Multi-factor authentication or MFA is increasingly becoming the standard for businesses in terms of cybersecurity, especially as they begin implementing Zero Trust security strategies. Zero Trust protects cloud-based environments, including in hybrid and remote situations.
The specifics of the implementation of MFA often depend on your users, devices, and environments. The goal with MFA is always to maximize your level of security and access control without putting a damper on productivity.
Accessibility is part of ensuring productivity.
While not an exhaustive list, some of the factors that can be used in multi-factor authentication include:
- Biometrics: This option tends to be simple to use for employees, but it also brings high security to the table. Biometrics uses factors inherent to the person seeking access to a device or application. These personal factors make it hard for a cybercriminal to steal them or fake them. Fingerprints and facial recognition are examples of biometrics in MFA.
- Time-based one-time passwords: TOTPs authenticate the identity of a user by sending unique, temporary, and randomized codes to a separate account or a device of the user. The user then enters the code on the device or application they're requesting access to. They're not as user-friendly as biometrics because they require more work from users, but not much more.
- Hard security tokens: Tokens require equipment such as a dongle for MFA. You may still have to input codes, though in some cases you don't.
To improve the accessibility of MFA, it may be layered with other modifications and tools.
Conditional access is an example. Conditional access simplifies the user experience but maintains security.
With conditional access, a system administrator can bypass or require multi-factor authentication depending on the scenario. They can also deny access altogether. For example, MFA might be needed if a user signs on from a network that’s not recognized.
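The decision described above, sketched as an added example that is not part of the original article: a sign-in is allowed without MFA, challenged for MFA, or denied depending on its context. The class, field names, rule order and the `backup-admin` account are assumptions for illustration, and the networks are constructed documentation ranges.

```python
import ipaddress
from dataclasses import dataclass

ALLOW, REQUIRE_MFA, DENY = "allow", "require_mfa", "deny"

@dataclass(frozen=True)
class SignIn:
    user: str
    source_ip: str
    managed_device: bool

class ConditionalAccessPolicy:
    """Hypothetical policy: names and rule order are assumptions."""

    def __init__(self, trusted_nets, blocked_nets, always_mfa_users=()):
        self.trusted = [ipaddress.ip_network(n) for n in trusted_nets]
        self.blocked = [ipaddress.ip_network(n) for n in blocked_nets]
        self.always_mfa = set(always_mfa_users)

    def decide(self, s: SignIn) -> str:
        try:
            ip = ipaddress.ip_address(s.source_ip)
        except ValueError:
            return DENY                      # unparseable source: fail closed
        if any(ip in net for net in self.blocked):
            return DENY                      # deny access altogether
        if s.user in self.always_mfa:
            return REQUIRE_MFA               # sensitive accounts never bypass
        if s.managed_device and any(ip in net for net in self.trusted):
            return ALLOW                     # recognized network: MFA bypassed
        return REQUIRE_MFA                   # unrecognized network or device

# Constructed sample values (documentation address ranges).
POLICY = ConditionalAccessPolicy(
    trusted_nets=["192.0.2.0/24"],
    blocked_nets=["203.0.113.0/24"],
    always_mfa_users=["backup-admin"],
)
```

The default at the end of `decide` is the MFA challenge, so any context the rules do not recognize is challenged instead of waved through.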
Another layered approach to utilize with MFA is single sign-on or SSO. SSO uses a single set of credentials, which in an optimal scenario are verified through MFA.
With all that in mind, which types of attacks does MFA work particularly well to protect against?
Multi-Factor Authentication and Ransomware
Ransomware attacks are one of the highest-priority cyber threats for organizations in all industries and of all sizes. IT teams are taking proactive steps to reduce the risk to applications and data, especially in dispersed hybrid and remote work environments.
These application and data targets are of high value for attackers.
Multi-factor authentication is a pivotal layer of protection, especially in your backup environment.
Without MFA, a cyber attacker would only need compromised credentials to gain access. This is known as single-factor authentication. If you have single-factor authentication and an attacker gains access, then there’s a higher likelihood you will have to pay ransom because you’re less likely to be able to recover your applications or data.
In general, compromised credentials are the most common way to infiltrate an organization. You have to consider the apps, devices, and services people constantly use in the modern world, personally and professionally. That means more password reuse.
According to statistics, an estimated 61% of people reuse passwords in work and personal accounts. One data breach could become massively damaging as a result.
With phishing attacks, which aren’t new but remain a popular approach, a message or email appears to have come from a trusted source. Then, there’s typically a call-to-action so the victim will end up giving information about their employer or themselves. That might mean sharing credentials.
The credentials then allow for system access.
When remote workers are faced with the growing interrelatedness of their personal and professional online identities, it gets even easier for them to let their guard down and potentially expose their employer to a phishing attack.
Phishing attacks were the most common type of cybercrime in 2020, according to the FBI. The prevalence nearly doubled from the previous year, and much of this was likely due to workers going remote during the pandemic.
Multi-factor authentication helps prevent phishing. First, attackers can’t log into a system successfully even with one set of stolen credentials if they don’t have the second factor. The other reason is that phishing attacks are often automated and go for easier targets. MFA makes accounts too complex and time-consuming to deal with for a lot of attackers.
During a spear-phishing attack, the focus is on a small group of users. Those users are often seen as high-value targets. Spear phishing attacks can evade spam filters that would block more generalized phishing.
Spear phishing also involves social engineering, which makes it a sophisticated type of phishing that’s used to obtain high-value information.
A spear-phishing message might include references to personal information, for example.
MFA can prevent spear phishing at the point the attacker is using the stolen credentials.
A man-in-the-middle attack is specifically targeted and is a way to intercept a network connection to steal data as it’s in transit.
Even if data is encrypted, a cyber attacker can decrypt it through the use of a malicious certificate. From there, the second stage of the attack using stolen credentials can be launched.
With MFA, the attacker can’t use the stolen credentials again and may not be able to change the password without the second factor.
Finally, another common type of attack often thwarted by MFA is brute force. With a brute force attack, stolen passwords are used to try all the combinations possible to get into an account.
Brute force attacks take advantage of the likelihood of people using the same passwords on different services or using easy-to-guess passwords.
MFA is excellent at stopping these types of attacks since they are so reliant on passwords.
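A login where the password is correct but the second factor fails is the point at which MFA has stopped someone holding stolen or guessed credentials, and it is worth alerting on alongside plain password guessing. The following added example (not part of the original article) runs both checks over a constructed sample log; the log format, thresholds and alert names are assumptions, and lines are assumed to be in time order.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
                  r"password=(?P<pw>ok|fail) mfa=(?P<mfa>ok|fail|-)")

def parse(lines):
    for line in lines:
        m = LINE.fullmatch(line.strip())
        if m:                                   # skip lines that do not match
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield e

def detect(lines, max_failures=5, window=timedelta(minutes=5)):
    """Return sorted (alert, user) pairs found in the log lines."""
    alerts, failures = set(), defaultdict(list)
    for e in parse(lines):
        if e["pw"] == "fail":
            recent = [t for t in failures[e["user"]] if e["ts"] - t <= window]
            recent.append(e["ts"])
            failures[e["user"]] = recent
            if len(recent) >= max_failures:
                alerts.add(("password_guessing", e["user"]))
        elif e["mfa"] == "fail":
            # Correct password, second factor failed: the password may be
            # known to someone who does not hold the factor. Reset it.
            alerts.add(("password_compromised", e["user"]))
    return sorted(alerts)

# Constructed sample log (format and addresses are made up for this example).
SAMPLE_LOG = [
    "2024-05-01T09:00:00Z user=carol src=192.0.2.10 password=ok mfa=ok",
    *[f"2024-05-01T09:01:0{i}Z user=alice src=198.51.100.7 password=fail mfa=-"
      for i in range(5)],
    "2024-05-01T09:02:00Z user=bob src=198.51.100.7 password=ok mfa=fail",
    "2024-05-01T09:03:00Z user=dave src=192.0.2.11 password=fail mfa=-",
]
```

On the sample, `detect(SAMPLE_LOG)` flags alice for password guessing and bob for a compromised password, while carol's normal login and dave's single failure raise nothing.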
No tool is going to completely stop an attack, but MFA is one of the most important elements of an overall cybersecurity strategy you can have.