Read just about any well-researched list of cybersecurity best practices, and you’re guaranteed to come across multi-factor authentication (MFA)—and for a good reason.
According to the 2020 Verizon Data Breach Investigations Report (DBIR), 67 percent of breaches are caused by credential theft, errors, and social attacks, and 37 percent of credential theft breaches use stolen or weak credentials.
Multi-factor authentication can effectively prevent credential theft breaches by requiring two or more pieces of evidence to be provided during the authentication process.
However, if implemented incorrectly, it can also create a false sense of security, which is why it’s paramount to avoid the common multi-factor authentication mistakes described below.
What’s Wrong with MFA?
There’s nothing wrong with going beyond basic username and password protection. In fact, MFA can effectively protect against most credential theft breaches without negatively affecting productivity. In 2020, Microsoft reported that 99.9% of the compromised accounts they track every month didn’t use MFA.
The problem is that MFA can be implemented in lots of different ways, depending on the authentication factors used, which can be:
- Something you know: Any unique piece of information that others can’t easily guess, such as answers to secret questions and PINs.
- Something you have: Examples include digital certificates and physical tokens that generate a secret code that basically acts as a one-time PIN.
- Something you are: All kinds of biometrics, from a fingerprint to the pattern of blood vessels in a person’s retina, can be used to uniquely identify a specific person.
Unfortunately, not all MFA implementations are equally secure, and some may even cause end-users and the entire organization more harm than good.
Such implementations are often the result of cutting corners and of not being familiar with the advanced techniques cybercriminals use during credential theft breaches. The good news is that avoiding them is as easy as keeping in mind the common multi-factor authentication mistakes listed below.
Mistake 1: Not Enabling MFA Whenever Possible
Having to provide one or more extra pieces of evidence during the authentication process costs employees valuable time, but that’s a very small price to pay for enhanced protection against data breaches and other cyber threats.
One of the biggest mistakes an organization can make is implementing multi-factor authentication in silos, which is akin to installing an extra lock on your front door while leaving your back door wide open. The moment an attacker finds a way into your network, you’re screwed, and it doesn’t matter if the entry point was a cloud application or an outdated piece of software running on your local server.
As such, we highly recommend you enable MFA across all cloud and on-premises applications for end and privileged users alike.
Mistake 2: Failing to Take Advantage of Adaptive MFA
Just because you enable MFA everywhere doesn’t mean that users have to provide two or more pieces of evidence during each and every authentication attempt.
Modern adaptive MFA solutions can achieve the perfect balance between security and customer experience by analyzing various location-, device-, network-, and password-based signals of risk to stay out of your way until risk is detected.
Thanks to adaptive MFA, a user who logs in at the same time of day from the same IP address, the same location, and the same device can go through a simpler authentication process than someone attempting to access a protected resource from an unknown remote location on a device that has never been authorized before.
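As an added illustration (not OSIbeyond’s code or any vendor’s algorithm), here is a toy risk engine in the spirit of the adaptive MFA described above: it compares the device, network, location and time-of-day signals of a login against the user’s baseline and only asks for a second factor when something is unfamiliar. The signal names, weights, thresholds and sample data are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

@dataclass
class LoginAttempt:
    """Signals collected at authentication time (constructed field names)."""
    device_id: str
    ip: str
    country: str
    when: datetime
    credential_in_breach_feed: bool = False  # assumes a breached-password lookup exists

@dataclass
class UserProfile:
    """What is normal for this user, learned from past successful logins."""
    known_devices: set
    known_networks: list   # CIDR strings
    usual_countries: set
    usual_hours_utc: range

# Weights and thresholds are illustrative assumptions, not vendor defaults.
STEP_UP_AT, DENY_AT = 30, 80

def risk_score(attempt: LoginAttempt, profile: UserProfile):
    """Add weighted risk for every signal that differs from the user's baseline."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += 30; reasons.append("unknown device")
    if not any(ip_address(attempt.ip) in ip_network(n) for n in profile.known_networks):
        score += 20; reasons.append("unfamiliar network")
    if attempt.country not in profile.usual_countries:
        score += 25; reasons.append("unusual location")
    if attempt.when.hour not in profile.usual_hours_utc:
        score += 10; reasons.append("unusual time of day")
    if attempt.credential_in_breach_feed:
        score += 40; reasons.append("password seen in breach data")
    return score, reasons

def decide(attempt: LoginAttempt, profile: UserProfile):
    """Map the score to allow / require_second_factor / deny."""
    score, reasons = risk_score(attempt, profile)
    if score >= DENY_AT:
        return "deny", score, reasons
    if score >= STEP_UP_AT:
        return "require_second_factor", score, reasons
    return "allow", score, reasons

# Constructed sample user: office network in a documentation range, US-based, active 13:00-21:00 UTC.
ALICE = UserProfile({"laptop-01"}, ["203.0.113.0/24"], {"US"}, range(13, 22))
NOON = datetime(2021, 3, 1, 15, 0, tzinfo=timezone.utc)
ROUTINE = LoginAttempt("laptop-01", "203.0.113.10", "US", NOON)            # everything familiar
NEW_DEVICE = LoginAttempt("phone-77", "203.0.113.10", "US", NOON)          # only the device is new
RISKY = LoginAttempt("phone-77", "198.51.100.5", "DE", NOON.replace(hour=3), True)
```

Running `decide(ROUTINE, ALICE)` returns `allow`, the new device alone triggers `require_second_factor`, and the night-time login from an unknown device and network with a breached password is denied outright.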
Mistake 3: Using Text Messages to Authenticate
Although any form of MFA provides superior protection compared with authentication systems that rely solely on usernames and passwords, experts agree that text messages should be used only as a last resort.
Why? Because cybercriminals are now successfully using mobile phishing and SIM swapping techniques to steal SMS authentication codes.
SIM swapping, in particular, boils down to hackers calling the victim’s phone carrier and using social engineering tactics to convince the company to redirect all text messages to a different SIM card. The latest Europol Internet Organised Crime Threat Assessment identified these techniques as the key cyber threat that’s currently on the rise.
This February, a gang of 8 criminals was finally arrested after stealing over $100 million in cryptocurrencies by hijacking phone numbers, and that’s just one recent example of the potential consequences of using text messages to authenticate login attempts.
If at all possible, use mobile authenticator apps like Google Authenticator, Microsoft Authenticator, or Authy instead.
Let Us Help You Avoid These Multi-Factor Authentication Mistakes
Multi-factor authentication can instantly enhance the cybersecurity posture of any organization, but it must be implemented well.
It’s also important to realize that MFA is just one of many cybersecurity best practices—not a silver bullet. Organizations that put too much faith in MFA often neglect other essential cybersecurity defenses, such as intrusion detection, endpoint protection, network access control, and data loss protection, just to give a few examples.
At OSIbeyond, we have a wealth of experience with all forms of MFA and other cybersecurity best practices and know how to avoid all common mistakes during their implementation. Contact us to learn more about multi-factor authentication and its benefits for your organization.