A Frank Discussion of Multifactor Authentication
Someone steals credentials from one of your client’s executives. They guess the username and password to their email account. From there, the cybercriminal can send out targeted phishing emails to compromise even more accounts or trick employees into handing over sensitive data.
To combat instances like these, many businesses and applications now require multifactor authentication (MFA). Over the years, MFA has become far more commonplace. In theory, it makes sense—cybercriminals could brute-force guess a password and have free rein over someone’s account. But if the user set up MFA via SMS text messages on their account, then the cybercriminal would need to gain access to their phone as well.
But how secure does multifactor authentication make users? Well, like anything else in security, it depends. Let’s start by explaining the term.
What is multifactor authentication?
To begin with, it may help to understand what multifactor authentication (MFA) is. It’s any authentication scheme that requires you to have two or more “factors” to prove your identity. In layman’s terms, you need to prove in two different ways that you are who you say you are—such as your username/password combination, the answer to a security question, a code sent via email or SMS text message, or even physical attributes like a fingerprint or ocular scan.
Of course, there are drawbacks. For example, if you set up MFA for your customers’ email accounts and require them to use an SMS code to log in each time, users must physically have their phone on them whenever they want to check or send their email. If they lose it (or it’s stolen), they may have a hard time getting back into their email, and you’ll have to restore their account with a new number.
One way to make this more convenient involves taking a risk-based approach to MFA. Depending on how risky the user is—or the location they sign in from—you may want to “increase the pain.” For example, you may decide to require text-based authentication for people on a home network while allowing them to simply log in with their password when they’re in the office. This keeps things convenient for users when there’s less risk. Additionally, if you have a high-profile user like an executive or a system admin, you may want to add multiple factors, like requiring text messages and security questions, on top of the initial username/password combination.
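As an added illustration (not code from the original post), here is a small risk-based step-up policy in Python that encodes the rules above: an extra possession factor off the corporate network, and additional factors for high-profile roles. The role names, network labels and factor names are assumptions made for the example, and the helper `is_multifactor` adds the practitioner’s caveat that two factors of the same kind (a password plus a security question) are not really “multi” factor.

```python
"""Risk-based MFA step-up policy (illustrative example, not the post's code)."""
from dataclasses import dataclass, field
from enum import Enum


class FactorType(Enum):
    KNOWLEDGE = "knowledge"    # something you know: password, security question
    POSSESSION = "possession"  # something you have: SMS code, hardware token
    INHERENCE = "inherence"    # something you are: fingerprint, ocular scan


# Factor name -> factor kind (constructed for this example)
FACTORS = {
    "password": FactorType.KNOWLEDGE,
    "security_question": FactorType.KNOWLEDGE,
    "sms_code": FactorType.POSSESSION,
    "fingerprint": FactorType.INHERENCE,
}

HIGH_PROFILE_ROLES = {"executive", "sysadmin"}   # assumed role labels
TRUSTED_NETWORKS = {"office"}                    # assumed network labels


@dataclass
class LoginContext:
    role: str
    network: str                                 # e.g. "office" or "home"
    presented: set = field(default_factory=set)  # factors already verified


def required_factors(ctx: LoginContext) -> set:
    """Raise the bar with risk: off-site logins and high-profile roles need more."""
    required = {"password"}
    if ctx.network not in TRUSTED_NETWORKS:
        required.add("sms_code")                 # off-site: add a possession factor
    if ctx.role in HIGH_PROFILE_ROLES:
        required |= {"sms_code", "security_question"}   # always step up execs/admins
    return required


def is_multifactor(factors: set) -> bool:
    """True only if the factors span at least two distinct factor kinds."""
    return len({FACTORS[f] for f in factors}) >= 2


def evaluate(ctx: LoginContext) -> tuple:
    """Return ("allow", set()) or ("step_up", <factors still missing>)."""
    missing = required_factors(ctx) - ctx.presented
    return ("step_up", missing) if missing else ("allow", set())
```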
However, it’s important to realize that, like anything else in security, multifactor authentication isn’t a silver bullet. It absolutely makes things harder for attackers, but determined cybercriminals can still bypass MFA. For example, they can take over a victim’s phone number (a SIM swap) to intercept text-message codes, or use phishing emails to trick the user into handing over a one-time security code.
In short, you can’t rely on multifactor authentication alone. Like anything else, MFA should sit within a larger strategy that includes both security controls and policies. For example, consider including the following:
- Offer security training that teaches users the importance of password strength and shows them how to recognize phishing attempts. Additionally, make sure to emphasize that users shouldn’t reuse passwords. You don’t want someone using their Netflix account password to get into their company email if Netflix has a breach. Consider implementing a business-grade password management tool for your customers to help ensure password strength without causing a massive inconvenience.
- Use an access rights management tool to make sure employees don’t get excessive permissions. As your clients’ organizations grow, you want to keep on top of user permissions and ensure risky data can be accessed by only a small handful of trusted users. A good access rights management tool like SolarWinds® Access Rights Manager can help you audit permissions and help you implement the “principle of least privilege.”
- Monitor for suspicious activity before, during, and after any attack. A security information and event management (SIEM) tool can help you look for threats on the network, while an endpoint protection tool can look for threats at the device level. Accessing an account is just step one for cybercriminals—what they do after that requires additional protection.
The bottom line is this—multifactor authentication can be an excellent way of keeping cybercriminals out of important accounts. It does have flaws, but that doesn’t mean you should avoid using it. In fact, multifactor authentication should be standard for any user account that could present a potential risk to your customers. It’s important to realize that MFA is only one tool in your arsenal—you need a full layered security strategy to further reduce the risk of account compromise.