Increased adoption of MFA is a good thing for cybersecurity, especially as remote work grows in popularity – and preference – but humans remain the weakest link.
As a criminal deterrent, multi-factor authentication (MFA) has been around for over a decade and its effectiveness has been well documented. And yet many organizations have been slow to embrace it. As more security teams accept the role stolen user credentials play in most breaches (61% of breaches last year involved credentials) and WFH policies drive demand for greater access controls, 2021 is poised to be the year MFA adoption surges upward.
While successful MFA deployment looks different for every organization, there are two variables that remain constant throughout:
-
Every method of authentication can be manipulated by attackers.
-
The wealth of user credentials available on the dark web makes bypassing MFA controls much easier for attackers.
Every method of authentication can be manipulated by attackers.
The wealth of user credentials available on the dark web makes bypassing MFA controls much easier for attackers.
According to the LastPass 2020 State of the Password Security Report, only 57% of businesses globally were using MFA. This is primarily because of the costs associated with implementing and maintaining it, coupled with user resistance. Requiring people to provide a username and password along with a PIN, biometric fingerprint or face scan before logging onto services is widely perceived as a nuisance. But let’s be honest, the pleasures of WFH far outweigh any inconvenience caused by MFA.
Prior to the pandemic, roughly half of companies around the world had remote working capabilities. Post-pandemic, however, PwC predicts remote working will soon be the norm for close to 80% of all companies globally. Our own study found that 90% of companies plan to continue WFH capabilities. Remote working means increased reliance on the cloud to access business applications and data from anywhere, which means more passwords for employees to manage, often very poorly. Hence, the greater need for MFA.
It’s estimated that roughly 70% of companies are still password-centric. At the same time, an analysis of breach data recaptured in 2020 revealed that, of the users who had more than one password stolen last year, 60% were reusing passwords across multiple accounts. Reusing passwords is one of the 3 bad habits that make employees vulnerable to password spraying, a technique during which an attacker picks a common and easy-to-guess password and runs through a long list of usernames until they get a hit. Passwords are like keys – once inside, lots of other doors can be opened with minimal effort, including those guarded by MFA. Because even today’s most unsophisticated attackers are armed with a multitude of MFA bypass techniques.
Security professionals have seen attackers figure out numerous ways to get around things like one-time passwords (OTPs) and even SMS-based OTPs. These were supposed to be more secure because, while criminals might have your passwords, they probably don’t have your actual mobile device. The rise of SIM swapping attacks has disproved that theory. Attackers can simply call your mobile operator and trick them into adding a new SIM card to the victim’s account and activating it without the owner’s involvement.
If anything, this proves that MFA alone is not stopping attackers. It needs backup, which brings us back to the one thing within an organization’s power: knowing which of your user’s credentials have been compromised elsewhere. Your MFA implementation needs to be supported by continuous monitoring for exposed credentials. The ability to be alerted when accounts are compromised early in the breach lifecycle (before criminals can exploit them for all manner of MFA bypass techniques) ensures you get the most out of your MFA investment.
Download MFA Bypass 101 for insights into how bad actors combine attack methods and stolen credentials to sidestep multi-factor authentication.
