The Pros And Cons Of Enterprise Multi-Factor Authentication
New Factors Effective Until Breaches Occur; Teaching Healthy Suspicion Prevails
Authentication is the means of verifying that an individual is who they claim to be. It is so fundamental that user authentication is a cornerstone of modern cyber security. The traditional user credential has been a username and password. As password use grew with the popularity of websites and internet services, attackers exploited weak passwords, and passwords reused across multiple sites, to gain unauthorized access to systems and data.
With large databases of exposed credentials available to attackers, the search for stronger ways to identify users has led enterprises to require two or more forms of authentication, commonly called Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA).
Beyond the password, factors now include a PIN, a one-time password (OTP) generated by an app or hardware token, and biometrics such as facial or fingerprint recognition. Factors are usually grouped as something the user knows (password, PIN), something the user has (phone, token) and something the user is (biometric); a PIN adds little on its own because it falls in the same category as the password. No single factor is sufficient, since each can be hijacked, breached or compromised just as passwords have been. Requiring multiple independent factors raises the bar for an attacker, who must now compromise each of them.
The Evolving MFA Landscape
MFA is by no means perfect. Breached password databases grow more extensive over time, and attackers are increasingly gaining access to stores of the newer authentication factors as well, as in the case of the publicly exposed database found to contain facial images and associated fingerprints. Unlike a password, a compromised biometric cannot be rotated.
The types of factor available in an enterprise setting are evolving too. Physical tokens and smart cards are being combined with digital infrastructure so that location and known, managed devices can serve as additional factors. Combined with a known user, a profile of access rights and permissions can be granted that matches the perceived risk of data leakage.
The prevalence of smartphones in the workforce, and the desire to access information at any time and from any place, have also made mobile devices a valuable attack surface. SIM swapping, carried out either in person at a carrier store or by socially engineering carrier staff, moves the victim's phone number onto a SIM the attacker controls, so SMS one-time codes are delivered to the attacker rather than to the known device.
The lesson is to offer employees a choice of factors that reduces the friction of unrealistic password regimes while reducing the likelihood that an attacker holds enough credentials to gain access.
Establishing Comprehensive Enterprise Data Protection
Research conducted into the trustworthiness of systems in various technical areas— including cyber security, cloud computing, big data, and cyber-physical systems— has focused on the fundamental security objectives of confidentiality, integrity, and availability (CIA).
- Confidentiality ensures that only authorized individuals can view protected data
- Integrity prevents data from being altered by unauthorized individuals, so that information can be trusted
- Availability ensures that authorized users can access information whenever they need it
“Effective cyber security demands that all three of these factors work together in unison to ensure comprehensive data protection,” said Tanner Johnson, Senior Analyst for market research and advisory firm IHS Markit.
Mitigating Risks Associated With MFA Attacks
The uptake of MFA has, not surprisingly, resulted in more cyberattacks targeting its underlying technologies. In a Private Industry Notification (PIN) issued in September, the Federal Bureau of Investigation (FBI) alerted private industry that cyber criminals are using social engineering and technical attacks to circumvent MFA.
The notification describes the methods observed and ways for organizations to mitigate the risk. The FBI continues to promote MFA as a strong and effective security measure, provided these precautions are observed. Earlier in the year, Google described the risk reduction its Gmail users gain by adding a recovery phone number, which also enables SMS as an additional authentication factor, though SMS is the very factor that SIM swapping targets. And Microsoft has noted that bypasses of MFA implementations are so uncommon that the company does not even keep statistics on them.
Healthy Suspicion Remains Best Course Of Defense
Locking down systems and access to data achieves strong authentication security, but it has the side effect of alienating the users who need to get their job done. Workforce productivity must be balanced against strong authentication.
Building a healthy level of suspicion in employees about clicking on email links or giving up credentials creates a partnership with the security team rather than fences and an adversarial relationship. Give employees the knowledge and tools to succeed, such as password managers that generate strong, unique credentials for both personal and work accounts.
MFA addresses the problem of compromised passwords, but it is not an end-all solution. Offer several factors for employees to choose from that fit how they work, with the understanding that access to sensitive data should require no more authorization than the job needs. And rethink granting access to systems and services (including email and social media) where it is not strictly necessary to the job.