In 2019, Microsoft went on record saying that a simple tool like multi-factor authentication can mitigate 99.9% of attacks. With something like that, it’s clear that MSPs shouldn’t be seeing multi-factor authentication (MFA) as a catchall security tool, but rather a standard method for defence against any data breaches. Here is what’s needed to know about MFA and how it can help MSPs.
How MFA Functions
As the name suggests, for anyone to gain access to an account, the user must identify themselves through multiple pieces of evidence. There are several combinations that users can choose to identify themselves, including:
- Knowledge – something that only that user knows. Examples are a PIN, a passphrase, an answer to a personal question (first pet, mother’s maiden name, first car)
- Possession – something that only that user has. Examples are a smart key that generates a random number or a one-time use password
- Inherence – something that the user is. An example is biometric IDs, a scan of their eye, a fingerprint, or voice activation
When two factors from that are used, this is referred to as “2FA” or two-factor authentication. This is different from 2-step verification as 2FA again requires two of the above. An example is a password and inputting a code that’s sent to the user’s phone.
Overall, an ideal MFA should always be using independent factors. A password to access a computer shouldn’t have the same password that is needed to retrieve a one-time password from a mobile device. MFA systems can also be strengthened further through embedded geolocations and device signatures.
MFA Adoption Rate
Due to recent data breaches, MFA is slowly being implemented as a means of tying up loose ends left behind. According to a LastPass survey, about 57% of enterprise clients across the globe have MFA implemented. In 2021, only 45% had implemented, resulting in a 12% growth.
The pandemic also influenced this too as more people were working from home and this brought further security risks. Those factors and the following two resulted in a larger adoption rate:
- A rise of biometrics popularity: Biometrics are everywhere now and most notably is fingerprints on smartphones as a means of authentication. Beyond that, the imaging capability of consumer electronics and blockchain technology have brought biometrics to higher levels.
- A surge of authentication apps: The other factor is how many authentication apps are available now. There is better integration and built-in security from these apps which brought further adoption to this technology. Apps today increase consumer confidence, especially if recovery options are hassle-free.
Hackers Can Still Crack Them
Even though Microsoft has said these factors are very secure, there is still a small possibility of them failing. MFA is not an impenetrable fortress and hackers can work around them. After all, MFA in the end is only a combination of single-authentication methods and hackers can target one of those methods directly.
Some common scenarios that hackers can go through are:
- Brute force attacks: Hackers will use common passwords with random user IDs. This is especially problematic for MFA as MFA doesn’t lock people out but rather slows down the repeated login attempts instead. Single-authentication systems lock out users after a certain number of attempts.
- Biometrics thefts: Biometrics should be handled with caution as this data is often stored on multiple machines over the cloud. Because the cloud is more publicly accessible, hackers could have a chance of grabbing that data and recreating biometric scans themselves. Once they have a copy, they can breach into the system with ease.
- Intercepting cookies: Cookies are used for every site, and they are not very secure. Worse, they contain important user data on the browser. Not only is personal information stored in these cookies, but MFA credentials too. Hackers can use side-channel attacks to gain access to that data.
- Local access: If a local admin access is compromised, all that data on the user’s system is exposed. Everything from biometrics to other sensitive data which can lead to an MFA breach. Even with strong encryptions, that won’t prevent data thefts.
- SIM cloning: Wireless providers are moving away from physical SIM cards and switching to virtual SIMs. While it’s a step forward, these digitalized versions open the door to hackers able to clone SIM data and intercept victim’s communications.
- Recovery attacks: Most MFA systems are very secure despite this list of vulnerabilities. As such, they are very forgiving when it comes to recovery as well. The problem with this is hackers are fully aware that in cases of urgency, they too can perform the recovery process. They can impersonate forgetful users who are trying to gain access to their account and use wild guesses that way to compromise security. Also, depending on the MFA used, it can be easier for hackers to crack.
- Social engineering: Lastly, if all else fails, hackers can use social engineering which takes on many forms. Commonly are phishing emails or a hacker could take a more personalized bait for users. MFAs are not going to be able to address this vulnerability at all as it relies heavily on behavioural factors.
How To Prevent MFA System Attacks
Even with all these loose ends, MFA is still a strong option to consider compared to other options. The key is to take some extra measures to prevent these attacks. Some considerations are:
- Getting the right MFA vendor. A sign that the MFA vendor is diligent is one who offers mutual SSL authentication, a lockout policy for unauthorized logins, uses SDLC, addresses social engineering attacks, and has passive contextual authentication such as geolocation.
- Using a trusted-link policy. This policy alone can solve a lot of side-channel attacks. This policy should include: allowing users to click on links only from verified senders, disable links in emails by default, and scan links for security before clicking them.
- Being more educated. It helps to be aware both as an administrator and as an end-user. Adapting to change is necessary and having hacking awareness training sessions helps.
- Monitoring security hygiene. Lastly, no MFA system is fully secure and can be exposed to vulnerabilities when left unchecked. To ensure the best hygiene, users should: prefer local OTP generation over SMS OTPs, using out-of-band authentication, avoid password sharing, recycling, and replay, have unique passwords, avoid generic recovery questions, avoid unusual sites, public and unsecured network connections.
MFA Is An Ideal Solution
While MFA is not unhackable, it still provides incredible protection and is the best option around. MFA attacks currently are rare as most hackers prefer using soft attack surfaces such as phishing, and social engineering. Those problems can easily be addressed by making this simple switch.
About MSP Corp
MSP Corp understands you’ve worked hard to build your business and you want to protect it. With a mission to be a world-class business partner for MSP owners across Canada, we actively seek to acquire and partner with owners looking to secure the value of the business they have built and provide a seamless exit process that ensures business continuity and employee and client stability.
Contact us today to learn more about selling your business and maximizing its value.