Multi-factor authentication (MFA) solutions are not new to data security. Already in use for decades, MFA became more commonplace post-pandemic thanks to remote work. While companies like Google and Microsoft have claimed that MFA blocks all but .01% of account abuse attacks, the sad truth is that MFA is far from perfect, and attacks against it are on the rise.
Verizon research attributes 82% of all cyberattacks to human error (stolen credentials, phishing, misuse). Attackers need some level of human involvement to circumvent MFA controls: phishing and social engineering tactics distract users while other techniques are employed to defeat MFA defenses.
MFA only makes sense if it is resilient against bypass and hacking; otherwise, why would anyone enable MFA only to get mildly better protection? Here are three best practices that can help.
1. Deploy phishing-resistant MFA if possible.
The U.S. government has mandated that all federal agencies use “phishing-resistant” MFA. This means organizations must steer clear of any MFA technology that can easily be phished (such as one-time passcodes, SMS text messages, dynamic codes and push notifications). The strongest forms of MFA are based on the FIDO2 framework, which lets users unlock access to resources using fingerprint readers, cameras and other device-level/hardware security checks on their devices. Since the credentials never leave a user’s device and are not stored anywhere else, this eliminates the risk of phishing and credential theft.
2. Make existing phishable MFA solutions less phishable.
There are a number of things organizations can do to make their current MFA less phishable. One is adding more information and context to login prompts: most MFA solutions oversimplify the decision to a bare allow/reject button instead of displaying context, such as device name, global ID and device location, that lets users confirm what they are actually approving. MFA solutions must also be bound to specific URLs, devices and hosts, so that if a man-in-the-middle (MitM) attack is involved, the solution will not grant access to the resource.
Additionally, ensure MFA is built using NIST-approved (or FIPS-validated) cryptography. These are time-tested, publicly reviewed protocols; there is no need for anyone to invent their own cryptography. Further, stop allowing an easy reset of credentials when MFA is not working; the recovery and bypass process must instead be rigorous. Finally, ensure that anything like a session cookie, security token or seed value expires in less than 24 hours.
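The origin binding described in the two sections above (FIDO2 credentials scoped to a site, and MFA tied to specific URLs and hosts so a MitM relay gets nothing usable) can be seen in a small simulation. The following is an added example, not code from the article or from any FIDO2 implementation. It assumes three constructed parties: an authenticator that stores one credential per relying-party ID, a browser that records the real page origin and refuses RP IDs the page is not entitled to, and a relying party that checks challenge, origin and signature. An HMAC key stands in for the per-credential private key so the code runs on the Python standard library alone; the domains, user name and the suffix rule for RP IDs are simplifications for illustration.

```python
"""Origin-bound MFA assertion check (added example, not from the article)."""
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse


class Authenticator:
    """Device side: each credential is scoped to exactly one RP ID."""

    def __init__(self):
        self._keys = {}  # rp_id -> secret (stands in for a private key)

    def register(self, rp_id):
        self._keys[rp_id] = os.urandom(32)
        return self._keys[rp_id]  # handed to the RP as the verification key

    def assert_for(self, rp_id, client_data_hash):
        key = self._keys.get(rp_id)
        if key is None:
            raise LookupError(f"no credential for rp_id {rp_id!r}")
        # Like WebAuthn, sign over the RP ID hash and the client data hash.
        signed = hashlib.sha256(rp_id.encode()).digest() + client_data_hash
        return hmac.new(key, signed, hashlib.sha256).digest()


class Browser:
    """Client side: records the true origin and polices the requested RP ID."""

    def __init__(self, authenticator, enforce_rp_id=True):
        self.auth = authenticator
        self.enforce_rp_id = enforce_rp_id  # False simulates a broken client

    def get_assertion(self, origin, rp_id, challenge):
        host = urlparse(origin).hostname
        # A page may only use an RP ID that its own host falls under
        # (simplified suffix rule; real browsers use registrable domains).
        if self.enforce_rp_id and not (host == rp_id or host.endswith("." + rp_id)):
            raise PermissionError(f"{origin} may not use rp_id {rp_id!r}")
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True,
        ).encode()
        cd_hash = hashlib.sha256(client_data).digest()
        return client_data, self.auth.assert_for(rp_id, cd_hash)


class RelyingParty:
    """Server side: issues challenges and verifies origin-bound assertions."""

    def __init__(self, rp_id, expected_origin):
        self.rp_id = rp_id
        self.expected_origin = expected_origin
        self.credentials = {}  # user -> verification key
        self.pending = {}      # user -> outstanding challenge

    def register(self, user, authenticator):
        self.credentials[user] = authenticator.register(self.rp_id)

    def begin_login(self, user):
        self.pending[user] = os.urandom(16).hex()
        return self.pending[user]

    def finish_login(self, user, client_data, assertion):
        data = json.loads(client_data)
        # 1. The challenge must be the one we issued (defeats replay).
        if data.get("challenge") != self.pending.pop(user, None):
            return False
        # 2. The origin the browser recorded must be our real origin.
        if data.get("origin") != self.expected_origin:
            return False
        # 3. The assertion must verify under the credential bound to our RP ID.
        cd_hash = hashlib.sha256(client_data).digest()
        signed = hashlib.sha256(self.rp_id.encode()).digest() + cd_hash
        expected = hmac.new(self.credentials[user], signed, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


def run_login(page_origin, broken_client=False):
    """Constructed scenario: alice registers at the real site, then signs in
    from page_origin. A look-alike site would relay the real challenge."""
    rp = RelyingParty("example.com", "https://login.example.com")
    auth = Authenticator()
    rp.register("alice", auth)
    challenge = rp.begin_login("alice")
    browser = Browser(auth, enforce_rp_id=not broken_client)
    try:
        client_data, assertion = browser.get_assertion(page_origin, rp.rp_id, challenge)
    except PermissionError:
        return "rejected by browser"
    ok = rp.finish_login("alice", client_data, assertion)
    return "accepted" if ok else "rejected by server"


if __name__ == "__main__":
    print(run_login("https://login.example.com"))
    print(run_login("https://login.example-com.test"))
    print(run_login("https://login.example-com.test", broken_client=True))
```

The three calls at the bottom show the layering: the genuine origin is accepted; a look-alike host is stopped at the browser because it cannot ask for the real site's RP ID; and even a client that skipped that check still fails, because the origin baked into the signed client data does not match what the server expects. A relayed one-time code carries none of this context, which is why the text calls such factors phishable.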
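The expiry rule above (session cookies, tokens and seed values living less than 24 hours) combined with NIST-approved cryptography can be enforced at issuance rather than left to policy. The following is an added example, not code from the article: it issues a session token whose expiry is embedded and authenticated with HMAC-SHA256, refuses to mint one that would outlive the 24-hour ceiling, and verifies the signature before trusting the expiry. The key, user name and clock values are constructed for the example; the token layout is this example's own, not a standard format.

```python
"""Short-lived signed session token (added example, not from the article)."""
import base64
import hashlib
import hmac
import json
import os
import time

MAX_TTL = 24 * 3600          # ceiling from the text: under 24 hours
KEY = os.urandom(32)         # per-deployment secret; constructed here


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _unb64(enc):
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def issue(user, ttl, key=KEY, now=None):
    """Mint a token for `user` valid for `ttl` seconds (must be < 24h)."""
    if not 0 < ttl < MAX_TTL:
        raise ValueError("session lifetime must be positive and under 24 hours")
    now = int(time.time() if now is None else now)
    claims = {"sub": user, "iat": now, "exp": now + ttl}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, payload, hashlib.sha256).digest())
    return (payload + b"." + sig).decode()


def verify(token, key=KEY, now=None):
    """Return the user if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.encode().split(b".")
    except ValueError:
        return None  # malformed
    # Check the signature before reading any claim out of the payload.
    expected = _b64(hmac.new(key, payload, hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None  # tampered or wrong key
    claims = json.loads(_unb64(payload))
    if now >= claims["exp"]:
        return None  # expired: treated the same as a forged token
    return claims["sub"]


if __name__ == "__main__":
    t = issue("alice", 3600, now=1_000_000)
    print(verify(t, now=1_000_060))   # alice
    print(verify(t, now=1_003_600))   # None (expired)
```

Because the lifetime check sits inside `issue`, a misconfigured caller cannot create a long-lived session; the verifier also refuses to read the expiry from an unsigned payload, so an attacker who captured a token cannot simply extend it.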
3. Improve security awareness around MFA.
The foundation of any security strategy is mitigating the root causes of threats. For example, ransomware is not the problem; more worrisome is how the ransomware got in. Similarly, in the case of MFA attacks, phishing is the key root cause that needs to be addressed. No matter how strong your MFA solution is, all stakeholders must understand the strengths and weaknesses of MFA and how hackers exploit users to bypass MFA defenses. Employees must be trained to spot and report unusual activity; they must be especially careful with push notifications and login prompts for attempts they did not initiate. Additionally, they should use unique, 20-character passwords to avoid credential theft.
Always opt for a defense-in-depth approach. Eliminate the risks associated with standard MFA by deploying one based on FIDO2. Ensure employees are trained to recognize a cyber threat masquerading as an MFA request.
Stu Sjouwerman
Stu Sjouwerman is the founder and CEO of KnowBe4 Inc., a security awareness training and simulated phishing platform.
Forbes, August 11, 2022