Why Not Always Multi-Factor Authentication?

According to a survey of 2,600 IT professionals conducted by security awareness training firm KnowBe4, only 38 percent of large companies use multi-factor authentication (MFA) while a whopping 62 percent of small to midsize companies don’t. MFA, which requires more than one method of authentication to verify identity, may not be the sexiest thing around, but with it in place, organizations can make it that much harder for attackers to accomplish their goals. So, why isn’t it more ubiquitous?

Perhaps the issue stems from the fact that some people tend to choose the path of least resistance. Or perhaps it stems from a belief that MFA isn’t the fastest, easiest, and most convenient solution to implement and use. While it’s true that there’s no turnkey MFA solution to fit every organization, it’s not necessarily true that it should be viewed as yet another difficult security control that needs to be folded into existing security stacks. 

Every organization is different — from the technology and security controls they have in place to the in-house skillsets they possess — and therefore, the time, effort, and cost required to implement MFA will vary. What’s important is to consider the various environments (e.g., on-premises, cloud, hybrid), determine which applications need MFA, and then find the best solution fit to align with existing policies, controls, and security objectives. 

More Is More

It’s also important for IT security teams to understand the slight but potentially significant difference between MFA and two-factor authentication (2FA).

A subset of MFA, 2FA requires users to provide a username/password combo and to verify their identity via something they physically possess (e.g. a smartphone). Today, the majority of 2FA solutions work by sending a unique, one-time code to a user’s mobile phone, which has already been confirmed and paired to the user’s account. Popular solutions, for example, are Google Authenticator and Authy, which generate two-step verification codes on mobile phones, and Duo Mobile, which verifies a user’s identity with push-based notifications and helps protect against phishing and other identity-based attacks.  

But why stop at two factors? The convenience and relative time savings of 2FA may be better than nothing, but are they worth the risk, especially considering that most, if not all, breaches today involve an adversary compromising user credentials and using them to gain access to an organization’s network and sensitive assets?

Among several large-scale examples of 2FA failing is the recent Reddit breach. Back in June, Reddit found that an attacker had compromised several employee accounts through its cloud and source-code hosting providers. At the time, the company had been using basic SMS-based 2FA, whereby users were sent a token via text message that they then entered into the application they were authenticating to. This form of 2FA is simple, cheap, and user-friendly, which is why it’s so widely used; however, the downside is that it’s also extremely vulnerable to SMS intercepts, which was the main attack vector used in the Reddit breach.

Other Factors to Consider

A device-recognition product can help alleviate some of the inherent vulnerabilities of basic 2FA. These solutions work by registering a user ID to an authentication server. The server and client then use the user ID to generate a new token after a specific time frame. When a user attempts to log into an application, the server checks to see if the generated values match; and if they do, the user is granted access. 
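The token flow described above resembles time-based one-time passwords, so the following added example (not code from the article or from any product it names) shows both sides computing an RFC 6238 code and the server checking it with clock-drift tolerance and replay rejection. It assumes a shared secret provisioned when the user ID is registered and a 30-second window; the `Verifier` class and the user ID are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30  # assumed window length; the article only says "a specific time frame"

def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1) for the time step containing Unix time `at`."""
    counter = struct.pack(">Q", at // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Hypothetical server side: enrolment, drift tolerance, replay rejection."""

    def __init__(self, drift_steps: int = 1):
        self.secrets = {}    # user ID -> shared secret set at registration
        self.last_step = {}  # user ID -> newest time step already accepted
        self.drift = drift_steps

    def register(self, user_id: str, secret: bytes) -> None:
        self.secrets[user_id] = secret

    def verify(self, user_id: str, code: str, now: int) -> bool:
        secret = self.secrets.get(user_id)
        if secret is None:
            return False
        current = now // STEP
        first = max(0, current - self.drift)
        for step in range(first, current + self.drift + 1):
            expected = totp(secret, step * STEP)
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(expected.encode(), code.encode()):
                if step <= self.last_step.get(user_id, -1):
                    return False  # this window's code was already used
                self.last_step[user_id] = step
                return True
        return False

if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    server = Verifier()
    server.register("alice", secret)  # constructed user ID
    code = totp(secret, 1234567890)   # what the client device would display
    print(code, server.verify("alice", code, 1234567890))
    print("replay:", server.verify("alice", code, 1234567890))
```

Because the code is derived on the device from a secret that never travels over the phone network, there is no text message to intercept, which is the weakness the Reddit example illustrates.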

While extra factors may not cater to those looking for maximum speed and convenience, it’s hard to argue against the easy-to-use but harder-to-defeat combo, especially compared to the greater hassle and potential damage of a breach.
