This article was written by Brandon Agostinelli.
The Cybersecurity and Infrastructure Security Agency (CISA) defines multi-factor authentication (MFA) as “a layered approach to securing data and applications where a system requires a user to present a combination of two or more credentials to verify a user’s identity for login. MFA increases security because even if one credential becomes compromised, unauthorized users will be unable to meet the second authentication requirement and will not be able to access the targeted physical space, computing device, network, or database.”[1] Implemented carefully and with best practices in mind, MFA is a clear net improvement to the information security risk posture of an organization in any industry, and carriers increasingly make it a prerequisite for cyber liability insurance. Username-and-password authentication on its own has not kept pace with the threat landscape: without the additional layer MFA provides, the likelihood that accounts and systems will be breached keeps rising.

The premise of MFA is that if a user’s password is compromised (through phishing, shoulder surfing, credential theft, social engineering, and so on), the second layer of authentication still blocks unauthorized access to organizational systems and resources. That second factor must be of a different kind than the password. A password is something you know; the second factor must be something you have (such as a phone or hardware token that receives or generates a one-time code or approval prompt) or something you are (such as a fingerprint or facial scan). MFA had moved firmly into the cybersecurity mainstream by late 2020, and on May 12, 2021, President Biden signed an Executive Order requiring Federal agencies, including their contractors, to implement MFA.[2]
MFA is a valuable added security measure for every information technology environment; however, like every control, MFA is not perfect and must be implemented with several potential risks and pitfalls in mind.
Implementation Risk:
Implementing an MFA solution without enough attention to detail can produce a control that not only operates ineffectively but adds no security value to the environment. One of the most widely deployed and industry-recognized MFA solutions today is the one built into Microsoft 365. Whenever a new tool is introduced, whether hardware (a firewall, router, or server) or a software control such as Microsoft 365 MFA, reviewing and removing manufacturer default configurations is one of the most important steps in the implementation; skipping it undermines much of the security work that follows. One reported incident illustrates how easily MFA can be bypassed when the default settings for Microsoft 365 MFA are relied upon. In short, the default configuration lets the service decide whether a second factor is required on a given sign-in, so MFA is not enforced every time. The threat actors obtained the target’s password and then simply took advantage of that default to sign in without ever being challenged for a second factor. The practical lesson is to enforce MFA explicitly for every user and every sign-in path, and then verify from the sign-in logs that no successful authentication was accepted with a password alone.
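As an added example (editor's code, not from the original article), the following Python script performs the after-the-fact check described above: it reads a sign-in log export and flags every successful sign-in that was satisfied by a password alone. Field names follow the Microsoft Graph `signIn` resource (`userPrincipalName`, `appDisplayName`, `clientAppUsed`, `authenticationRequirement`, `status.errorCode`). The sample records are constructed, and the split between legacy-protocol clients and policy gaps, together with the `LEGACY_CLIENTS` values, is an assumption that the `clientAppUsed` strings match what the Entra sign-in log shows.

```python
"""Check a Microsoft 365 / Entra ID sign-in export for sign-ins that were
accepted without a second factor.

Added example, not code from the original article. Field names follow the
Microsoft Graph `signIn` resource; the records in SAMPLE_EXPORT are
constructed for illustration, not real tenant data.
"""
import json
from collections import Counter

# Legacy protocols cannot complete an interactive MFA challenge, so a policy
# that only prompts "when the system decides" leaves them password-only.
# Assumption: these are the clientAppUsed strings shown in the sign-in log.
LEGACY_CLIENTS = {
    "Exchange ActiveSync",
    "IMAP4",
    "POP3",
    "Authenticated SMTP",
    "Other clients",
}

# Constructed sample: a trimmed `GET /auditLogs/signIns` response body.
SAMPLE_EXPORT = json.dumps({"value": [
    {"createdDateTime": "2023-03-01T08:02:11Z",
     "userPrincipalName": "alice@example.com",
     "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2023-03-01T08:05:43Z",
     "userPrincipalName": "bob@example.com",
     "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2023-03-01T08:07:19Z",
     "userPrincipalName": "carol@example.com",
     "appDisplayName": "Microsoft Teams",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2023-03-01T08:09:02Z",
     "userPrincipalName": "dave@example.com",
     "appDisplayName": "Azure Portal",
     "clientAppUsed": "Browser",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 50126}},  # wrong password: a failure, not a bypass
]})


def load_signins(export_json):
    """Parse the Graph response body and return the list of sign-in records."""
    return json.loads(export_json)["value"]


def single_factor_successes(records):
    """Successful sign-ins (errorCode 0) satisfied by a password alone.

    Each of these is a session the MFA control did not protect, whatever
    the tenant-wide setting claims.
    """
    return [
        r for r in records
        if r.get("status", {}).get("errorCode") == 0
        and r.get("authenticationRequirement") == "singleFactorAuthentication"
    ]


def classify(records):
    """Split unprotected sign-ins into legacy-protocol use vs. policy gaps.

    A legacy client means basic authentication is still enabled; a modern
    client that got through single-factor means the MFA policy itself has a
    hole (not applied to that user, app, or location).
    """
    legacy, policy_gap = [], []
    for r in single_factor_successes(records):
        (legacy if r.get("clientAppUsed") in LEGACY_CLIENTS else policy_gap).append(r)
    return {"legacy_protocol": legacy, "policy_gap": policy_gap}


def report(export_json):
    """Return a compact summary suitable for a rollout checklist."""
    buckets = classify(load_signins(export_json))
    flagged = [r for b in buckets.values() for r in b]
    return {
        "unprotected_users": sorted({r["userPrincipalName"] for r in flagged}),
        "legacy_protocol_count": len(buckets["legacy_protocol"]),
        "policy_gap_count": len(buckets["policy_gap"]),
        "by_client": dict(Counter(r["clientAppUsed"] for r in flagged)),
    }


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_EXPORT), indent=2))
```

Run against a real export, a non-empty `policy_gap` bucket is the finding that matters: it means a user, application, or network location is excluded from the MFA policy even though the tenant "has MFA turned on". The `legacy_protocol` bucket points at basic-authentication protocols that should be disabled outright rather than wrapped in MFA.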
Acceptance Amongst User Base:
Although authenticating with MFA before accessing systems and applications is neither difficult nor time consuming, it is new and different, and users may perceive it as an inconvenience compared with the methods they are used to. In practice, this means utilization stays low when organizations make MFA optional rather than mandatory.
Short Message Service (SMS) Authentication:
As MFA adoption grew, delivering the second factor to users by SMS or text message became common practice. It quickly became apparent that SMS as a second factor can be highly insecure and susceptible to compromise, with data breaches as the result. This form of authentication is specifically vulnerable to subscriber identity module swapping (SIM swapping), a social-engineering technique in which the attacker tricks or persuades the mobile carrier into moving the victim’s phone number to a SIM card in a device the attacker controls. Once the attacker receives the MFA code sent to that number, they can take over accounts, reset passwords, and access systems at will. SMS codes can also be captured by a phishing page that relays the code to the legitimate site in real time. To make an MFA implementation more secure, our recommendation is to favor something “you are” (facial recognition, fingerprint, etc.) over an SMS code as the second factor. Note that in practice a fingerprint or face scan on a phone or laptop unlocks a credential bound to that device rather than being sent to the service, so the protection comes from the combination of the trusted device and the biometric, not from the biometric alone.
General Use of Passwords:
SMS is not the only potentially insecure authentication method. Passwords themselves are often the breaking point of an organization’s security posture, resulting in data breaches, because human error is a cybersecurity risk that can never be reduced to zero. Human error shows up in password use in many ways; a few notable ones include:
- Reusing passwords for multiple systems and applications.
- Choosing simple, non-complex passwords because they are easy to remember and type.
- Writing down passwords or storing them insecurely (such as on a piece of paper, or within an Excel sheet saved on a device or share drive).
A simple way to eliminate these risks would be to remove passwords altogether, right? As you can imagine, a change of that magnitude is likely to meet resistance from stakeholders, especially in a larger organization. When making the case to key stakeholders, do the research up front to understand the objections you will face and how passwordless authentication would be adopted across every employee role in the organization. If removing passwords entirely is not approved, implementing MFA with a second factor that is something “you are” (facial recognition, fingerprint, etc.) substantially reduces the residual risk of standard password use, provided the second factor is enforced on every sign-in rather than left optional.
Phased Implementation:
Ideally, MFA would be applied to every user and every application in the environment from day one; however, turning the control on everywhere at once is not a best practice. Requiring MFA across the board in a single step invites widespread break/fix issues that can leave systems inaccessible for extended periods. Our suggestion is a phased approach: start with a test (or non-critical) application used by a small subset of users. Once the test phase has built enough confidence, create a rollout plan covering all systems and applications. Whether you then proceed from the less critical systems or from the high-priority applications that pose the greatest risk to the organization, rolling out MFA at a steady pace lets IT and security staff monitor each step and deal with difficulties, security gaps, or other barriers as they arise. Do not let the phased schedule harden into a permanent exception list: every application left outside the MFA policy remains accessible with a password alone until its turn comes.
[1] See this publication from January 2022 for additional information including an introduction to MFA, how it works, and why it is important: https://www.cisa.gov/resources-tools/resources/multi-factor-authentication-mfa
[2] Executive Order on Improving the Nation’s Cybersecurity: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/