Why you should enable MFA!
What is MFA?
MFA (Multi-Factor Authentication) is the practice of requiring a user to present more than one independent factor before they are authenticated. Two copies of the same factor (two passwords) do not count; the factors must come from different categories.
The three factors are:
- Something you know (a password or PIN)
- Something you have (a token: a hardware key, a phone running an authenticator app)
- Something you are (biometrics: fingerprint, face)
We commonly use the “something you know” factor for authentication, namely a password. It lets a user sign in from any device without needing a biometric scanner or a secondary device to help authenticate themselves. It has long been the primary authentication method, but it has well-known flaws and vulnerabilities.
A common way to implement MFA is to add “something you have”, a token. This can be an authenticator app, which makes the user’s phone serve as the token, or a hardware key such as a YubiKey. Note that a YubiKey protected by a PIN is itself two factors (you must have the key and know the PIN), and that an authenticator app is only a “have” factor if the seed it was provisioned with never leaves the device.
Why not stick to passwords?
While passwords aren’t inherently bad, and have their benefits, the way passwords are used in practice is flawed. Users reuse passwords across many sites, including ones you as an enterprise have zero control over. Once one of those sites is inevitably breached, that password ends up in publicly available password dictionaries. Beyond that, leaked password hashes can be cracked offline in less and less time as hardware improves, and without lockout, rate limiting or conditional access policies an attacker can also guess weak passwords directly against your sign-in page.
Even within a company, users follow predictable patterns that a slim dictionary reproduces easily (the “Summer2021!” type of password). It’s a systemic problem that’s likely not going anywhere, even as password managers become more common. Users want a flexible and unobtrusive way to access their data. They shouldn’t be disparaged for that; we should instead look for a method that has minimal impact on their day-to-day work, both in terms of rollout and daily use.
How does MFA address the password issues?
MFA adds “something you have” or “something you are” on top of the password. A credential-stuffing attack, where an attacker replays a slew of credentials copied from the latest leak, or a password spray, where a handful of common passwords is tried against many accounts, then only gets the attacker as far as the second-factor prompt. This directly addresses the problem of reused credentials.
Is it perfect? Definitely not. Few security practices are. In particular, MFA codes sent by text message have been observed to be susceptible to targeted attacks such as SIM swapping, and any code typed by the user can be relayed by a real-time phishing site (hardware keys using FIDO2/WebAuthn resist that). But it does force the attack to become targeted rather than opportunistic.
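Once MFA is in place, the attacks described above leave a distinctive trail: many accounts hit from one source, and some sign-ins where the password was correct but the second factor was not satisfied. The latter tells you which passwords are already in the attacker’s hands and should be rotated. The following is an added example (not from the original post) that runs that logic over a few constructed sign-in events; the log format, field names and IP addresses are made up for illustration and do not correspond to any particular product’s log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs). Fields:
# timestamp user source_ip password_result mfa_result
# 203.0.113.7 sprays six accounts in ten seconds and lands two valid passwords;
# 198.51.100.20 is alice's own workstation with one mistyped password.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z alice@example.com 203.0.113.7 password_fail -
2024-03-01T09:00:03Z bob@example.com 203.0.113.7 password_fail -
2024-03-01T09:00:05Z carol@example.com 203.0.113.7 password_ok mfa_fail
2024-03-01T09:00:07Z dave@example.com 203.0.113.7 password_fail -
2024-03-01T09:00:09Z erin@example.com 203.0.113.7 password_fail -
2024-03-01T09:00:11Z frank@example.com 203.0.113.7 password_ok mfa_fail
2024-03-01T09:05:00Z alice@example.com 198.51.100.20 password_ok mfa_ok
2024-03-01T09:06:00Z alice@example.com 198.51.100.20 password_fail -
2024-03-01T09:06:30Z alice@example.com 198.51.100.20 password_ok mfa_ok
"""


def parse_events(text: str) -> list[dict]:
    """Parse the constructed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, pw, mfa = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "password": pw, "mfa": mfa,
        })
    return events


def detect_spray(events: list[dict], window_minutes: int = 10,
                 min_users: int = 5) -> dict[str, list[str]]:
    """Flag source IPs that touch >= min_users distinct accounts within any
    sliding window of window_minutes. Both failed and successful password
    attempts count: a spray that happens to hit a valid password is still a spray."""
    by_ip: dict[str, list[dict]] = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    window = timedelta(minutes=window_minutes)
    flagged: dict[str, list[str]] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def compromised_credentials(events: list[dict]) -> list[str]:
    """Accounts whose password was accepted but whose second factor was not.
    MFA stopped the sign-in, but the password itself is known to the attacker
    and should be reset."""
    return sorted({e["user"] for e in events
                   if e["password"] == "password_ok" and e["mfa"] != "mfa_ok"})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("spray sources:", detect_spray(evs))
    print("passwords to rotate:", compromised_credentials(evs))
```

The threshold and window are deliberately low so the constructed sample trips them; in a real environment tune them against a baseline of normal sign-in volume, and feed the “password ok, MFA not satisfied” list straight into a forced password reset.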
Is it worth it?
As seen in the Microsoft Digital Defense Report, maintaining basic security hygiene protects against 98% of attacks, and MFA is a significant portion of those basic steps.
It’s easy to become complacent and assume every attacker is highly advanced and persistent, but the fact is that sophisticated attacks are becoming easier to perform. Entire markets are developed and maintained by cybercriminals: phishing kits, stolen credentials and ransomware-as-a-service are sold and supported at prices that hardly gatekeep any would-be attacker. A ransomware operator could be a skilled team, or just someone with an axe to grind, and one of those is far easier to stop than the other.
So, either as a company or as an end user: enable MFA. Nowadays, if you do not have access to a phone, your company will likely provide you one, and that’s all you need for a security token. Follow the enrolment steps within the service you’re authenticating against (whether that be email, social media or something like Azure) and it shouldn’t take more than five minutes.
While it might be annoying for your end-user to be prompted with an MFA policy, it’s more annoying to deal with the new ransomware extortion methods going around. This is why you should at least enable MFA!
Want to know more about MFA and what a journey to passwordless looks like? Check out our workshop on how to: Build your Passwordless practice