It wasn’t too long ago that multi-factor authentication (MFA) was considered the Holy Grail of cybersecurity. More than a few vendors and analysts predicted that MFA would eventually prevent 99 percent of cyber attacks. But here they are. MFA is a standard security tool used by most businesses (and consumers), yet breaches are still happening.
So, what happened? Where did MFA go wrong? And how can managed service providers (MSPs) get the most out of MFA solutions for their clients?
Critical business information
The MFA concept was developed decades ago, but really burst onto the scene 10 years ago when enterprise data started to move out of the data center to third-party Software as a Service (SaaS) platforms. With users’ judgement and their ability to keep their credentials to themselves the only thing between malicious actors and their critical business information, it became clear that usernames and passwords were simply not robust enough anymore.
MFA provided a way to ensure users were who they said they were by requiring two points of authentication
MFA provided a way to ensure users were who they said they were by requiring two points of authentication: the user and a device. The thinking is that it is unlikely that a malicious actor would be able to compromise two separate vector points. They may have a password, but not access to a known device—essentially making it statistically difficult for a bad actor to gain access to an endpoint, network or cloud-based SaaS platform.
Most security solutions
However, like most security solutions, MFA only works if it is used 100 percent of the time and is being used appropriately. Unfortunately, MFA can be disruptive to workflows (having to authenticate every time you log in can be tedious), and users found multiple work-arounds to maintain productivity.
A popular workaround that continues to be used today is sharing authentication. One egregious example is when an engineering team leverages an iPad on a stool in the middle of the office that everyone uses to authenticate. If users think about it, this is ludicrous. There’s no such thing as a shared identity, and it undermines everything that MFA was intended to resolve.
Second authentication method
This would completely mitigate the reason users have a security camera in the first place
Imagine if a home security system relied exclusively on a keypad at the front door to let people in. Yes, users can prevent people without the code from entering home, but users really have no idea who is walking around the living room.
Adding a second authentication method, such as a camera, allows users to make sure the person entering has the right credentials (the code) and is who they say they are. Users would never turn off the camera for ease of access purposes. This would completely mitigate the reason users have a security camera in the first place.
Standard industry insiders
Yet, MFA is rife with under- and misuse—effectively abolishing the protection it is supposed to provide. Couple this with new, sophisticated hacking techniques that malicious actors have developed through the years, and it’s clear that MFA is not living up to the standard industry insiders thought possible 10 years ago.
MSPs have an opportunity and an obligation to help their customers fix their MFA troubles. After all, it’s in users best interest to make sure the clients are as secure as possible. Not only does it help elevate the level of service they are providing, breaches are time consuming and expensive to remediate, lowering the margins considerably. Thankfully, there are a few things that MSPs can do to boost the effectiveness of MFA solutions for their clients.
Implement MFA code timeouts
Hackers would have to act immediately—within seconds in some cases—to gain access
A common hacking technique is to bombard users with MFA login requests to point where MFA fatigue sets in and, in a lapse of judgement, the user enters an MFA code into a false web form. Code in hand, the malicious actor can log in and authenticate without a device or app.
MSPs can prevent MFA fatigue by implementing code timeouts that cause MFA credentials to expire after 30 seconds, one minute or two minutes depending on policies set by an administrator. This doesn’t completely eliminate MFA fatigue as a technique, but it shortens the strike opportunity dramatically. Hackers would have to act immediately—within seconds in some cases—to gain access, which is very difficult and highly unlikely.
Encourage the use of authenticator apps
Another common hacking technique is a man-in-the-middle (MitM) attack where malicious actors redirect MFA codes to their own device rather than the user’s device.
This only works when codes are sent via SMS or text message because the device in the user’s possession is not generating the code. However, a third-party authenticator app generates the MFA code directly on the user’s device, making it impossible to redirect the code to another device. Google and Okta are examples of these third-party authenticator apps that users can mandate to their clients.
Achieve complete visibility and control over MFA activity
MSPs can do this by closely monitoring SaaS platforms and other web applications
Ensuring compliance requires complete visibility and control over MFA activity as well as the ability to trigger actions that stop the attack or mitigate the damage.
MSPs can do this by closely monitoring SaaS platforms and other web applications for suspicious login behavior while maintaining the ability to lock out suspicious users, block data exfiltration or trigger another authentication process. MSPs need to do this perpetually (24 hours a day, 365 days a year), in real time and at scale.
Another authentication process
MFA hasn’t lived up to its lofty expectations, but it is still a powerful security tool for keeping data, applications and users safe from unauthorised logins.
MSPs have a responsibility to improve the effectiveness of their clients’ MFA solutions while also providing a value-added service. It all comes down to visibility and control over MFA activity. Adding monitoring capabilities from SaaS Alerts can proactively identify and automatically lock out suspicious login behaviour and force reauthorisation.
From facial recognition to LiDAR, explore the innovations redefining gaming surveillance
