Multifactor authentication has its limits, but don’t blame the technology
Multifactor authentication is widely regarded as a must-have among cybersecurity professionals and authorities, but it’s not always a quick fix.
Threat actors can still evade and even exploit MFA via phishing or social engineering attacks, as evidenced by the persistent and widespread text-message phishing campaign dubbed Oktapus or Scatter Swine.
Technology companies, telecommunications providers and organizations or individuals linked to cryptocurrency have been targeted since the attacks began in March. The adversary compromised almost 10,000 user credentials across 136 organizations, according to Group-IB, sometimes targeting employees at specific companies once access was gained directly or via third-party vendors.
MFA was weaponized by cybercriminals with social engineering attacks that duped employees into sharing credentials.
“Ultimately, MFA is one small piece of a larger strategy. Relying on MFA alone will not protect your organization from all attacks,” Allie Mellen, senior analyst at Forrester, said via email.
The problem isn’t so much MFA, but rather how organizations implement it. The protective measures of MFA are weakened when organizations fail to buttress it with compensating protective controls and processes.
“Organizations who’ve invested in MFA haven’t always made corresponding investments in better identity proofing and affirmation to provide appropriate levels of trust,” Ant Allan, VP analyst at Gartner, said via email.
Too often organizations follow a “check-box compliance mindset,” assuming the mere application of MFA will meet enough of their needs without considering additional configuration best practices or the enrollment and recovery processes, Allan said.
Federal guidance sets levels of assurance
While sophisticated tactics can improve adversaries’ chances of breaching an intended target, even when MFA is enabled, federal authorities continue to push for broad MFA usage.
The Cybersecurity and Infrastructure Security Agency in June kicked off a “More Than a Password” social media campaign to urge MFA adoption, asserting the increased security afforded by MFA makes organizations and individuals 99% less likely to get hacked.
Likewise, the National Institute of Standards and Technology advises all organizations to use MFA whenever possible. The agency’s “Digital Identity Guidelines” establishes different categories of MFA controls to delineate between various levels of identity assurance:
- Level one includes authenticators bound to a subscriber’s account
- Level two introduces cryptographic techniques
- Level three requires physical keys with cryptographic protocols
Password vulnerabilities can contribute to the weakness of MFA because organizations, in most cases, implement what Allan describes as +1FA wherein they add an additional third-party factor to the password.
“Shifting to passwordless MFA can mitigate those vulnerabilities, but some kinds of phishing, broadly defined, might still be effective,” he said.
Additional layers of defense
Organizations can and should strengthen MFA by combining its use with policy enforcement, training, email security, location awareness, and identity threat detection and response, according to analysts.
“While MFA is a necessary first step, investment in advanced analytics will provide more flexibility and resilience,” Allan said. This approach can help organizations “maximize justified confidence in claimed identities without putting a burden on the user — adding friction only when risk demands it.”
Organizations should also consider transitioning away from authentication codes transmitted via text message.
“Ideally, organizations will move to authentication apps, which provide a better experience for end users and ensure a closed system for authentication that is not reliant on a third party like [text messaging],” Mellen said.
Despite cyberattacks that have engulfed many technology companies of late, Mellen and Allan said organizations shouldn’t hesitate to use MFA.
“Locks can be picked, and doors jimmied, but would you leave your house without locking the front door?” Allan said. “MFA is a best practice” that significantly reduces the risk of account takeover.
Gloss