Not just because it is becoming an issue of compliance...
We all know the plot of the typical heist movie: a crew of robbers hunts down several separate pieces of access information, such as PINs, keycards, key fobs, and even biometrics, all to break into a secured vault. A vault that demands several independent proofs of identity before it opens is practicing multi-factor authentication (MFA), and, much like in the movies, the same approach can be applied to business systems to strengthen authentication.
Typical authentication grants access to a system and its resources by checking a predefined username and password. Password verification alone is a single point of failure: if the password is compromised, an attacker gains access to the user's account and every system tied to it. Google reported in a 2019 consumer study that roughly 52% of users reuse passwords across accounts. A password reused on a third-party site that later suffers a breach therefore becomes a ready-made attack vector into the organization (attackers automate this as credential stuffing). Verizon's 2019 Data Breach Investigations Report likewise lists stolen credentials among the leading actions behind the breaches it analyzed, a trend seen in its previous yearly reports.
Sound password policy lowers the risk of reuse, but a proper MFA implementation can stop unauthorized access even after the password itself has been compromised. It does this by requiring a second proof during logon, usually immediately after the account name and password are entered. That proof is typically a short-lived code or prompt generated for that specific logon and delivered to something only the user possesses (an authenticator app, a phone, or a hardware token), so a stolen password on its own is no longer enough. This is what makes MFA one of the strongest technical controls available for account security.
MFA alone cannot guarantee account security, but in today's threat environment it comes close. Microsoft reported in 2019 that over 99.9% of the compromised accounts it observed had no MFA enabled, and both Microsoft and Google published findings that year that MFA blocks the vast majority of automated account attacks. Techniques that defeat MFA do exist: adversary-in-the-middle phishing proxies relay the user's one-time code to the real site in real time, SIM swapping captures SMS codes, and repeated push prompts can wear a user down into approving an attacker's logon. Modern MFA solutions counter these with phishing-resistant, origin-bound credentials (FIDO2/WebAuthn security keys and platform authenticators), number matching on push prompts, and device trust checks, so the factor cannot simply be replayed from another device. MFA also strengthens the trust between users and systems and, if it isn't already in place, is a solid first step towards 'zero-trust' architecture goals.
So, as we constantly strive to improve organizational security, consider 2022 as the year to start or improve MFA throughout your organization. See the following considerations when implementing MFA.
MFA Deployment Considerations
What accounts should have MFA enabled?
Identify and prioritize accounts with elevated privileges first, such as domain administrators and VPN users, simply because of the level of access those accounts carry. A tiered deployment, rolling MFA out to one group at a time (a single department, say), lets your team discover issues early and reduces the strain on internal IT support when problems surface. Ensure users are notified well in advance of an upcoming MFA deployment.
Additional hardware required?
Biometric verification or smart cards can require hardware not already present in your environment, which raises the initial deployment cost, though these methods have the advantage of not depending on a code delivered over the network. Push-based and hardware-token methods carry their own requirement: users must own and maintain a smartphone or a dedicated fob. Anything used as an MFA factor can be damaged, lost, or stolen, which locks the user out of the account. Most solutions support bypass or temporary-access codes for these situations, so having a documented operational procedure for contingencies such as a lost device reduces downtime. That bypass path must still verify the caller's identity properly; a help-desk reset that anyone can request by phone undoes the MFA it is meant to support.
Which MFA solution should our organization go with?
It depends! At the time of this article, Duo and Microsoft's MFA offerings are two of the most popular. Duo can be configured for a good user experience with simple push approvals sent directly to the user's phone, but it can be tricky to configure in a non-cloud environment. Other solutions such as AuthLite and Okta have also proven cost-effective for a variety of special use cases. We recommend taking an inventory of the user accounts, systems, and applications in the environment and then checking whether a solution can meet your organization's security goals. In some situations a combination of products, e.g. AuthLite with YubiKeys on privileged administrator accounts and Microsoft MFA on all standard accounts, is the best route to a full MFA deployment.
Original article by Steven Jakubin. Data Security Analyst, infotex