Multi-Factor Authentication, Revisited

With the recent guilty plea of a cyber gang that reportedly made $10 million selling multi-factor authentication (MFA) and 2-factor authentication (2FA) bypass services, let's dig into what MFA is good for and when organizational leaders need more.

The premise of MFA is simple: by requiring additional proof of identity beyond a password, it should become significantly harder to take over someone's account.

This is mostly true: MFA is consistently shown to significantly reduce the risk of account compromise, and with it of breaches and leaks.

So we’ll say one thing up front: If you’re using MFA/2FA, keep it. And if you aren’t using it, consider adding it. You may also notice that many SaaS platforms now enable 2FA by default; this is mostly a good thing.

MFA is not a cyber panacea

Here’s the problem: MFA does not guarantee safety.

MFA’s strength lies in layering: each extra factor is one more thing an attacker has to steal, phish or relay. But it does nothing about human vulnerability, and many kinds of cyber attack never need to defeat the login prompt at all.

  1. Watering Hole Attacks happen when hackers compromise a website that a target group regularly visits. Malware or a cloned login page served from that trusted site can capture credentials, one-time codes or session cookies that are then used to get past MFA on a different service, and the victim may never notice what happened.
  2. Advanced Persistent Threats give hackers a quiet foothold inside a system after a single successful entry; from there they remain to look for additional sensitive files and launch their real attack much later down the line.
  3. Zero Day Exploits target a vulnerability for which no patch yet exists, so the attacker strikes before anyone can defend. They can result in breached data either at the central platform level (e.g. the database behind the service) or at the end-user level (e.g. your customers’ devices), and neither path goes through the login prompt that MFA protects.

And all of this risk is only growing with Gen AI.

What’s beyond MFA?

Again, we reiterate MFA is a good thing and often a huge improvement over passwords—even complex ones. But it’s also not the only option on the table.

Here are a few things you can think about:

  • Automatic logouts: Log users out after a period of inactivity or when they navigate away from a tab; alternatively, require reauthentication at a semi-random interval (a random time, but at some point every 10 to 15 days) so that an attacker holding a stolen session cannot keep it indefinitely.
  • Mandatory password changes: Rotating passwords limits how long a leaked one stays useful, but forced periodic rotation is no longer recommended by NIST (SP 800-63B) because users respond with predictable tweaks. Prefer changing passwords when there is evidence of compromise, and whenever you do require a change, enforce that the new password is genuinely different, not something like “tarzan1” to “tarzan123”.
  • Hardware MFA: Require MFA through a USB key or other piece of hardware that only the real person would be carrying. Keys that speak FIDO2/WebAuthn bind each signature to the site’s origin, so a phishing page on a look-alike domain cannot replay the response; that is what makes them resist the kind of bypass services described above.
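The first two controls above, an idle timeout paired with a forced re-authentication deadline jittered inside a 10-to-15-day window, and a check that a “new” password is not a cosmetic variant of the old one, as an added example in Python. This is not code from the newsletter or from Protexxa; the thresholds, the letter-for-symbol substitution table and the demo inputs are assumptions chosen for illustration.

```python
import random
import re
import unicodedata
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy values (not from the newsletter): a 30-minute idle limit and a
# forced re-authentication at a random point between 10 and 15 days after login.
IDLE_LIMIT = timedelta(minutes=30)
REAUTH_MIN = timedelta(days=10)
REAUTH_MAX = timedelta(days=15)


@dataclass
class Session:
    authenticated_at: datetime
    last_seen: datetime
    reauth_deadline: datetime


def new_session(now: datetime, rng: Optional[random.Random] = None) -> Session:
    """Start a session whose re-auth deadline is jittered inside the window, so
    a stolen session cannot be timed to expire predictably."""
    rng = rng or random.SystemRandom()
    window = (REAUTH_MAX - REAUTH_MIN).total_seconds()
    deadline = now + REAUTH_MIN + timedelta(seconds=rng.uniform(0, window))
    return Session(authenticated_at=now, last_seen=now, reauth_deadline=deadline)


def check_session(session: Session, now: datetime) -> str:
    """Return 'ok', 'idle_timeout' or 'reauth_required'. Activity refreshes the
    idle clock only; nothing the user does extends the re-auth deadline."""
    if now >= session.reauth_deadline:
        return "reauth_required"
    if now - session.last_seen > IDLE_LIMIT:
        return "idle_timeout"
    session.last_seen = now
    return "ok"


# Assumed table of letter-for-symbol swaps people use to make a "new" password.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def _core(pw: str) -> str:
    """Case-fold, drop accents, strip the digits/symbols people append or
    prepend, then undo leet swaps, leaving the word the user actually remembers."""
    pw = unicodedata.normalize("NFKD", pw).casefold()
    pw = "".join(c for c in pw if not unicodedata.combining(c))
    pw = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw)
    return pw.translate(_LEET)


def _levenshtein(a: str, b: str) -> int:
    """Edit distance; catches single-character swaps that _core does not."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is a cosmetic rewrite of `old` and should be rejected."""
    if old == new:
        return True
    core_old, core_new = _core(old), _core(new)
    if core_old and core_new and (core_old in core_new or core_new in core_old):
        return True
    return _levenshtein(old.casefold(), new.casefold()) <= max_edits


def run_demo() -> dict:
    """Exercise both controls on constructed inputs. The fixed seed only makes
    the demo reproducible; real sessions use SystemRandom (the default)."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    s = new_session(t0, random.Random(7))
    return {
        "deadline_in_window": REAUTH_MIN <= s.reauth_deadline - t0 <= REAUTH_MAX,
        "active": check_session(s, t0 + timedelta(minutes=5)),      # refreshes idle clock
        "idle": check_session(s, t0 + timedelta(minutes=36)),       # 31 min since last_seen
        "stale": check_session(s, t0 + timedelta(days=16)),         # past any deadline
        "tarzan": is_trivial_variant("tarzan1", "tarzan123"),
        "leet": is_trivial_variant("password", "passw0rd"),
        "fresh": is_trivial_variant("tarzan1", "correct horse battery staple"),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Activity refreshes only the idle clock; the re-auth deadline is fixed at login, which is what bounds how long a stolen session cookie stays useful. The variant check is deliberately strict in one direction: it rejects obvious rewrites of the old password but says nothing about whether the new one is strong, so pair it with a breached-password lookup.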

It only works if it works for you

The reality is that the list of tips, alternatives and additions to MFA could go on forever.

That’s the thing about security: There are literally hundreds of unique and niche ways to protect yourself.

The key is to ensure the response fits…

  • Your organizational context
  • Your attack surface and vulnerabilities
  • Your current and future threats

Another reality is this all costs money, so ensuring you are using resources in the best way possible is critical.

This post originally appeared on the Connected & Newsletter by Protexxa. Subscribe now to get more insights directly in your inbox every two weeks.

The Cyber Detail: Headlines worth paying attention to

  • WATCH: The New Rules of Digital Defense (WomenOfInfluence): Protexxa CEO Claudette McGowan shared her insights on the cyber landscape today and how organizations (and individuals) can stay safe.

  • The United States federal government launches cybersecurity jobs drive (CybersecurityDive): The initiative aims to fill over 500,000 cybersecurity roles in the USA.

  • How an increasingly digital supply chain creates cyber risk (Just Drinks): Some companies, like the makers of Arizona Iced Tea, have already reportedly been hit by ransomware attacks.
  • Increased cyber threats are driving more interest in cyber insurance (CybersecurityDive): Ratings firm Moody’s released a report with findings that the cyber insurance market is set to explode.


MFA in real life

  • Try time-based MFA — Consider setting up MFA to automatically request new codes or biometric identification on a regular frequency

  • Accept security patches — Even the best security won’t protect against security gaps; patches help fix those issues

  • Always communicate the why — Security can often feel tedious; ground requests of employees in real issues, like keeping them (and their families) safe


ICYMI: Cyber headlines that still matter

US Department of Treasury’s Guide To Managing AI-Specific Cyber Risks in Financial Services: This guide is an in-depth analysis of how AI-specific cyber attacks can impact the financial services sector specifically, and what organizations can do about it (March 2024).

70% of organizational leaders say that a cyber skills shortage creates additional risks: In the same report, nearly all (90%) of leaders of organizations that have experienced a breach can attribute the incident at least partially to a skills gap

State-Backed cyber attacks on shipping continue to rise: Increasing geopolitical tensions are allegedly to blame for attacks on maritime industry.


Subscribe to Connected & Protected to get more insights directly in your inbox every two weeks

→ Don’t forget to follow Protexxa on LinkedIn


2-Factor Authentication (2FA) was invented by AT&T in 1995 and the patent expired in 2015 when 100 competitors popped out of the woodwork, many with flawed solutions. 2FA is obsolete and too easy to hack with hundreds of sites on the Dark Net selling credential stealing tools that bypass weak 2 factor authentication like Okta's $115M breach of MGM and Caesars, T-Mobile's $350M breach, and too many others to mention. Check here to see the next generation 4-Factor Authentication (4FA) solution in action: https://SecQR.Biz/demo
