In this multi-part series, we’ll look at what organizations can do to improve corporate security as part of October’s Cybersecurity Awareness Month. In this blog, our focus is on multi-factor authentication (MFA).
Believe it or not, computers in the old days didn’t even require a password to get in. The threat wasn’t obvious, since computers weren’t everywhere: when you powered a computer on and it finished booting, you’d just use it as needed. Once computers became common in the workplace and different people had physical access to the same machine, the username and password pairing was born. Still, some people, just as they do today, would simply write the password on a Post-it Note and call it a day. Many used ‘password’ or ‘12345’ as their password. The password has evolved, and today most systems require a minimum of 8 characters including a number, a capital letter, and a special character, which makes passwords harder to guess, as long as you haven’t written them down.
Are passwords perfect now?
Nope. According to various studies, 81% of breaches are caused by poorly chosen passwords. According to a CNET report in 2020, hackers have published as many as 555 million stolen passwords on the dark web since 2017. When you consider that many people use the same password, or a variation of a single password, across many accounts, you can see how poor passwords and password-related practices continue to lead to breaches.
So, what can be done?
Enabling MFA is a start. Multi-factor authentication, sometimes referred to as two-factor authentication (2FA), comes in different flavors, and not all of them are created equal. MFA can mean two passwords checked against two different Microsoft Active Directory (AD) servers, but this is rarely used. The most common form is credentials (username/password) plus a token. RSA and Google Authenticator are a couple of the more popular token app options. These tokens are multi-digit, one-time, and short-lived, which makes them hard to guess; even if one is shared, there is only a short window in which it is valid. The other method is a push notification to a different device. The MFA software is usually installed on a mobile phone, and when the user tries to log in from a laptop, they are prompted to acknowledge the access request and accept it within a short time. The username/password is something the user knows, and the one-time, time-based token is something they have. This makes the credentials harder, but not impossible, to steal.
As a best practice, do not use SMS (Short Message Service), also known as text messages, to deliver the numeric tokens. Attackers have increasingly been using SIM hijacking to take over a mobile phone number and redirect its messages to a SIM of their choosing.
In conclusion, MFA alone is not enough, as we’ve seen with the latest MFA phishing attacks. Pairing MFA with device trust (i.e., device-identity and device-posture compliance) before granting access would drastically deter these attacks.
Read our blog on the topic to learn a bit more about why MFA isn’t enough.
Stay tuned for Part 3 in our series.