SecurityWeek

Identity & Access

Why Not Always Multi-Factor Authentication?

According to a survey of 2,600 IT professionals conducted by security awareness training firm KnowBe4, only 38 percent of large companies use multi-factor authentication (MFA), and 62 percent of small to midsize companies don't use it at all. MFA, which requires more than one independent method of authentication to verify an identity, may not be the most exciting control around, but with it in place, a stolen password alone no longer gets an attacker in. So, why isn't it more ubiquitous?

Perhaps the issue stems from the fact that some people tend to choose the path of least resistance. Or perhaps it stems from a belief that MFA is not the fastest, easiest or most convenient control to implement and use. While it is true that no turnkey MFA solution fits every organization, it does not follow that MFA must be treated as yet another burdensome control to be bolted onto an existing security stack.

Every organization is different, from the technology and security controls it has in place to the in-house skillsets it possesses, and therefore the time, effort and cost required to implement MFA will vary. What matters is to consider the various environments (e.g., on-premises, cloud, hybrid), determine which applications and accounts need MFA (administrative, remote-access and email accounts are the usual first priority), and then find the solution that best aligns with existing policies, controls and security objectives.

More Is More

It's also important for IT security teams to understand the slight but potentially significant difference between MFA and two-factor authentication (2FA).

A subset of MFA, 2FA in its most common form requires users to provide a username/password combination and then prove possession of something they physically hold (e.g., a smartphone). Today, most 2FA deployments rely on a one-time code tied to a mobile phone that has already been enrolled and paired to the user's account: either the code is delivered to the phone, or it is generated on the phone itself. Google Authenticator and Authy, for example, generate time-based codes locally on the device from a secret shared at enrollment, so nothing is transmitted over the phone network. Duo Mobile instead verifies the user with a push notification that the user approves on the device. Push approval removes the typed code, but it does not by itself stop an attacker who already holds the password from sending prompts until a tired user taps "approve", so deployments should require number matching or an equivalent confirmation step rather than a bare yes/no prompt.

But why stop at two factors, and why settle for the weakest second factor? The convenience and relative time savings of basic 2FA may be better than nothing, but are they worth the risk? Especially considering that a large share of breaches today begin with an adversary obtaining valid user credentials and using them to gain access to an organization's network and sensitive assets.

Among several large-scale examples of 2FA failing is the recent Reddit one. Back in June, Reddit found that an attacker had compromised several employee accounts at its cloud and source-code hosting providers. At the time, the company had been using basic SMS-based 2FA, whereby users were sent a code via text message that they then entered into the application they were authenticating to. This form of 2FA is simple, cheap and user-friendly, which is why it is so widely used; the downside is that the code travels over the phone network and can be intercepted, whether by a SIM swap, by abuse of carrier infrastructure, or by malware on the handset, and an SMS intercept was the main attack vector in the Reddit breach. A code the user types can also be captured by a phishing page and relayed to the real site within its validity window, so a short-lived code on its own is not phishing-resistant, whatever channel delivers it.

Other Factors to Consider

An authenticator app bound to a registered device (the model behind Google Authenticator and Authy mentioned above) removes the SMS channel and with it the interception problem. At enrollment the authentication server and the device share a secret, typically delivered as a QR code. From then on, both sides independently derive a short-lived code from that secret and the current time window, the time-based one-time password scheme standardized in RFC 6238, so the code is never sent to the user at all. When the user logs in, the server computes the expected code for the current window, compares it with the submitted value, and grants access only on a match. Two details matter in practice: the server should tolerate a small amount of clock skew between itself and the phone, and it should refuse to accept the same code twice, so that a captured code cannot be replayed within its window.
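The scheme described above, as an added worked example (this is not code from the article or from any of the vendors it names): a minimal RFC 6238 TOTP generator together with the server-side check, including a one-step clock-skew window and a replay guard. It is built on the RFC 4226 HOTP construction, so the same code also covers the app-generated codes discussed in the 2FA section. The shared secret is the RFC 6238 test-vector secret (the ASCII string "12345678901234567890"), and the issuer and account names in the provisioning URI are placeholders.

```python
"""TOTP (RFC 6238) on top of HOTP (RFC 4226), with a server-side verifier.

Standard library only: hmac, hashlib, struct, base64, time, urllib.parse.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # length of the code the user types

# Shared secret from the RFC 6238 test vectors (SHA-1 variant). In a real
# deployment this is a random 20+ byte value generated per user at enrollment.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter replaced by the current time window."""
    return hotp(secret, unix_time // step, digits, algo)


def totp_now(secret: bytes) -> str:
    """What an authenticator app shows right now for this secret."""
    return totp(secret, int(time.time()))


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """otpauth:// URI that authenticator apps read from the enrollment QR code.

    The secret is Base32-encoded, as the apps expect. Issuer/account are
    placeholders supplied by the caller.
    """
    b32 = base64.b32encode(secret).decode("ascii")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1"
            f"&digits={DIGITS}&period={STEP_SECONDS}")


class TotpVerifier:
    """Server side: holds the enrolled secret, tolerates small clock skew,
    and never accepts a time window at or before the last accepted one, so a
    captured code cannot be replayed while it is still valid."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window              # steps of skew accepted either side
        self.last_accepted_step = -1      # persist per user in a real system

    def verify(self, submitted: str, unix_time: int) -> bool:
        now_step = unix_time // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            step = now_step + delta
            if step <= self.last_accepted_step:
                continue                  # replay guard (also blocks older windows)
            expected = hotp(self.secret, step)
            # constant-time compare so timing does not leak the expected digits
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    print("enrollment URI:", provisioning_uri("Example Corp", "alice@example.com", DEMO_SECRET))
    print("code at T=59 (RFC vector, last 6 digits of 94287082):", totp(DEMO_SECRET, 59))
    v = TotpVerifier(DEMO_SECRET)
    print("first use accepted:", v.verify(totp(DEMO_SECRET, 59), 59))
    print("replay rejected:   ", v.verify(totp(DEMO_SECRET, 59), 59))
    print("current code:", totp_now(DEMO_SECRET))
```

The verifier deliberately rejects any window at or before the last accepted one, which means a user who authenticates and immediately retries with the previous window's code is refused; that is the intended trade-off, since the alternative is letting a phished code be reused for up to 90 seconds. Note what this code does not do: a real-time phishing relay that forwards a freshly generated code to the genuine site within the window still succeeds, which is why origin-bound factors (FIDO2/WebAuthn security keys) are the next step up from app-generated codes.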

While extra or stronger factors may not cater to those looking for maximum speed and convenience, it is hard to argue against an easy-to-use but harder-to-defeat combination, especially compared to the far greater hassle and potential damage of a breach.
