
The Importance of Proper Multi-Factor Authentication (MFA) in 2022

By Steven Jakubin | Monday, February 28, 2022 - Leave a Comment

Not just because it is becoming an issue of compliance. . .


We all know the plot of the typical heist movie: a crew of thieves hunts down several pieces of privileged information, such as PINs, keycards, key fobs, and even biometric data, in order to get into a secured vault. That vault verifies identity with more than one piece of evidence, which is a form of multi-factor authentication (MFA), and the same idea can be applied to business systems to improve authentication security.

Typical authentication grants access to a system and its resources after the user presents a predefined username and password. Password verification alone, however, is a single point of failure: if the password is compromised, an attacker gains access to the user's account and to any system that trusts it. Google reported in a 2019 consumer study that approximately 52% of users reuse passwords across multiple accounts, so a password leaked from one breached site can easily become an attack vector into an organization. In fact, Verizon's 2019 Data Breach Investigations Report attributes roughly 60% of the breaches it examined that year to stolen credentials, a trend also seen in its earlier annual reports.

While the risk of password reuse can be lowered with a solid password policy, a proper MFA implementation can stop unauthorized account access even when the password has already been compromised. It does so by requiring the user to present additional proof during logon, usually right after entering the account name and password. That proof is typically a one-time code or token generated for that specific logon event, such as a six-digit time-based code from an authenticator app, a push approval on an enrolled phone, or a response from a hardware key. An attacker who holds only the password cannot produce it, which is what makes MFA one of the strongest technical controls that can be applied to account security.


An MFA implementation alone cannot guarantee account security, but in today's threat environment it comes close. Microsoft has said it sees so few successful attacks against MFA-protected accounts that it has been unable to report meaningful statistics on them, and in 2019 both Microsoft and Google stated that MFA blocks 99.9% of automated account attacks. Several demonstrations have shown MFA being defeated, but those attacks are specialized and generally depend on intercepting or relaying the one-time token between devices, for example by tricking the user into typing a code into a real-time phishing proxy, or by wearing the user down with repeated push prompts until one is approved (SMS-delivered codes are the weakest factor in this respect). Modern MFA solutions counter this with phishing-resistant, origin-bound methods such as FIDO2/WebAuthn security keys, number matching on push prompts, and device trust, so the token is both protected in transit and verifiably tied to the legitimate user and site. MFA also strengthens the trust relationship between systems and users and, if it is not already in place, is a practical first step toward 'zero trust' architecture goals.

So, as we constantly strive to improve organizational security, consider 2022 as the year to start or improve MFA throughout your organization. See the following considerations when implementing MFA.

MFA Deployment Considerations

What accounts should have MFA enabled?

Identify and prioritize MFA for accounts with elevated privileges first, such as domain administrators and VPN users, simply because of the level of access those accounts carry. A tiered rollout, enabling MFA for one group at a time (a single department, for instance), lets your team discover problems early and limits the strain on internal IT support when issues arise. Make sure users are notified well in advance of an upcoming MFA deployment.

Additional hardware required?

Implementing MFA with biometric verification or smart cards can require hardware, such as readers, that is not already present in your environment, which raises initial deployment costs but reduces dependence on network-based authentication. Push-based and hardware-token methods carry their own requirement: users must own and maintain a smartphone or a dedicated fob. Anything used as an authentication factor can be damaged, lost, or stolen, which locks the user out later. Most solutions offer bypass or recovery methods for these situations, so having operational procedures for contingencies such as a lost device reduces downtime. Those bypass paths are themselves a target, so issue them only after the help desk has verified the requester's identity, keep recovery codes single-use and stored hashed, time-limit any temporary bypass, and log every use of one.

Which MFA solution should our organization go with?

It depends! At the time of this article, Duo and Microsoft's MFA offerings are two of the most popular. Duo can be configured to give a good user experience with simple push approvals sent directly to the user's phone, but it can be tricky to configure in an on-premises, non-cloud environment. Other solutions such as AuthLite and Okta have also proven to be cost-effective for a variety of specialized use cases. We recommend taking an inventory of the user accounts, systems, and applications in your environment and then checking whether a given solution can meet your security goals. In some situations a mix of MFA solutions, for example AuthLite with YubiKeys on privileged administrator accounts and Microsoft MFA on all standard accounts, is the most practical route to a full MFA deployment.


Original article by Steven Jakubin, Data Security Analyst, infotex.


