
The Importance of Proper Multi-Factor Authentication (MFA) in 2022

By Steven Jakubin | Monday, February 28, 2022 - Leave a Comment

Not just because it is becoming an issue of compliance. . .


We all know the plot of the typical heist movie: a group of robbers hunts down special bits of information, such as PINs, keycards, fobs and even biometrics, all to gain entry to a secured vault. A vault like that uses several independent pieces of privileged information to verify identity, which is a form of multi-factor authentication (MFA), and the same idea can be applied to business systems to strengthen authentication security.

Typical authentication verifies access to a system and its resources by requesting a predefined username and password. However, the password alone is a single point of failure: if it is compromised, an attacker can gain unauthorized access to the user’s account and any associated system(s). Google reported in a 2019 consumer study that approximately 52% of users reuse passwords across multiple accounts, so a password exposed in one breach readily becomes an attack vector into any organization whose users reused it. In fact, Verizon reports in its 2019 Data Breach Investigations Report that stolen credentials were involved in roughly 60% of the breaches it analyzed that year, a trend also seen in its previous yearly reports.

While the risk of password reuse can be lowered with a solid password policy, a proper MFA implementation can block unauthorized account access even when the password has already been compromised. This is done by requiring users to provide additional verification during logon, usually right after entering the account name and password. That verification is typically a one-time code or approval produced by, or delivered to, a device the user holds at the time of the logon event, and this second, independent factor is what makes MFA one of the strongest technical controls that can be applied to account security.


An MFA implementation alone cannot guarantee account security, but in today’s threat environment it comes close. Attacks against MFA are rare enough that Microsoft has not reported statistics on them for the past several years, and in 2019 both Microsoft and Google boldly claimed that MFA prevents 99.9% of automated attacks. Several demonstrated attacks do defeat MFA, but they are highly specialized and typically depend on intercepting or relaying the one-time code or approval as it passes between the user’s device and the service. Many modern MFA solutions counter this with end-to-end verification, device trust and binding of the token to the legitimate session, so that an intercepted token is not reusable; hardware-backed methods that sign a challenge tied to the site being visited resist relay entirely. MFA strengthens the trust between systems and users and, if it is not already implemented, is a solid first step toward ‘zero-trust’ architecture goals.

So, as we constantly strive to improve organizational security, consider 2022 as the year to start or improve MFA throughout your organization. See the following considerations when implementing MFA.

MFA Deployment Considerations

What accounts should have MFA enabled?

Identify and prioritize accounts with elevated privileges first, such as domain administrators and VPN users, simply because of the level of access those accounts carry. A tiered deployment, enabling MFA for one group at a time such as a single department, lets your team discover issues early and reduces the strain on internal IT support when issues arise. Notify users well in advance of an upcoming MFA deployment.

Additional hardware required?

Implementing MFA with biometric verification or smart cards can require hardware not already present in your environment, such as readers, which raises initial deployment cost but removes the dependence on a network-based authentication step. Push-based and hardware-token authentication have a requirement of their own: users must own and maintain a smartphone or a dedicated fob. Anything used for MFA can be damaged, lost or stolen, which then blocks account access. Most solutions support bypass or recovery methods for these situations, so documented operational procedures for contingencies such as a lost device reduce downtime. Those recovery paths need identity verification of their own, because a recovery process weaker than the MFA it replaces is the path an attacker will take.

Which MFA solution should our organization go with?

It depends! At the time of this article, Duo and Microsoft’s MFA offerings are two of the most popular. Duo can be configured to offer a good user experience with simple push authorizations sent directly to the user’s phone, but it can be tricky to configure in a non-cloud environment. Other solutions such as Authlite and Okta have also proven to be cost-effective for a variety of special use cases. We recommend taking an inventory of the user accounts, systems and applications in the environment, then checking whether a single solution can cover them while meeting your security goals. In some situations a combination, e.g. Authlite with Yubikey on privileged administrator accounts and Microsoft MFA on all standard accounts, is the best route to a full MFA deployment.


Original article by Steven Jakubin. Data Security Analyst, infotex




