Key takeaways on whether MFA is enough:

  • Employees will always opt for the path of least resistance when it comes to user experience. The tokens, security keys and one-time passcodes commonly used in MFA are high friction, putting many employees off using the tool.
  • MFA isn’t foolproof: it can be bypassed, and there are known weaknesses for malicious parties to exploit. Crucially, it doesn’t take into account the wider context of an access request, such as a request from overseas, at an unusual time, or from an untrusted device.

For a long time, we’ve known that single-factor authentication fails to adequately protect applications. The most common way user accounts get compromised is through weak, reused or stolen login credentials, and although pretty much every security awareness course clearly states the deficiencies of password reuse, people still do it because it’s the easiest option. We only need to turn to the news to see plenty of stories about account takeovers and leaked login credentials, with Twitter CEO Jack Dorsey’s among the most prominent.

An NCSC analysis of breached passwords gives an idea of how little thought people give to their password choices.

Aside from rampant password reuse and poor choices, there are fundamental issues with a credential-centric approach. Credentials can simply be guessed via brute force attacks, which use trial and error to search for passwords, or stolen via man-in-the-middle attacks. Hence IT teams have had to intervene, with 57% of organizations implementing Multi-Factor Authentication (MFA).

MFA is one of the best defenses against the majority of password-related attacks, including credential stuffing, password spraying and brute force attacks; Microsoft claims that MFA stops 99.9% of attacks. It has become a baseline security requirement for securing cloud services, so much so that some SaaS vendors like MailChimp offer a discount to customers who enable it. However, MFA is by no means the silver bullet it has been marketed as.

Multi-Factor Authentication (MFA) Considerations

Despite MFA becoming part of mainstream security practices, it’s important to be aware of the practical and technical problems that come with it.

Security issues

The Cybersecurity and Infrastructure Security Agency (CISA) released a report highlighting how attackers managed to sign in to cloud service accounts that had proper MFA implementations. CISA witnessed a number of attack vectors being used to compromise MFA. Understanding how MFA can be compromised is important when developing your security strategy.

Token interception

The robustness of MFA is largely determined by the type of out-of-band authenticator used; OWASP outlines a number of options, including the strengths and weaknesses of each deployment type. Ultimately, you need to be cognizant of the fact that if an attacker can get their hands on a valid set of authentication factors, MFA becomes ineffective.

SMS is commonly deployed by businesses and CSPs because it’s cheap and easy to roll out; everyone has a phone and there’s no additional hardware required. However, as a second-factor authenticator it is susceptible to attack, so much so that NIST has advocated deprecating SMS as an out-of-band authenticator for secure authentication mechanisms. The FBI has made similar comments after seeing a rise in SIM swapping, phishing pages able to handle MFA operations, and transparent proxies like Muraena and NecroBrowser.

While hardware-based tokens are more secure than SMS and software-based tokens, they can still be intercepted. We’ve seen plenty of cases in the wild of fake login pages mimicking MFA prompts, making hardware-based tokens vulnerable to real-time man-in-the-middle attacks. Time-based One-Time Passwords (TOTP) limit the effectiveness of token interception, because a captured code is only valid for a short window, but this mechanism still has its frailties.

Failure to consider context

Companies of all sizes are moving away from the traditional perimeter-based approach to security towards Zero Trust; in fact, robust identity verification is the starting point of Zero Trust initiatives for many businesses. Zero Trust is a long-term approach to security that can’t be achieved with a sole focus on user identity; it needs to consider the broader context of an access request.

Just because someone is able to prove they are who they say they are, that shouldn’t vouch for other areas of risk such as device health, location, or the application they want to access. The use of risk-aware access controls is particularly pertinent in remote working environments where employees are connecting from COPE or BYOD devices on and off the corporate network using smartphones, tablets, PCs, and laptops, often on multiple platforms.

End-user experience

MFA seems like a perfect solution from a security perspective to mitigate weak passwords – add in another authentication factor to more accurately verify user identity – however, it introduces friction into the sign-in process. From a user perspective, the fewer steps you’re prompted to complete, the better, but that’s exactly what MFA is not. 

Waiting for a second factor is annoying: you have to wait for the token to be sent or fetch the relevant piece of hardware, and doing this for multiple applications a day is bothersome. It’s further exacerbated when working remotely; VPNs are notoriously unreliable, and a broken connection can mean having to reauthenticate several times.

End users want a simple access process, not necessarily the most secure; they also want to access corporate services on their own terms. Getting stakeholder perspectives and buy-in for MFA projects is important. If you want to pursue an SMS or software-based token, does everyone have a corporate device? If not, are employees comfortable receiving it on their personal device? If you’re looking at hardware-based tokens, can you afford to provide every employee with a device? Do employees want to carry around another device? Probably not.

There’s an example in a Medium article of a user who set up a webcam to show their RSA token so they didn’t have to carry the device with them:

[Image: MFA Tokens]

If people don’t want to do something, they’ll find creative ways to circumvent the process or start using unsanctioned services to get around the headache of MFA.

Legacy authentication

For MFA to work, you need to block legacy authentication. Legacy authentication protocols like POP, SMTP, IMAP and MAPI can’t enforce MFA, making them preferred entry points for attacks on your organization. Microsoft produced some research on legacy authentication traffic for Azure AD:

  • More than 99% of password spray attacks use legacy authentication protocols
  • More than 97% of credential stuffing attacks use legacy authentication
  • Azure AD tenants that disable legacy authentication experience 67% fewer compromises than those where legacy authentication is enabled
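Before blocking legacy authentication you need to know who still depends on it. The following is an added example, not from the article or from Microsoft, that runs over constructed sign-in records to find accounts signing in over POP, IMAP, SMTP or MAPI, where MFA could not have been enforced; the field names are modelled on Azure AD sign-in logs but the records themselves are made up.

```python
import json
from collections import Counter

# Protocol client types that authenticate with a password alone and cannot carry an MFA challenge.
LEGACY_CLIENT_APPS = {
    "POP3", "IMAP4", "Authenticated SMTP", "MAPI Over HTTP",
    "Exchange ActiveSync", "Other clients",
}

# Constructed sample sign-in log (one JSON record per line); no real tenant or user data.
SAMPLE_LOG = """
{"user": "alice@example.test", "clientAppUsed": "Browser", "status": "success"}
{"user": "bob@example.test", "clientAppUsed": "IMAP4", "status": "success"}
{"user": "bob@example.test", "clientAppUsed": "IMAP4", "status": "failure"}
{"user": "carol@example.test", "clientAppUsed": "Authenticated SMTP", "status": "success"}
{"user": "dave@example.test", "clientAppUsed": "Mobile Apps and Desktop clients", "status": "success"}
{"user": "erin@example.test", "clientAppUsed": "POP3", "status": "failure"}
{"user": "erin@example.test", "clientAppUsed": "POP3", "status": "failure"}
"""


def parse(log_text: str) -> list:
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def legacy_signins(events: list) -> list:
    """Events where a legacy protocol was used, i.e. MFA could not have been enforced."""
    return [e for e in events if e["clientAppUsed"] in LEGACY_CLIENT_APPS]


def legacy_success_by_user(events: list) -> dict:
    """Users whose accounts are actually in use over password-only protocols."""
    return dict(Counter(e["user"] for e in legacy_signins(events) if e["status"] == "success"))


def legacy_failures_by_user(events: list) -> dict:
    """Failed legacy sign-ins per user: the traffic password spraying generates."""
    return dict(Counter(e["user"] for e in legacy_signins(events) if e["status"] == "failure"))


def remediation_report(events: list) -> dict:
    """Split findings into accounts to migrate off legacy auth and accounts being targeted."""
    return {
        "migrate": sorted(legacy_success_by_user(events)),
        "targeted": sorted(legacy_failures_by_user(events)),
    }
```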

Next Steps

The next stage of Zero Trust is about layering in context-based policies. This means gathering rich signals about the user’s context – who are they? Are they in a risky user group? – along with application context, device context, location and network, and applying access policies based on the information gathered.
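As an added illustration of the context-based policies described here and under “Failure to consider context” (example code, not from the article or any vendor product), this evaluator treats a passed MFA check as necessary but not sufficient: device, location, network and time signals raise a risk score that can step up or deny access even for a verified identity. The allowed-country list, working hours and score thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"     # require re-authentication with a stronger factor
    DENY = "deny"


@dataclass
class AccessRequest:
    user: str
    mfa_passed: bool
    device_managed: bool        # corporate-managed (COPE) rather than BYOD
    device_compliant: bool      # patched, encrypted, endpoint agent healthy
    country: str
    on_corp_network: bool
    hour_utc: int               # hour of the sign-in; a real system would compare to the user's baseline
    app_sensitivity: str        # "low" or "high"
    risky_user_group: bool


ALLOWED_COUNTRIES = {"GB", "US"}    # assumption: where this organisation's staff normally work
WORK_HOURS = range(7, 20)           # assumption: 07:00-19:59 UTC


def risk_score(req: AccessRequest) -> int:
    """Each contextual signal that MFA alone ignores adds to the score."""
    score = 0
    score += 3 if req.country not in ALLOWED_COUNTRIES else 0
    score += 2 if not req.device_managed else 0
    score += 2 if not req.device_compliant else 0
    score += 2 if req.risky_user_group else 0
    score += 1 if req.hour_utc not in WORK_HOURS else 0
    score += 1 if not req.on_corp_network else 0
    return score


def decide(req: AccessRequest) -> Decision:
    if not req.mfa_passed:
        return Decision.DENY                      # identity not proven: hard stop
    if req.app_sensitivity == "high" and not req.device_compliant:
        return Decision.DENY                      # sensitive app never reachable from an unhealthy device
    score = risk_score(req)
    deny_at = 6 if req.app_sensitivity == "high" else 8
    if score >= deny_at:
        return Decision.DENY
    if score >= 3:
        return Decision.STEP_UP                   # verified user, but context warrants a stronger check
    return Decision.ALLOW
```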

MFA is an important part of organizational security, but it is by no means a destination. Distributed infrastructure, devices, and users mean that additional security controls need to be put in place; user identity alone isn’t enough to ensure security.