
Four false ideas about Multi-Factor Authentication


Multi-Factor Authentication is very important for organisations. The truth is that without it, organisations are wide open to attacks if their employees fall for phishing scams or share passwords, which happens more than you think.

Compromised credentials can be really dangerous for a company, and for good reasons. Detecting an attack becomes very difficult when the hacker is using stolen but legitimate, valid credentials. From that moment, none of your security tools and solutions is going to detect anything unusual, for the simple reason that they believe the person logging on to the system is who they say they are.

Users are human, they are flawed, and they are careless and often exploited. They will always act outside the boundaries of policy and sometimes common sense. Security solutions must be there to protect employees from careless behaviour but also protect the business from outsiders trying to gain access to the network by pretending to be employees.

Despite knowing all of that, many organisations still won’t take password security seriously.

Research from a few years ago showed that not even 40 per cent of organisations were using MFA. Even more worrying, some recent surveys reveal that things haven’t really changed since then.

Organisations have the wrong idea about MFA

  • “My company is too small, we don’t need MFA”

That’s what many SMBs think, but they’re wrong. MFA can be and should be used by all businesses, regardless of size. The data they’re trying to protect is just as important as any large enterprise’s data.

According to a press release, MFA has remained unattainable to most SMBs because of high costs, complex setup, and management issues. However, MFA is one of the easiest, most basic ways to keep accounts protected. It doesn’t have to be complex nor expensive.

  • “My users don’t have access to valuable data, we don’t need MFA”

Most organisations don’t consider the majority of their employees as ‘privileged’ users because they don’t have access to critical data. So they find that using MFA might be too much. Well, they’re wrong again. MFA should be used to protect all users whether ‘privileged’ or not. Actually, all users have access to valuable data that, if used inappropriately, might harm the company. For those who don’t believe me, let’s take an example. Imagine a nurse decides to sell information on a celebrity patient to some journalist. It shows you the value of the data and the damage that can be done when this data is used inappropriately.

Plus, most hackers prefer starting with an easy target and then moving laterally within the network until they find valuable data.

  • “MFA can be bypassed”

Yes, that’s true, but the same goes for any other solution! You need to understand that no security solution is perfect, but MFA is close. Recently, the FBI published a warning concerning attacks in which MFA had been bypassed. The two main authenticator vulnerabilities are ‘Channel Jacking’, which involves taking over the communication channel used for the authenticator, and ‘Real-Time Phishing’, which involves using a machine-in-the-middle in order to intercept and replay authentication messages. According to experts, those attacks require high costs and effort. In the majority of cases, when an attacker comes across MFA, he moves to an easier target. Also, you might avoid some vulnerabilities by choosing MFA authenticators that don’t rely on SMS (the National Institute of Standards and Technology (NIST) discourages SMS and voice in its latest Digital Identity Guidelines).

Despite the recent attacks and its warning, the FBI maintains that MFA is very effective and is one of the simplest steps to make an organisation’s security better.

  • “If we start using MFA, our employees’ productivity will be disrupted”

No, or at least it doesn’t have to be. Employees’ productivity is very important, and if you implement a disruptive solution, there is a good chance adoption will be slowed down, if not stopped.

Flexibility is needed here. You need to choose an MFA solution that can adapt to your organisation’s needs. Users don’t need to be prompted for MFA all the time.

The context of the user’s authentication attempt can be used to authorise, deny or limit user access. It gives evidence that they are the authorised person with the given right of access. Actually, some experts see this as an additional (third) factor of authentication.

With contextual restrictions in place, administrators can be confident in customising MFA controls that avoid prompting the user each time they log in. Contextual factors can include location, machine, time, session type and number of simultaneous sessions. Transparent to the end user, they create a significant barrier to an attacker but don’t impede users’ productivity.
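As an added illustration (not code from the article or from IS Decisions’ product), the policy below evaluates one login attempt against the contextual factors listed above and decides whether to let the user in silently, prompt for MFA, or deny. The rule names, thresholds, sample network and device identifiers are all assumptions for the example.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Possible decisions for one authentication attempt (assumed names).
ALLOW, REQUIRE_MFA, DENY = "allow", "require_mfa", "deny"

@dataclass
class LoginContext:
    source_ip: str        # where the attempt comes from (location)
    device_id: str        # identifier of the machine used
    login_time: time      # local time of the attempt
    session_type: str     # e.g. "console", "vpn", "rdp"
    active_sessions: int  # sessions the user already has open

@dataclass
class Policy:
    trusted_networks: list      # CIDRs considered "inside" the organisation
    known_devices: set          # machines enrolled for this user
    work_start: time
    work_end: time
    allowed_session_types: set  # session types this user may open at all
    max_sessions: int           # cap on simultaneous sessions

def evaluate(ctx: LoginContext, policy: Policy) -> str:
    """Decide allow / require_mfa / deny from the context of the attempt."""
    # Hard restrictions are enforced regardless of credentials or MFA.
    if ctx.session_type not in policy.allowed_session_types:
        return DENY
    if ctx.active_sessions >= policy.max_sessions:
        return DENY
    # Soft signals: how familiar does this attempt look?
    ip = ip_address(ctx.source_ip)
    on_trusted_net = any(ip in ip_network(n) for n in policy.trusted_networks)
    known_device = ctx.device_id in policy.known_devices
    in_hours = policy.work_start <= ctx.login_time <= policy.work_end
    if on_trusted_net and known_device and in_hours:
        return ALLOW          # fully familiar context: no prompt needed
    if not (on_trusted_net or known_device or in_hours):
        return DENY           # everything is unusual at once: refuse outright
    return REQUIRE_MFA        # partly unfamiliar: ask for the second factor

# Constructed sample policy for a user (not real network or device data).
POLICY = Policy(trusted_networks=["10.20.0.0/16"], known_devices={"LAPTOP-0042"},
                work_start=time(8, 0), work_end=time(18, 0),
                allowed_session_types={"console", "vpn"}, max_sessions=2)

def decide(ip: str, device: str, hour: int, stype: str, sessions: int) -> str:
    """Convenience wrapper: build a context and evaluate it against POLICY."""
    return evaluate(LoginContext(ip, device, time(hour, 0), stype, sessions), POLICY)
```

A user on the corporate network, on an enrolled laptop, during office hours logs in with no prompt; the same user from an unknown network is prompted, and an attempt that is unusual on every count is refused.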

Compromised credentials happen to everyone. That’s why MFA must be used by all businesses, regardless of size.

François Amigorena, founder and CEO, IS Decisions