The vital role of multi-factor authentication in your security stack
Stop me if you have heard this story before. A threat actor sends a crafty phishing email. An unsuspecting end user clicks a hyperlink in the email and enters their username and password, unknowingly providing those credentials to the threat actor. The threat actor then uses these credentials to gain access to all sorts of personal or company sensitive information. While this may be a "tale as old as time", it’s still happening today. Literally every day. According to the latest Verizon Data Breach Report, stolen credentials is still the primary way attackers gain access to organizations.
The fact is passwords continue to be a target for threat actors and are becoming increasingly vulnerable to attack. Threat actors leverage techniques like phishing campaigns, brute force attacks, information-stealing malware, and social engineering to gain access to user credentials. End users often contribute to the problem by using easily guessed passwords or reusing the same passwords across multiple accounts making a threat actor’s job easier. The bottom line is putting your data protection hopes into a single username and password is a foolish endeavor when the need for more robust authentication controls is evident.
While there are multiple, layered solutions and strategies to strengthen authentication controls, one of the primary means is through the use of multi-factor authentication (MFA). Traditional single-factor authentication relies solely on a username and password. MFA adds an extra layer of security by requiring users to provide additional forms of authentication. There are many options MFA leverages including a one-time passcode, SMS text, security key, or biometric data. This approach significantly increases the complexity of compromising an account -- even if a threat actor has access to a username and password.
MFA was once reserved for use cases requiring the highest security such as gaining access to sensitive resources or for use with privileged accounts with high levels of access. Not anymore. MFA is of course still leveraged in these situations, but it is now also readily available across organizations and for most online services. It can be enabled for banking websites, healthcare systems, email, social media accounts, etc. In addition to the availability of MFA, we have also seen an increase in the ease of use and integration of it into our daily lives, making the adoption of it more seamless than ever.
So, the real question is does MFA work? Is it effective at reducing account compromise? Absolutely. According to Microsoft, MFA can block over 99.9 percent of account compromise attacks. That’s a staggering number. While that statistic can and has been debated, what can’t be is that it is effective. You may recall the Colonial Pipeline breach from 2021. The attack leveraged a VPN account that wasn’t protected with MFA. Having MFA in place for this account could have prevented this breach and the associated $4.4 million dollar ransom payment. Even with the effectiveness and additional complexity threat actors face with MFA, it is not completely deterring them. As with other security solutions, they continue to show their persistence and creativity to circumvent controls. As demonstrated in recent attacks, they have used a technique known as MFA fatigue, where attackers repeatedly push MFA authentication requests to the target in hopes of having them approve or confirm the request either accidentally or to just make the requests stop. So while MFA isn’t foolproof, it is an incredibly effective means of strengthening your authentication security.
The good news for the security community is MFA adoption continues to grow. Statistics show organizations are increasing the use of MFA. Primary factors driving the growth include securing remote workforce access, continued cloud adoption, increasing compliance requirements, and security best practices to name a few. Even the government has been involved with the Cybersecurity and Infrastructure Security Agency (CISA) making a push for the benefits and use of MFA.
Is MFA a perfect, infallible solution? Absolutely not. Is it a solution that should be a fundamental part of your security strategy? Without question. The reality is that threat actors will continue to target credentials. As such, MFA should be seen as a necessary tool to strengthen your security posture, providing a significant control against unauthorized access, and ultimately helping to safeguard your environment.
Gary Brickhouse is the CISO at GuidePoint Security, and is responsible for all aspects of the company’s information security program, inclusive of building and maintaining GuidePoint’s internal security architecture and control practices. Prior to his current role, Gary led the GRC Services consulting practice at GuidePoint where he was responsible for the development and delivery of GRC service offerings to support GuidePoint’s clients.