Multi-factor authentication (MFA): A foundational cyber defense for organizations

This blog is part of the Cybersecurity Tech Accord’s ongoing efforts to advance responsible cyber hygiene in accordance with our commitment to the principles of the Paris Call for Trust and Security in Cyberspace. 

Experts consider multi-factor authentication (MFA) to be foundational in establishing a strong cybersecurity posture in today’s threat environment. Unfortunately, the vast majority of successful cyberattacks still result from basic email compromise. In fact, the security team at Google asserted that MFA can prevent over 95% of bulk phishing attempts and over 75% of targeted attacks. Similarly, researchers at Microsoft found that this method can prevent 99.9% of all automated cyberattacks. While there are many important practices for improving cybersecurity, utilizing MFA is perhaps the single most effective step organizations and individuals can take to protect themselves from today’s threats. 

Therefore, as a final entry in our current series on cyber hygiene, the Cybersecurity Tech Accord is highlighting the importance of MFA and how organizations can apply this method to protect users online. 

What is MFA?

MFA is not a complicated concept. In fact, it’s right in the name. It is an authentication method that requires a user to present more than one (multiple) verification type – such as a password along with an additional element – in order to gain access to a system. A common example of MFA is using a bank card, where in most cases you need both a card and a PIN to clear an ATM transaction.

These “elements” of verification typically fall into three categories:

  • Knowledge-based: Things only the user knows, such as a password or a PIN;  
  • Biometric: Things that are a part of a user, like fingerprints, retinas, or voice recognition; and  
  • Possessions: Things that only the user has, such as a badge or a phone.

When gaining access requires more than one of these elements, users are protected even when one is compromised. Digital services are increasingly incorporating additional protections to prevent cyberattacks, often providing users a window of opportunity to authenticate or confirm things like the location of an attempted login from an unrecognized IP address, which may get flagged as suspicious activity.  

How does MFA prevent attacks? 

MFA makes cyberattacks much harder to deploy, as many of the most common attack methods rely on bad actors obtaining a user’s credentials. For example, phishing attacks may attempt to trick users into entering their login information on a fake website. And, with the installation of keystroke logging software on a user’s computer, attackers can easily capture usernames and passwords. In other common examples, like password spraying and other brute force attacks, attackers simply test the most common passwords across a number of accounts until they gain entry. However, with MFA in place, even when bad actors have acquired or guessed a user’s login credentials, the requirement for a second verification, like biometrics, to authenticate a login creates a substantial barrier to entry and stops cyber criminals in their tracks.
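The password-spraying case described above, seen from the defender's side, as an added example that is not part of the original post: a short Python pass over constructed sign-in events that flags a spraying source and separates the guessed passwords that the second factor stopped from those that led to a completed sign-in. The log format, the field values and the min_users threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample sign-in events (not real logs). Assumed format:
#   timestamp  source-IP  user  password-result  second-factor-result
# second factor: "-" not reached, "ok" passed, "denied" failed,
#                "none" account has no MFA enrolled (password alone was enough)
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 203.0.113.7 alice fail -
2024-05-01T09:00:03Z 203.0.113.7 bob fail -
2024-05-01T09:00:05Z 203.0.113.7 carol ok denied
2024-05-01T09:00:07Z 203.0.113.7 dave fail -
2024-05-01T09:00:09Z 203.0.113.7 erin ok none
2024-05-01T09:00:11Z 203.0.113.7 frank fail -
2024-05-01T09:02:00Z 198.51.100.20 alice fail -
2024-05-01T09:02:10Z 198.51.100.20 alice ok ok
"""

def parse(log):
    """Turn log text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 5:
            events.append(dict(zip(("ts", "ip", "user", "pw", "mfa"), parts)))
    return events

def find_spraying(events, min_users=5):
    """Flag source IPs that tried many distinct accounts and mostly failed.

    A production rule would also bound this by a time window.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        users = {e["user"] for e in evs}
        failed = {e["user"] for e in evs if e["pw"] == "fail"}
        if len(users) < min_users or len(failed) < len(users) / 2:
            continue  # one user mistyping a password is not a spray
        guessed = [e for e in evs if e["pw"] == "ok"]
        findings[ip] = {
            "accounts_targeted": len(users),
            "stopped_by_mfa": sorted({e["user"] for e in guessed if e["mfa"] == "denied"}),
            "compromised": sorted({e["user"] for e in guessed if e["mfa"] in ("ok", "none")}),
        }
    return findings

if __name__ == "__main__":
    for ip, result in find_spraying(parse(SAMPLE_LOG)).items():
        print(ip, result)
```

In the sample, the spraying source guessed two passwords: the account with a second factor stayed closed, while the account without MFA enrolled is the one to treat as compromised.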

Why use MFA?  

It’s no surprise that data breaches are costly. Companies that don’t keep their data secure risk recovery costs, brand damage, lawyer fees and potential lawsuits. For large corporations, a data breach can cost upwards of $2 billion in damages. Given some of the most notable security breaches that companies have faced in the past year, investing in technology and procedures like MFA to protect customer data is well worth the cost.

Is MFA a cybersecurity silver bullet? 

No. MFA is not a silver bullet when it comes to cybersecurity! There is no single solution to combatting online threats. Strong cybersecurity practices result from diligently keeping up with the current threat landscape and employing a series of sound habits. Unfortunately, persistent threat actors can still find weak points.

For example, there has been a substantial increase in mobile phone-based authentication in recent years, where users are sent a one-time SMS code after inputting login credentials. Although this is a popular method of MFA, mobile phones can be cloned, stolen or replaced to circumvent this. Last year, The New York Times exposed a tactic called “SIM swapping,” where an attacker bribes a mobile carrier employee to switch the number associated with a SIM card to another mobile device – for as little as $100. This type of account takeover targets a weakness in two-factor authentication to potentially give hackers and scammers the keys to users’ online accounts if they can intercept the one-time SMS code verification.

How do I protect users online? 

While MFA is not perfect, the majority of attackers who encounter MFA protections will move on to their next target rather than invest the time needed to try and bypass it. In order to further discourage would-be hackers, here are some useful best practices to help organizations and users stay vigilant online: 

  1. Implement MFA across an entire organization. Rolling out MFA at scale may not always be straightforward; however, the goal should be to enable it for all users on all your systems, all the time. This includes all company devices, data, applications and the network.

  2. Make MFA easier on employees. Activating MFA will always be an extra step for users. Therefore, providing alternative MFA options that best suit their needs will help eliminate some of that friction and create a more positive experience. It’s worth investing in solutions that allow the option for different methods of authentication such as tokens, text messages, phone calls, and/or biometrics.

  3. Set up cloud Identity and Access Management (IAM). IAM systems are an effective way for cloud-based enterprises to manage the roles and access privileges of individual network users through a single, centralized resource. This enables admins to proactively monitor online activity and identify suspicious behavior.

  4. Layer your security controls. As explained above, MFA can still be defeated by a determined attacker with the right resources. While MFA is an important foundational step toward securing systems, it should be considered one of several measures an organization implements rather than the only security measure. Layering additional security controls may include methods such as disabling legacy email protocols and enabling conditional access policies.

To learn more about other good cyber hygiene practices, visit the Cybersecurity Tech Accord introduction to Domain-based Message Authentication, Reporting & Conformance (DMARC), Domain Name Security (DNS), and Mutually Agreed Norms for Routing Security (MANRS).