
The Importance of Proper Multi-Factor Authentication (MFA) in 2022

By Steven Jakubin | Monday, February 28, 2022 - Leave a Comment

Not just because it is becoming an issue of compliance. . .


We all know the plot of the typical heist movie: a group of robbers collects special bits of information, such as PINs, keycards, fobs, and even biometrics, all to gain entry to a secured vault. A vault that demands several pieces of privileged information to verify identity is a form of multi-factor authentication (MFA), and, much like in the movies, MFA can be implemented in business systems to improve authentication security.

Typical authentication verifies access to a system and its resources by requesting a predefined username and password. However, a password alone is a single point of failure: if it is compromised, an attacker can gain unauthorized access to the user's account and any associated system(s). Google reported in a 2019 consumer study that approximately 52% of users reuse passwords across accounts, so a password stolen from one service can easily become an attack vector into an organization. In fact, Verizon reports in its 2019 Data Breach Investigations Report that 'stolen credentials' led to ~60% of the data breaches that occurred that year, a trend seen in its previous yearly reports.

While the risk of password reuse can be lowered with a solid password policy, a proper MFA implementation can prevent unauthorized account access even when the password has already been compromised. This is done by requiring users to provide additional verification during logon, usually right after entering the account name and password. That verification is usually a one-time token (a code, a push prompt, or a hardware-key response) generated for that logon event and delivered to something only the legitimate user holds, which is what makes MFA one of the strongest technical controls that can be applied to account security.


An MFA implementation alone cannot guarantee account security, but in today's threat environment it comes close. Successful attacks against MFA are rare enough that Microsoft was unable to report statistics on them for the past several years, and both Microsoft and Google claimed in 2019 that MFA can prevent 99.9% of automated attacks. Several demonstrations have defeated MFA, but these attacks are specialized and typically require relaying or intercepting the MFA token in real time, for example through a phishing proxy that forwards the one-time code or the push approval to the legitimate service. Many modern MFA solutions combat this with origin-bound (phishing-resistant) verification such as FIDO2/WebAuthn security keys, device trust, and similar controls that tie the token to a trusted device and the genuine service. MFA also strengthens the trust between systems and users and, if it isn't already implemented, is a great first step toward 'zero-trust' architecture goals.

So, as we constantly strive to improve organizational security, consider 2022 as the year to start or improve MFA throughout your organization. See the following considerations when implementing MFA.

MFA Deployment Considerations

What accounts should have MFA enabled?

Identify and prioritize MFA on accounts with elevated privileges first, such as domain administrators and VPN users, simply because of the level of access these accounts have. A tiered deployment, rolling MFA out to certain groups over time (a single department, for example), lets your team discover issues early and reduces the strain on internal IT support when issues arise. Ensure users are notified well in advance of an upcoming MFA deployment.

Additional hardware required?

Implementing MFA with biometric verification or smart cards can require hardware not already present in your environment, which increases initial deployment cost but can limit the need for network-based authentication. Push-based and hardware-token authentication carry a hardware dependency too: users must own and maintain a smartphone or a dedicated fob. Anything used for MFA can be damaged, lost, or stolen, which can lock the user out of the account later. Many solutions support recovery or bypass methods for these situations, so having operational procedures for contingencies such as a lost device (including a way to verify the requester's identity before a bypass is granted, since the help desk becomes the weakest factor otherwise) reduces downtime.

Which MFA solution should our organization go with?

It depends! At the time of this article, Duo and Microsoft's MFA offerings are a couple of the most popular. Duo can be configured to offer a good user experience with simple push authorizations to the user's phone, but it can be tricky to configure in an on-premises environment. Other solutions, such as AuthLite and Okta, have also proven to be cost-effective for a variety of special use cases. We recommend taking an inventory of the user accounts, systems, and applications within the environment and checking whether a solution can meet your organization's security goals. In certain situations, using multiple MFA solutions, e.g. AuthLite with YubiKeys on privileged administrator accounts and Microsoft MFA on all standard accounts, can be the best route to a full MFA deployment.


Original article by Steven Jakubin. Data Security Analyst, infotex


