BLUF: Enforcing multi-factor authentication is a no-brainer! Nearly every application supports it. Your employees are used to entering these codes by now. And it is the number one way to prevent an incident that involves stolen credentials.
At a minimum, companies are expected to use multiple factors of authentication to protect their corporate accounts. Need another reason? Blackpanda investigates data breaches caused by account compromise each and every week.
What does MFA help me achieve?
In short, MFA helps prevent attackers from accessing your network and resources using someone else's credentials.
Have you ever accidentally sent a text message to the wrong person? Well, imagine if someone hacked into your account and started sending messages pretending to be you. They could embarrass you by sending phishing links or inappropriate emails to your boss, your employees, or your top-paying clients! With MFA, even if they guess your password, they won't be able to log in without the second factor, like a one-time password or a fingerprint scan. So, save yourself the embarrassment and enable MFA today!
Summary of steps to implement this today:
- Require MFA for all accounts (examples for O365, Linux, Google)
- Increase logging on authentication attempts
- Require the use of an authenticator app instead of SMS as the second factor
- Provide training to employees on passwords
MFA is very easy to implement these days
The majority of enterprise SaaS applications support MFA. As mentioned in the article on password security, Passwordless Authentication may one day be the standard, but it does not replace the second factor you need to implement right now. Protect user accounts from password recycling, cracking, and brute force with an application-based one-time code.
Where do I need to implement MFA?
The most important place to require MFA is when a user logs in to an application. But did you know you can require it for individual actions too?
Depending on the functionality of the app, you can require the user to enter their second factor before making significant changes. Sensitive actions cause damage when carried out by the wrong person, so to verify the person making the change, require MFA for:
- Changing the permissions to a file or server
- Changing passwords or security questions
- Changing information like the email address associated with an account
- Disabling MFA
- Setting or deleting a mail forwarding rule
- Elevating a user session to an administrative session
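The application-based one-time code described earlier, combined with step-up verification for the sensitive actions in the list above, as an added example that is not part of the original post: a minimal RFC 6238 TOTP verifier plus a session policy that only authorizes a sensitive action if the second factor was confirmed within a freshness window. The secret, the 300-second window and the action names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret in base32, as an authenticator app would enrol it; not a real credential.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
STEP_SECONDS = 30
# Assumed policy: a sensitive action needs a second-factor check no older than this.
MFA_FRESHNESS_SECONDS = 300
# The sensitive actions from the list above, as action names this demo gates.
SENSITIVE_ACTIONS = {
    "change_permissions", "change_password", "change_email",
    "disable_mfa", "set_forwarding_rule", "elevate_to_admin",
}


def totp(secret_b32: str, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second step containing Unix time `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at // STEP_SECONDS)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation per RFC 4226
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(secret_b32: str, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps for clock drift; constant-time compare."""
    return any(
        hmac.compare_digest(totp(secret_b32, at + drift * STEP_SECONDS), code)
        for drift in range(-window, window + 1)
    )


class Session:
    """A logged-in session that tracks when the second factor was last verified."""

    def __init__(self, user: str, secret_b32: str):
        self.user = user
        self.secret_b32 = secret_b32
        self.last_mfa_at = None  # Unix time of the most recent successful second-factor check

    def step_up(self, code: str, now: int) -> bool:
        """Re-verify the second factor; on success, refresh the freshness timestamp."""
        if verify_totp(self.secret_b32, code, now):
            self.last_mfa_at = now
            return True
        return False

    def authorize(self, action: str, now: int) -> bool:
        """Ordinary actions pass; sensitive ones need a fresh second-factor check."""
        if action not in SENSITIVE_ACTIONS:
            return True
        return self.last_mfa_at is not None and now - self.last_mfa_at <= MFA_FRESHNESS_SECONDS
```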
SMS based authentication is vulnerable
Text messages (SMS) are not secure as a second factor of authentication. What is commonly called a SIM swapping attack happens when someone calls the phone company and has the SIM card on file replaced with their own. Every mobile line involves two identifiers: one for the handset hardware (IMEI) and one for the subscriber line (IMSI). Your IMSI is stored on your SIM card.
When you lose a phone or change phone companies, you call your provider to associate a new SIM card with your account. By pretending to be you, an attacker gets your phone number “ported” over to their own phone, so any text messages bound for you, including one-time codes, arrive in the attacker’s inbox instead.
The few bits of personal information a carrier uses to verify identity are easy to obtain from the open internet. For example, the street you grew up on may be in public records, your pet’s Instagram account shows their name, and posting your high school on Facebook makes it easy to guess your school mascot. Once they have collected enough information, the attacker can pass the phone company’s identity check and take over your SIM card.
Biometrics have been spoofed
Biometrics across consumer devices may not be as secure as you think. Hackers have been spoofing fingerprint readers on the iPhone using a warm gummy bear since DEF CON in 2015. Similarly, attackers have bypassed the popular Windows Hello fingerprint reader protocol. Using these as the second factor on corporate devices should be strongly vetted before adoption.
Isn’t everyone adopting Passwordless Authentication?
Some say yes. But you will still need MFA! There is a movement to replace the password that Bill Gates famously pitched 19 years ago. See Bill Gates’s predictions from 2004. In the past few years many leading technology firms have promised to move away from passwords altogether with a new, non-text-based mode of authentication.
Removing the password from authentication essentially requires you to prove your identity with some other factor: something you have or something you are. Your ability to approve a login from another device that is already signed in still depends, in most cases, on that device having submitted a password plus an MFA code.
Google calls their Passwordless Authentication mechanism a Pass Key. The Pass Key allows users of Google Chrome to present something they have instead of something they know. So instead of remembering your complicated password, or having your password manager remember it, you can approve an alert on your laptop, your phone, or another already authenticated device. When you sign in to the Chrome browser, this shows that you are in possession of a device that has already been authenticated.