
The Importance of Proper Multi-Factor Authentication (MFA) in 2022

By Steven Jakubin | Monday, February 28, 2022 - Leave a Comment

Not just because it is becoming an issue of compliance...


We all know the plot of your typical heist movie – a group of robbers seeks out special bits of information, such as PINs, keycards, fobs, and even biometrics, all to relentlessly gain entry to a secured vault. These vaults use several pieces of privileged information to verify identity, which is a form of multi-factor authentication (MFA) that, much like in the movies, can be implemented in business systems to improve authentication security.

Typical authentication verifies access to a system and its resources by requesting a predefined username and password. However, password verification alone is a single point of failure: if the password is compromised, an attacker can gain unauthorized access to the user’s account and any associated system(s). Google reported in a 2019 consumer study that approximately 52% of users reuse passwords across various accounts. This means a password reused across accounts can easily become an attack vector into the organization. In fact, Verizon reports in their 2019 annual Data Breach Investigations Report that ‘stolen credentials’ led to ~60% of all data breaches that occurred that year – a trend seen in their previous yearly reports.

While the risk of password reuse can be lowered with a solid password policy, a proper MFA implementation can downright prevent unauthorized account access even if the password was compromised to begin with. This is done by requiring users to provide additional verification during logon, usually right after entering the account name and password. Verification is usually done through a token, a special piece of information generated and sent to the user during the logon event, and this is what makes MFA one of the strongest technical controls that can be applied to account security.
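The two-step logon described above, written out as an added example (not code from the original article or from any product it names): the password is checked first, then a one-time code is generated for that logon event, delivered to the user, and accepted only once and only before it expires. The delivery callback is an assumption that stands in for the SMS, e-mail or push channel a real product would use.

```python
import hashlib
import hmac
import os
import secrets
import time

CODE_TTL_SECONDS = 300  # the one-time code is valid for five minutes after the logon attempt


class MfaLogin:
    """Two-step logon: password first, then a one-time code generated for this logon event."""

    def __init__(self, deliver, clock=time.time):
        self.deliver = deliver  # callable(username, code): simulates sending the token to the user (assumed channel)
        self.clock = clock      # injectable clock so expiry can be exercised in tests
        self.users = {}         # username -> (salt, password hash, mfa enabled?)
        self.pending = {}       # username -> (code, expiry) for logons awaiting the second factor

    @staticmethod
    def _hash(password, salt):
        # Salted, iterated hash so a stolen user table does not directly yield passwords
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, username, password, mfa=True):
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(password, salt), mfa)

    def begin(self, username, password):
        """Step 1: verify the password. Returns 'ok' (no MFA), 'mfa_required', or 'denied'."""
        record = self.users.get(username)
        if record is None:
            return "denied"
        salt, stored, mfa = record
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return "denied"
        if not mfa:
            return "ok"  # a password-only account: this is the single point of failure MFA removes
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = (code, self.clock() + CODE_TTL_SECONDS)
        self.deliver(username, code)
        return "mfa_required"

    def complete(self, username, code):
        """Step 2: verify the one-time code. It must match, be unexpired, and is consumed on use."""
        pending = self.pending.pop(username, None)  # single use: discarded even on a wrong guess
        if pending is None:
            return "denied"
        expected, expiry = pending
        if self.clock() > expiry or not hmac.compare_digest(expected, code):
            return "denied"
        return "ok"
```

With a correct password but no access to the delivered code, `complete` never returns "ok", which is the property the article is describing.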


An MFA implementation alone cannot guarantee account security; however, in today’s threat environment, it’s close. Attacks against MFA are so rare that Microsoft was unable to report statistics on them for the past several years. Both Microsoft and Google even boldly claimed in 2019 that ‘MFA can prevent 99.9% of automated attacks’, and while several attack demonstrations have been proven to defeat MFA, these attacks are highly specialized, often requiring the interception of MFA tokens sent between devices. Many modern MFA solutions combat this with end-to-end verification methods, special device trusts, and more to ensure the token is secure and reputable. In fact, MFA improves the trust between systems and users and, if it isn’t already implemented, is a great step towards ‘zero-trust’ architecture goals.

So, as we constantly strive to improve organizational security, consider 2022 as the year to start or improve MFA throughout your organization. See the following considerations when implementing MFA.

MFA Deployment Considerations

What accounts should have MFA enabled?

Identifying and prioritizing MFA on accounts with escalated privileges first, such as domain administrators and/or VPN users, is highly recommended simply due to the level of access these kinds of accounts have. A tiered MFA deployment, or deploying to certain groups over time such as a single department, can allow your team to discover issues early and reduce the strain on internal IT support services when issues arise. Ensure users are notified well in advance of an upcoming MFA deployment.

Additional hardware required?

Implementing MFA with biometric verification or smart cards can require additional hardware not native to your current environment, which can increase initial deployment costs but limits the need for network-based authentication. The same applies to push-based or hardware token authentication, as MFA users will be required to own and maintain smartphones or special fob devices. Anything used for MFA authentication can get damaged, lost, or stolen, which can block account access later. Many solutions support authentication bypass methods for these types of situations, so having operational procedures for special contingencies such as a lost device can reduce downtime.

Which MFA solution should our organization go with?

It depends! At the time of this article, the Duo and Microsoft MFA solutions are a couple of the most popular. Duo can be configured to offer a good user experience with simple push authorizations directly to the user’s phone; however, it can be tricky to configure in a non-cloud environment. Other solutions such as AuthLite and Okta have also proven to be cost-effective MFA solutions for a variety of special use cases. We recommend taking an inventory of the user accounts, systems, and applications within the environment, and seeing whether a solution can meet the security goals of your organization. In certain situations, the use of multiple MFA solutions, e.g. AuthLite and YubiKey on privileged administrator accounts and Microsoft MFA on all standard accounts, can be the best path to a full MFA deployment.


Original article by Steven Jakubin. Data Security Analyst, infotex

