Security Experts:

Why Not Always Multi-Factor Authentication?

According to a survey of 2,600 IT professionals conducted by security awareness training firm KnowBe4, only 38 percent of large companies use multi-factor authentication (MFA) while a whopping 62 percent of small to midsize companies don’t. MFA, which requires more than one method of authentication to verify identity, may not be the sexiest thing around, but with it in place, organizations can make it that much harder for attackers to accomplish their goals. So, why isn’t it more ubiquitous?

Perhaps the issue stems from the fact that some people tend to choose the path of least resistance. Or perhaps it stems from a belief that MFA isn’t the fastest, easiest, and most convenient solution to implement and use. While it’s true that there’s no turnkey MFA solution to fit every organization, it’s not necessarily true that it should be viewed as yet another difficult security control that needs to be folded into existing security stacks. 

Every organization is different — from the technology and security controls they have in place to the in-house skillsets they possess — and therefore, the time, effort, and cost required to implement MFA will vary. What’s important is to consider the various environments (e.g., on-premises, cloud, hybrid), determine which applications need MFA, and then find the best solution fit to align with existing policies, controls, and security objectives. 

More Is More

It’s also important for IT security teams to understand the slight, but potentially significant difference between MFA and two-factor (2FA) authentication. 

A subset of MFA, 2FA requires users to provide a username/password combo and to verify their identity via something they physically possess (e.g. a smartphone). Today, the majority of 2FA solutions work by sending a unique, one-time code to a user’s mobile phone, which has already been confirmed and paired to the user’s account. Popular solutions, for example, are Google Authenticator and Authy, which generate two-step verification codes on mobile phones, and Duo Mobile, which verifies a user’s identity with push-based notifications and helps protect against phishing and other identity-based attacks.  

But why stop at two factors? The convenience and relative time savings of 2FA may be better than nothing, but are they worth the risk? Especially considering that most, if not all breaches today involve an adversary compromising user credentials and using them to gain access to an organization’s network and sensitive assets. 

Among several large-scale examples of 2FA failing is the recent Reddit one. Back in June, Reddit found that an attacker had compromised several employee accounts through its cloud and source-code hosting providers. At the time, the company had been using basic SMS-based 2FA authentication, whereby users were sent a token via text message that they then entered into the application they were authenticating to. This form of 2FA is simple, cheap, and user-friendly, which is why it’s so widely used; however, the downside is that it’s also extremely vulnerable to SMS intercepts, which was the main attack vector used in the Reddit breach. 

Other Factors to Consider

A device-recognition product can help alleviate some of the inherent vulnerabilities of basic 2FA. These solutions work by registering a user ID to an authentication server. The server and client then use the user ID to generate a new token after a specific time frame. When a user attempts to log into an application, the server checks to see if the generated values match; and if they do, the user is granted access. 

While extra factors may not cater to those looking for maximum speed and convenience, it’s hard to argue against the easy to use, but harder to defeat combo, especially compared to the greater hassle and potential damage of a breach.

view counter
Erin O’Malley is an incident response delivery support manager at Accenture Security, FusionX, Cyber Investigation and Forensics Response (CIFR), where she teams with incident responders and threat hunters to document and catalog incident report findings and highlight the value of taking an adversary-based approach to minimize the risk, exposure, and damage of cybersecurity incidents. Prior to joining Accenture, Erin was a security solutions marketing manager at Gigamon. Other past roles have included product marketing for virtualization and cloud security solutions at Juniper Networks and customer marketing at VMware. She has written and edited for GE Digital, WSGR, Business Objects, and the TDA Group, and holds a B.A. in French from Penn State University and an M.A. in French from Middlebury College. The opinions and statements in this column are solely those of the individual author, and do not constitute professional or legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. No representations or warranties are provided, and the reader is responsible for determining whether or not to follow any of the suggestions or recommendations, entirely at their own discretion.