Is Multi-Factor Authentication being defeated?
FBI issues a new cyber attack warning, writes Zak Doffman for Forbes Media, October 7, 2019. Until now, Multi-Factor Authentication has been considered the top defense against similar cyberattacks. Even Microsoft states that it blocks 99% of enterprise account hacks. To learn more about this, we asked Truesec's identity guru Hasain Alshakarti to clarify a few things.
Hasain, you are always up to date with the latest security issues. Is Multi-Factor Authentication (MFA) really outdated?
No, attackers will try to find an easier path to the target when the authentication method is hardened with MFA. They will effectively bypass the hardened attack surface by targeting the user using other methods.
What’s your opinion about MFA? Pros and cons?
MFA effectively prevents a large number of password-related attacks, making it virtually impossible to abuse user credentials without user interaction. Phishing, spear phishing, keyloggers, credential stuffing, brute force, and other attacks get more difficult to impossible to perform as MFA adds additional layers of security.
The main difficulties with MFA are the need for yet another device, application or other sensors as well as the added cost of these components. Furthermore, organisations with multiple types of users will most often be forced to use a combination of methods to provide MFA to different types of users.
When evaluating the user experience, we often find users describing MFA as bothersome and unfriendly due to the added number of factors required to perform an authentication.
What’s your key takeaway from the FBI’s warning?
MFA is just one layer of security and we need to work with different layers to provide prevention against highly sophisticated and persistent cyber-attacks. Another important action is to secure all possible access methods with MFA or equivalent protections.
How do you work with clients to implement MFAs or similar identity solutions?
Different needs require different solutions and we know that using risk detection to trigger additional MFA factors is a very effective method to make MFA less bothersome. The dynamic model helps to educate the users to understand risky behaviors as well as making MFA more friendly with a high level of security and ability to detect attacks. It’s important to understand the requirements together with our clients and evaluate the different options to find the best working combinations of security and user friendliness.
Thank you so much for your answers and sharing your knowledge, Hasain!
If you’d like to learn how to protect users from themselves, hackers, phishing and other nasty things – Hasain will show you how to do it with Microsoft 365 at Truesec Infrastructure Summit 2019!
Or get in contact with Truesec for more information on suitable solutions.
Interview by: Jenny Gustafsson, Head of Communications at Truesec.