as sending a one-time password (OTP) via text to a smartphone.
One caveat: if the smartphone is also used to submit the OTP, you’ve lost the benefits of out-of-band, since the network is the same. That’s not a small issue, as many employees now use mobile devices to access corporate data, and smartphones can be lost or stolen fairly easily.
Where to look when MFA isn’t enough
As threats adapt, so too do security tools. While MFA can do a lot to protect your network, it won’t be enough for every scenario. MFA can’t protect servers, for example, because they contain too much and have too many entry points. Unlike applications that generally have just one way in (the login screen), servers might have different points of access for admins than they do users or applications.
Additionally, MFA doesn’t work when you’re looking at spoofed login pages, CEO fraud, or links to malware. Because authentication doesn’t matter in these scenarios, it won’t prevent an attacker from stealing your information or infecting your device with malware. Instead, you need other security measures in place to block these actions.
So, what should you have in place when MFA fails?
Zero trust network access
Employees shouldn’t be able to put in a password and access every piece of information on a network. They should only get access to the data and systems they need, and even with that, they’ll need to verify their identity before gaining entry. Zero trust network access (ZTNA) guards both the interior and exterior of a business’s network and keeps sensitive data more secure.
Zero trust protects against internal attacks that MFA can’t stop. Unfortunately, internal employees sometimes seek to use company data for their own gain, and they don’t need to get around MFA because they set it up. But, if ZTNA is in place, the employee won’t be able to access as much data, and they won’t be able to do as much damage. Additionally, abnormal behaviors, like accessing data late at night or from a different location, might automatically lock their account until IT investigates – a feature that’s also useful for stopping account takeovers.
Clearly, passwords aren’t as secure as we’d like, but what’s the alternative? Passwordless authentication works with information that the person has, like biometrics, or something they possess instead of something they know, as it is with password authentication. Key fobs are an example of passwordless access.
It’s easier for individuals to use, meaning they don’t resort to shadow IT practices, and the IT department gets greater visibility into each person’s activity. It can also lower operating costs by reducing the amount of helpdesk resources you spend helping users reset their passwords and the number of successful phishing attempts.
Privileged access management
Privileged access management (PAM) is similar to zero trust in that each employee only gets access to what they need to do their job, but its focus is only on the sensitive data, rather than the network as a whole. Each employee has a different account level depending on how IT expects them to interact with the data and systems the company uses. For example, while an accountant might have privileged access to financial information, they likely wouldn’t get customer records.
PAM limits the number of internal users that have access to sensitive information, so IT can better control its use. Additionally, it applies to both people and applications, helping to protect against third-party vulnerabilities. While PAM may include MFA as a part of authentication, it goes further in providing greater account control and security.
Identity access management
Identity access management (IAM), like PAM, ensures that employees only get access to the information and systems they need, but unlike PAM, it’s not only concerned with sensitive data. Instead, it encompasses all of the systems on the network and provides an audit trail for compliance purposes. IAM provides a single management console that IT can use to monitor the activity on each account and investigate strange behaviors.
IAM, too, often includes MFA, but it doesn’t rely solely on authentication to protect your data. Instead, it uses MFA as the first line of defense and then implements other features to protect beyond the perimeter.
Overall, MFA is a great tool to incorporate into your cybersecurity infrastructure, but it can’t be the only one. It will stop a lot of attacks, especially by bad actors looking for the path of least resistance, but you’ll need other security measures in place to stop motivated attackers. Zero trust, passwordless access, IAM, and PAM are all good options to consider.