November 19, 2024


Why Multifactor Authentication (MFA) Alone Isn't Enough to Stay Secure

Once upon a time, a username and a password were all you needed to get into most online accounts. It was convenient for users — but also convenient for hackers, who only had to acquire two static strings of characters to get unlimited access to a system until their victim (or their victim’s IT department) realized something was up.

That’s why multifactor authentication (MFA) took off as quickly as it did. For the relatively small price of one extra step in the login process, bad actors had a much harder time gaining access to secured systems. As more and more organizations have moved to the cloud, the sophistication of cyber attacks has grown and threat actors have found means to circumvent MFA defenses or even to subvert the way they’re implemented.

Your organization needs to understand why MFA isn’t enough and what other means it should take to protect itself.

What is multifactor authentication?

Multifactor authentication is a form of securing accounts that requires users to prove their identity across multiple steps. Organizations often use MFA in combination with single sign-on (SSO) systems to ensure a consistent level of security while reducing the need for wide arrays of credentials and sign-in screens.

But how does multifactor authentication work? An MFA sign-in typically begins with the traditional username and password combo. Once these have been provided, an MFA system requires the user to prove they have access to something only they would possess. In the early days of MFA, this often meant inputting the code displayed on a physical token, such as a key fob. As smartphones became more ubiquitous, MFA systems also began supporting dedicated authenticator apps, as well as codes sent via email and SMS.

Since MFA codes typically only last for a few minutes and the seed used to generate them is only known to the secured system and its paired authentication device, it’s hard for anyone but the authorized user to gain access. So, is multifactor authentication effective? Yes — but only to a certain extent.

Why multifactor authentication shouldn’t be your only defense

One obvious point of failure for an MFA system is that the seeds used to generate its codes can be compromised. That has happened before, yet it doesn’t take a high-profile hack to put MFA-secured accounts at risk. Other means of ingress are much more accessible to a typical threat actor.

Social engineering

Without proper training and automated monitoring, the members of your organization are likely to be the weakest point of MFA security. Cyber attackers may target them for social engineering attacks, where they impersonate members of your organization to ask for the credentials and codes they need to log in.

These types of attacks come with a range of sophistication: one could be as simple as a text message from an unknown number, while another could be as intricate as an official-looking email that links to a spoofed login page.

MFA fatigue attacks

Where traditional social engineering attacks use cover identities and social pressure to target legitimate users, MFA fatigue attacks simply overwhelm them. Since many MFA systems send push notifications, emails, or text messages to let users verify their identity with a single click, attackers may be able to make the system send those messages over and over again.

While a user would likely ignore one errant authentication message, they’re much more likely to think a continuous stream of alerts is the result of a glitch — and the easiest way to stop all those annoying notifications is to just click “OK.” One moment of user fatigue may be all a cyber attacker needs to get into a network protected solely by MFA.
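The fatigue pattern described above is detectable on the identity provider's side: a burst of push prompts for one account, mostly denied or unanswered, that suddenly ends in an approval. The detector below is an added example (not from the original article or from any vendor product); the log format and the sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push-prompt events (not real logs).
# bob: five prompts in ~90 seconds, the last one approved  -> classic fatigue attack.
# dave: three denials in a row, never approved              -> attempted, user held out.
# alice/carol: normal, isolated prompts                     -> no alert.
SAMPLE_LOG = """\
2024-11-19T08:00:01Z user=alice event=push result=approved
2024-11-19T22:14:03Z user=bob event=push result=denied
2024-11-19T22:14:21Z user=bob event=push result=denied
2024-11-19T22:14:40Z user=bob event=push result=timeout
2024-11-19T22:15:02Z user=bob event=push result=denied
2024-11-19T22:15:30Z user=bob event=push result=approved
2024-11-19T09:30:00Z user=carol event=push result=timeout
2024-11-19T13:30:00Z user=carol event=push result=approved
2024-11-19T03:10:00Z user=dave event=push result=denied
2024-11-19T03:10:45Z user=dave event=push result=denied
2024-11-19T03:11:20Z user=dave event=push result=denied
"""

def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_push_fatigue(log_text, threshold=3, window=timedelta(minutes=5)):
    """Group each user's prompts into bursts (consecutive prompts no more than
    `window` apart) and alert on any burst of at least `threshold` prompts.
    A burst that ends in an approval after denials/timeouts is rated high."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_user[rec["user"]].append(rec)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda r: r["ts"])
        bursts = []
        for rec in events:
            if bursts and rec["ts"] - bursts[-1][-1]["ts"] <= window:
                bursts[-1].append(rec)
            else:
                bursts.append([rec])
        for burst in bursts:
            if len(burst) < threshold:
                continue
            not_approved = sum(r["result"] != "approved" for r in burst)
            capitulated = burst[-1]["result"] == "approved" and not_approved > 0
            alerts.append({"user": user, "start": burst[0]["ts"].isoformat(),
                           "prompts": len(burst), "denied_or_timeout": not_approved,
                           "severity": "high" if capitulated else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

A high-severity hit is a signal to revoke the session that was just approved and to move the account to number matching or a phishing-resistant factor, which remove the single-click approval the attack depends on.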

Targeting backup authentication methods

Let’s say an MFA system’s primary method of authentication is the biometric info on a user’s smartphone. That’s pretty secure! But phones get lost or lose their charge; backup methods must also be available to allow users to do their work without interruption. Those backup methods, such as codes sent to relatively unsecured external email addresses, may be easier to crack.

Savvy threat actors know they don’t need to overcome the strongest point in your security perimeter to gain access; they just need to find the weak spot. That’s why multifactor authentication must be supplemented with other security methods.

What to use in addition to MFA

Fortunately, you have many options to strengthen your security posture that can work in conjunction with MFA to cover its weaknesses while expanding on its strengths. Here are just a few:

Zero trust architecture

The rise of cloud-based work and data storage brings added complexities in determining who can access what and when. Zero trust architecture is an effective baseline for this model of work because it assumes any given login may be compromised.

By looking for known factors, such as established IP addresses and familiar login locations (often called adaptive authentication), and requiring users to log back in after each session, zero trust architecture significantly reduces the potential exposure from one compromised login attempt.

EDR

Even with zero trust architecture in place, a threat actor may be able to access your systems for a brief window before they need to re-authenticate — and that window may be all they need to plant ransomware or exfiltrate valuable data. Endpoint detection and response (EDR) security continuously monitors each user within your cloud for signs of suspicious activity to prevent these kinds of actions in the moment.

For example, consider a user who typically logs in from home to access a productivity suite. If they sign in from a different region and try to download the contents of a user registration database, the EDR could automatically flag that activity as suspicious and restrict the user’s access.
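The adaptive-authentication and EDR ideas from the last two sections reduce to a risk score built from a user's login baseline plus what the session does after login. The scorer below is an added example (not the article's or any product's logic); the login history, weights and thresholds are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed login history for one user (not real data). This is the baseline
# that adaptive authentication learns "established IPs and familiar locations" from.
HISTORY = [
    {"ip": "203.0.113.10", "region": "US-TX", "device": "laptop-7f3a"},
    {"ip": "203.0.113.10", "region": "US-TX", "device": "laptop-7f3a"},
    {"ip": "198.51.100.7", "region": "US-TX", "device": "phone-21c9"},
]

def build_baseline(history):
    """Summarise history as the /24 networks, regions and devices seen before."""
    return {
        "networks": {ip_network(h["ip"] + "/24", strict=False) for h in history},
        "regions": {h["region"] for h in history},
        "devices": {h["device"] for h in history},
    }

def score_session(baseline, session):
    """Return (score, reasons). Weights are illustrative assumptions."""
    score, reasons = 0, []
    ip = ip_address(session["ip"])
    if not any(ip in net for net in baseline["networks"]):
        score += 30; reasons.append("unfamiliar network")
    if session["region"] not in baseline["regions"]:
        score += 30; reasons.append("unfamiliar region")
    if session["device"] not in baseline["devices"]:
        score += 30; reasons.append("unregistered device")
    # Post-login behaviour is what EDR watches: a bulk export of a sensitive
    # store is risky even from a known device.
    if session.get("action") == "bulk_download" and session.get("sensitive"):
        score += 40; reasons.append("bulk download of sensitive data")
    return score, reasons

def decide(score):
    """Map a risk score to an enforcement action."""
    if score >= 70:
        return "restrict"   # terminate the session and raise an alert
    if score >= 30:
        return "step_up"    # require fresh, phishing-resistant re-authentication
    return "allow"

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    # The article's scenario: same laptop, new region and network, exporting a user database.
    suspicious = {"ip": "192.0.2.55", "region": "EU-DE", "device": "laptop-7f3a",
                  "action": "bulk_download", "sensitive": True}
    score, why = score_session(baseline, suspicious)
    print(decide(score), score, why)
```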

Mobile endpoint security

If your organization is one of the many to embrace hybrid work or bring-your-own-device (BYOD) policies, you can’t stop at securing laptops and servers. While allowing employees to use mobile devices empowers them to be more efficient and proactive, it also opens your organization up to a broad array of potential new threats.

One way to address those threats is with Lookout Mobile Endpoint Security. It uses the world’s largest AI-driven mobile security dataset to give your organization peerless visibility into and protection from mobile threats. With more than 350 million apps ingested and analyzed for risky behavior and other potential issues, Lookout proves that comprehensive mobile endpoint security is an essential way to protect your organization’s modern workflows.

If you’d like to learn more about how organizations are going beyond MFA to protect their assets, watch our webinar, Understanding the Modern Kill Chain To Keep Data Secure in 2024, today.

Understanding the Modern Kill Chain To Keep Data Secure in 2024

Join this session to learn about the evolution of the kill chain and the steps you can take to protect your data in 2024.
