A strong user name and password alone no longer cut it. Companies without MFA are wide open to attack, whatever other security solutions they have in place: if an employee falls for a phishing scam or shares a password, an attacker can be inside the network in minutes. So what is stopping some organizations from adopting multi-factor authentication (MFA)?
Compromised credentials are one of the biggest threats organizations face today, and it is easy to see why. An attacker compromises a set of corporate credentials and uses them to log in to your network. Why would any of your security solutions flag anything unusual? The attacker is using valid credentials. That is what makes these attacks so hard to detect.
What is harder to understand is that, while this threat is well known, many organizations still don't take it seriously. Our survey of IT decision makers from a few years ago showed that only 38% used MFA to protect credentials, and for some of them nothing has changed since.
Mistaken beliefs about the adoption of MFA
We believe 4 myths are still prevalent that might be guiding some organizations to avoid MFA.
1. MFA should be used only in large enterprises
Small and medium-sized businesses have data to protect just as large enterprises do. MFA should be a key security measure for any company, whatever its size, and it does not have to be expensive or complex.
2. MFA should be used to protect only privileged users
The first reason to protect all of your employees with MFA, not only privileged users, is that even accounts you consider "non-privileged" can still reach data that could hurt your company. A nurse, for example, would be considered non-privileged, but she may still be able to read a celebrity patient's record and sell it to a newspaper. Used inappropriately, almost any data can harm a company.
The second reason is that most attackers don't start with a highly privileged account. They usually start with a low-level account and move laterally until they find something valuable.
3. MFA is not perfect
There is no "perfect" in security, but MFA comes close. Not long ago the FBI issued a warning about attacks in which MFA had been bypassed. The two main techniques were "channel jacking", the takeover of the communication channel the authenticator uses (for example an SMS channel), and "real-time phishing", in which a machine-in-the-middle proxy intercepts the credentials and one-time code the victim types and forwards them to the real service before the code expires. Both require considerably more effort and cost than a plain credential-stuffing attack, so an attacker who runs into MFA will usually move on to an easier target.
As a simple precaution, avoid MFA authenticators that rely on SMS or voice calls: the National Institute of Standards and Technology (NIST) discourages them in its latest Digital Identity Guidelines (SP 800-63B), because the phone channel can be hijacked.
The FBI also still maintains that MFA is effective and is one of the simplest steps a company can take to strengthen its security.
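The real-time phishing bypass described above, as an added illustration that is not part of the original article or of any particular vendor's product. The service, the victim's secret and the credentials are constructed for the demo; the one-time code is a standard HOTP/TOTP computation, and the proxy simply forwards what the victim types to the real service. The point it shows: a code-based second factor is only as good as the channel it is typed into, and a relayed code is accepted as long as the relay happens inside the validity window.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current time step."""
    return hotp(secret, now // step)


class Service:
    """The real login endpoint: password plus a TOTP code for the current time step."""

    def __init__(self, users: dict):
        self.users = users          # username -> (password, totp_secret); constructed demo data
        self.sessions: dict = {}    # session token -> username

    def login(self, username: str, password: str, code: str, now: int):
        password_ok, secret = self.users.get(username, (None, None))
        if password_ok is None or not hmac.compare_digest(password_ok, password):
            return None
        if not hmac.compare_digest(totp(secret, now), code):
            return None
        token = secrets.token_hex(8)
        self.sessions[token] = username
        return token


class PhishingProxy:
    """The attacker's look-alike site. It does not break the code; it relays it in real time."""

    def __init__(self, real: Service):
        self.real = real
        self.stolen_tokens: list = []

    def login(self, username: str, password: str, code: str, now: int):
        # Forward the victim's input to the real service immediately and keep the session it issues.
        token = self.real.login(username, password, code, now)
        if token is not None:
            self.stolen_tokens.append(token)
        return token


def run_demo() -> dict:
    """Victim logs in through the phishing site; the attacker ends up with a valid session."""
    secret = b"constructed-demo-secret"           # hypothetical enrolled authenticator secret
    svc = Service({"alice": ("hunter2", secret)})
    proxy = PhishingProxy(svc)
    now = 1_700_000_000                            # fixed clock so the demo is deterministic
    code = totp(secret, now)                       # what the victim reads off her authenticator app

    relayed = proxy.login("alice", "hunter2", code, now)       # relay inside the 30 s window
    late_replay = svc.login("alice", "hunter2", code, now + 90)  # same code three steps later
    return {
        "attacker_has_session": relayed is not None and svc.sessions.get(relayed) == "alice",
        "late_replay_accepted": late_replay is not None,
    }
```

The late replay fails, which is why the attack has to be done in real time: the proxy must be online and forwarding while the victim is typing, which is the extra cost and effort the article refers to.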
4. MFA impedes employees’ productivity
As with any new technology, if MFA gets in the way of users' work they won't tolerate it and the solution won't be adopted; they will find a way around the control, and that puts the company at risk. That is why you need flexibility in how multi-factor authentication is applied. Administrators usually don't want to prompt a user for a second factor at every login. Instead, identity assurance can be raised with contextual controls, which use information from the environment to further verify each user's claimed identity while remaining transparent to the end user. Contextual factors can include location, machine, time of day, session type and the number of simultaneous sessions; a login that matches the user's usual pattern goes through silently, while an unusual one triggers an MFA prompt or is refused.
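A contextual step-up policy of the kind just described, as an added example that is not part of the original article or of any vendor's product. The user profile, the rules, their thresholds and the sample login attempts are all constructed assumptions; a real deployment would feed the same kind of decision from a directory, device inventory and session store.

```python
from dataclasses import dataclass, field


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    hour: int            # local hour of day, 0-23
    session_type: str    # "console", "rdp", "vpn", ...
    active_sessions: int  # sessions this user already has open


@dataclass
class UserProfile:
    known_devices: set
    usual_countries: set
    work_hours: tuple = (7, 20)   # [start, end) in local hours; assumed policy values
    max_sessions: int = 2


def evaluate(attempt: LoginAttempt, profile: UserProfile) -> tuple:
    """Return (decision, reasons). Decision is 'allow', 'mfa' (prompt for a second factor) or 'deny'."""
    if attempt.active_sessions >= profile.max_sessions:
        # Too many concurrent sessions is treated as a hard stop rather than a prompt.
        return "deny", ["simultaneous session limit reached"]

    reasons = []
    if attempt.device_id not in profile.known_devices:
        reasons.append("unknown device")
    if attempt.country not in profile.usual_countries:
        reasons.append("unusual location")
    start, end = profile.work_hours
    if not (start <= attempt.hour < end):
        reasons.append("outside working hours")
    if attempt.session_type in {"rdp", "vpn"}:
        reasons.append("remote session type")

    # Anything that deviates from the user's normal context costs a second-factor prompt;
    # a login that matches the profile on every point goes through without one.
    return ("mfa" if reasons else "allow"), reasons


# Constructed profile and attempts for one user.
ALICE = UserProfile(known_devices={"LAPTOP-01"}, usual_countries={"FR"})

SAMPLE_ATTEMPTS = [
    LoginAttempt("alice", "LAPTOP-01", "FR", 9, "console", 0),   # normal workday login
    LoginAttempt("alice", "LAPTOP-01", "FR", 23, "vpn", 0),      # late-night VPN from the usual laptop
    LoginAttempt("alice", "UNKNOWN-7", "US", 10, "rdp", 0),      # new device, new country, RDP
    LoginAttempt("alice", "LAPTOP-01", "FR", 10, "console", 2),  # already at the session limit
]


def decide_all(attempts=SAMPLE_ATTEMPTS, profile=ALICE) -> list:
    """Evaluate every attempt and return the decisions in order."""
    return [evaluate(a, profile) for a in attempts]


if __name__ == "__main__":
    for attempt, (decision, reasons) in zip(SAMPLE_ATTEMPTS, decide_all()):
        print(f"{attempt.user} {attempt.device_id} {attempt.country} {attempt.hour:02d}h "
              f"{attempt.session_type}: {decision} {reasons}")
```

Only the first attempt is allowed without a prompt. Tuning which deviations merely prompt and which deny, and how quickly a newly enrolled device becomes "known", is where the productivity trade-off actually lives.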
Credential compromise can happen to anyone, privileged or non-privileged. An MFA solution should be a key security measure for every company, regardless of size, and it remains one of the simplest steps you can take to keep accounts protected.