Multi-factor authentication (MFA) is a vital second layer of defence against password-based attacks, as it makes stealing users credentials so much harder. The reality is, the more difficult you make getting initial access to your data, the more likely that thieves will give up and move on to an easier target. In this second post of our Authentication Series, we explore what MFA is and why it is so helpful to your organisation and its users. You can read the first post in the series here.
As the name implies, multi-factor authentication adds additional layers of authentication into the checking process of proving a user is who they claim:
A method of authentication that uses two or more authentication factors to authenticate a single claimant to a single authentication verifier.
We are all used to passwords, but additional factors have also become commonplace for accessing online services, such as social media sites sending SMS codes or email codes for users to log in. These additional factors have significantly improved online security and reduced the overall risk of identity theft and privacy breaches. Most MFA solutions fall into one of the following three categories:
Something you know (username and password)
Something you have (a token, such as a USB key, mobile phone or key card)
Something you are (fingerprint, iris scan, facial recognition or another biometric attribute)
Adding an additional level of authentication to any basic username/password combination significantly improves a user’s overall cyber resilience and lessens the likelihood of a threat actor being able to steal their identity. Furthermore, the barrier to entry is significantly lower than ever before, with most PC and mobile operating systems supporting multiple solutions.
This short 2.5 minute video gives an overview of MFA and how it reduces cyber risk exposure
Why we need MFA
In today’s environment of all things digital, cyber criminals have access to more than 15 billion stolen credentials , typically usernames and passwords harvested from years of massive security breaches. If they have one of your credentials, they may be able to assume your identity, your personally identifiable information (PII), to access your bank account, steal healthcare records, or access your organisation’s intellectual property.
Passwords remain ubiquitous as a form of authenticating users, but for some time now they have been acknowledged as the weakest aspect of our systems. In March 2020, Microsoft claimed that 99.9% of account compromises could have been prevented if only the organisation had MFA instead of relying only single factor, password authentication to protect their users.
Attacks are becoming more sophisticated
Password theft is an increasingly evolving attack vector and is usually a precursor to identity theft and fraud. Attackers use a variety of methods to steal passwords.
Brute force attacks
A brute force attack is one of the most common forms of attack, and by far the easiest for hackers. The attacker uses a special program that tries every password combination until they get into the system. If the victim has used what is considered a weak password, it could be seconds or minutes until the brute force attack yields a result.
A dictionary attack is where the attacker uses special software that cycles through commonly used passwords. A brute force attack goes character by character, whereas a dictionary attack uses words and phrases the attacker has collected that are common. Some users pick shorter passwords, and base them on common words. Some take names of pets or relatives, and with hackers building automatic dictionaries based on data they scrape from social media, even these sorts of passwords are now considered weak.
Hackers disguise phishing attacks as unsuspecting emails posing as legitimate services. Disguised in a fraudulent email, hackers entice users to commit their credentials to a fake website, then collect that data for use later in their own attacks.
Almost all password attacks assume hackers don’t already possess your users’ passwords. However, this may not prove true. An under-reported, yet devastating form of attack, credential stuffing, is where hackers use lists of stolen usernames and passwords in combination on various accounts, iterating until they get a match. This attack relies on people’s tendency to reuse passwords across multiple services. Furthermore, hackers often share (or sell) stolen passwords, so breached credentials proliferate quickly amongst threat actors.
Password spraying is where attackers try many accounts at once with a few commonly used weak passwords. If even one user has a weak password the whole business may be at risk. Password spraying can be particularly dangerous for organisations with Single Sign-On or cloud-based authentication portals, as one access to a corporate log in allows access to everything else.
These are small malware programs installed on users’ computers that copy all keystrokes to a file. As the user types their username and password combinations, the keylogger stores them for transmission to the hacker. Even the strongest passwords are not protected against keyloggers.
Despite constant reminders of the importance of password security, users are notoriously bad at creating strong passwords. In fact, studies have found that passwords like “123456”, “password” and “qwerty” are still in the top 10 most commonly used passwords. 80% of breaches involve password theft, either in using stolen credentials or the involvement of brute force attacks. MFA prevents this issue and allows users more flexibility in their choice of password. If users have to verify their identity in multiple ways, a hacker cannot gain access to their systems, even if they know the password. After all, it’s a lot easier to find out someone’s birthday than it is to scan their retina, read their fingerprint, or process the contours of their face.
During the COVID-19 Pandemic we’ve seen a dramatic increase in remote working, both in education and in business. In many cases, this shift appears to be long lasting or permanent. If we look at schools as an example, students using personal devices and less secure Internet connections to access their school’s computer systems introduces an increased level of risk exposure; a hacker only needs to install a keylogger on a user’s machine, given most personal devices do not have the protection a school or business might have. These attacks often go undetected until the hacker has compromised the internal systems
MFA will provide an additional layer of protection for the organisation, without the need to install anything or control anything on a user’s computer. Without the second factor, a hacker cannot access the school, even if they have compromised the username and password.
Other security countermeasures
Antivirus software and advanced firewalls work well in protecting business systems, but they can sometimes leave access tunnels open for employees to log back in should they get disconnected. An attacker may use stolen credentials to gain access through this tunnel by compromising the user’s stolen session credentials, bypassing these other security countermeasures. MFA can prevent attackers from using this vector by forcing a re-authentication each time they reconnect, making sure they always need to present the second factor to log in.
Productivity and flexibility
Many organisations enforce password policies, encouraging users to not only choose long complex passwords, but also change them frequently. This process of password management is cumbersome for users, having to commit to memory an increasing portfolio of complex login credentials.
Forgetting the portfolio of passwords is a common problem for users and organisations; nobody wants to be distracted from the task at hand and no organisation wants to fund the increasing support costs involved in re-setting passwords. MFA allows your users to continue to log in using weaker, less complex and easy to remember passwords. However, combined with those hard to clone attributes like fingerprints or single-use codes generated by an authenticator app, the cyber risk exposure is reduced . MFA minimises support costs and improves the user experience (UX).
There are many laws that require organisations to have strong authentication processes in place, particularly if they handle and store sensitive PII or financial data. This information may be your company’s accounting records or staff and student files. By implementing multi-factor authentication, you can build compliance to identity and access management standards, such as ISO 27001 and government technical security regulatory frameworks. The Australian Government’s ‘Essential Eight’ recommended strategies to mitigate cyber security incidents includes MFA.
Improve your authentication processes
MFA solutions are simple to install and don’t cost the earth. They offer a simple but highly effective mitigation strategy for protecting your users and your organisation from cyber attackers.
How Catalyst can help
Catalyst provides services to implement MFA and Single Sign-On (SSO). Leverage our expertise to help make your environment more streamlined, easier to access and cost effective to manage.