Many organizations are feeling an elevated cybersecurity threat level as of late. For years, the news has been rife with stories of embarrassing and costly corporate hacks, ransomware threats, and conniving scammers. Additionally, during the COVID-19 pandemic there has been an uptick in attacks. Many users are relying on remote-work technology full-time, for the first time — cyber criminals realize this and work to capitalize on user confusion or gaps in identity verification. As such, all members of an organization must realize their roles in protecting both data and themselves from cyber-threats.
One of the easiest ways an organization can greatly improve security is by using more robust authentication methodologies. Yet the past decade has shown conclusively that password security alone doesn’t adequately protect against motivated attackers. This is where multifactor authentication (MFA) can make a big difference with logon security. In the most common MFA implementation, a user must enter an additional code generated by an authenticator app on their phone (though this code can also be generated by a dedicated hardware token) in order to access a password-protected service.
The most recent figures from LastPass’ Global Password Security Report suggest that while 57% of enterprises worldwide are using MFA, only 27% of smaller companies use it. This isn’t bad, but there’s lots of room for improvement.
One of the biggest obstacles to MFA deployment can be user resistance. This is why it’s important to streamline your organization’s MFA deployment to make sure it meets two primary goals: being accessible to the user-base, and securing the organization against threat vectors. As such, this post is intended for IT pros, organizational administrators, and even savvy users — because each of you are stakeholders in your organization’s information security.
Here’s some common examples of security shortfalls that MFA can help protect against.
Weak & Reused Passwords
Users trying to make a memorable, easy-to-type password may not necessarily create a password that is hardened against attacks. Users might also reuse passwords from other sites in order to remember them more easily. This means that a password breach on a third-party website can lead to a hacker knowing credentials to access your own organization.
Another common tactic of cyber-criminals is to trick users into putting their credentials into phony login forms. Without MFA, the only way for users to protect their login credentials against phishing is through constant mindfulness. This can result in vigilance fatigue on the part of users, and an increase in support tickets when help desk staff are asked to weigh in on the veracity of links, attachments, and emails.
Weak Access Controls
Because users occasionally share passwords (sometimes for reasons of practicality) it can be difficult to be certain who is accessing what. This is especially troubling when a terminated employee can still access restricted material.
Best Practices and Potential Shortfalls
Implementing MFA can be relatively straightforward, but it’s important to treat it as laying the groundwork for better security. Shortcuts that seem desirable to end-users can undercut that security. Likewise, it’s important to recognize that MFA — while being an excellent additional layer of security — is not bulletproof. Organizations must assess their own threat vectors to come up with a solution that delivers the right security posture.
Codes vs Notifications
Microsoft’s MFA app allows for a convenient notification-based authentication — where a user is presented with a Deny/Approve dialog on their mobile device to authenticate sign-ins. However, this convenience can be problematic because of the phenomenon of Warning Fatigue: where users who are constantly presented with warning dialogs start clicking through them out of habit without considering the implications of doing so first.
As an alternative to notifications, organizations should consider MFA which generates six-digit code that resets every 30 seconds. Though this may seem less user-friendly, it puts more responsibility for action and thoughtfulness onto the user.
SMS Verification Weaknesses
Many organizations may feel that SMS-based notifications are sufficient for their given threat vector. Because they don’t require the installing of an additional app on one’s phone, SMS-based notifications may also help to combat any resistance. However, it’s worth considering the security shortfalls of SMS-based MFA. Savvy hackers can either spy on SMS text messages or hijack a user’s phone number entirely. SIM-swap attacks, as they’re known, have become increasingly common online, and usually involve exploits targeted against a specific user.
Mobile Endpoint Security
A mobile phone, just like a computer, is an endpoint which is vulnerable to attack. Malware which monitors a phone’s screen or clipboard can allow a hacker access to a user’s authenticator. More sophisticated exploits are also known to exist. This is why app-based MFA should coexist with good mobile device management practices.
Like any physical device, phones and hardware tokens can be stolen. While organizations may evaluate targeted theft against personnel as being outside their threat vector, basic security protocols include ensuring that users understand the importance of reporting a lost or stolen device to their IT department as soon as possible.
In many cases, passwords alone are no longer sufficient to protect your organization’s data. That’s why a successful MFA deployment can greatly increase the security of your organization. The critical first step is to plan carefully and consider both threat vectors and user participation in order to make the end solution work.
Softlanding provides professional and managed IT services across business sectors. If you want to enjoy the benefits of multi-factor authentication in your organization, we can deploy and implement leading Microsoft Solutions built into Azure and Office 365. Contact us now to learn more.