MFA: Striking a Balance Between Secure & Convenient

Written By: Anthony Reyes

Updated: 07/12/2022

Credential theft is one of the leading causes of data breaches; in fact, it is responsible for more data breaches than any other type of attack. As we move more and more data and essential business processes into the cloud, users are more vulnerable than ever to cyberattacks, making it essential for companies to take steps to protect their data. When a criminal gains access to a user account, particularly one with admin privileges, they can exploit the account by sending phishing emails to the company’s staff and customers from the company’s own account, or attempt a Business Email Compromise (BEC) in which they impersonate the business and divert funds and services to cybercriminals. Additionally, they can infect the company’s cloud data with ransomware, which can result in the company needing to pay thousands of dollars to regain access to the data, if access is restored at all. One of the most effective methods for protecting accounts is multi-factor authentication (MFA). In this blog post, we’ll discuss what MFA is, how it works, and how it can be used to protect businesses from credential theft and malicious actors.

What Is Multi-Factor Authentication (MFA)?

Multi-factor authentication (MFA) is a security measure that requires two or more factors to authenticate a user’s identity. It adds an extra layer of security to your online accounts by requiring additional verification when logging in. This additional verification could be something you know (like a password) or something you have (like a smartphone or physical device). By requiring multiple forms of authentication, MFA puts a significant barrier in front of cybercriminals even if they have stolen a legitimate user’s credentials; the hacker will almost certainly not have access to the device that receives the MFA code required to complete the authentication process.

WHAT ARE THE THREE MAIN METHODS OF MFA?

When implementing multi-factor authentication within your organization, it’s important to understand the various forms of MFA and how they fit into your workflows; not all MFA is created equal, and some authentication methods are more secure than others. There is a constant tension between security and convenience, so let’s dive into the most popular MFA methods and how they can fit into your business’s cybersecurity plan.

SMS-BASED

One-time passcodes (OTPs), or time-based one-time passcodes (TOTPs) when the code is only valid for a short window, are texted to the user’s phone number on record. This is the most popular authentication method, and you’re probably already very familiar with it, as most services now enable it by default when you sign up. Every time a user logs in, they must provide a new code that’s texted to them. While this is the most convenient MFA method, it is unfortunately also the least secure on this list. SMS-based MFA is so convenient because you just need your phone; if you get a new phone or switch providers, your MFA always works and follows you as long as you keep the same phone number. The insecure part is that attackers can use various methods to gain access to your text messages, or to your entire phone line, via a technique known as “SIM jacking”. Ikigai One has written a great article explaining what SIM jacking is, how it’s done, and how to defend against it. If an attacker succeeds at compromising your phone number, there is nothing stopping them from intercepting your SMS authentication codes. There are also many scams that attempt to trick users into handing their SMS authentication codes to scammers/attackers who pretend to work for the company the user is trying to access.

ON-DEVICE PROMPT IN AN APP

This method involves having the user approve logins from a device that was linked during account creation or MFA setup, such as a smartphone or tablet. Setting this up is usually as easy as scanning a QR code with your smartphone using your preferred “authentication app”. We recommend apps like Duo, Microsoft Authenticator, or Google Authenticator. This form of MFA offers strong protection against malicious actors but can be inconvenient for users who don’t have access to their devices at all times. Many authentication apps do not allow users to transfer their authentication codes to a new device if the user no longer has access to the old device; this unfortunately means that if your device is lost, stolen, or too heavily damaged, you may be locked out of your accounts. Ikigai One has numerous contingencies in place that can help users avoid this catastrophe.

PHYSICAL SECURITY KEY

The third method of MFA involves using a separate physical security key that you insert into a PC or mobile device to authenticate the login. These keys look like standard USB drives (but are a little smaller) and are produced by several companies; we recommend YubiKey and other physical security keys that use the FIDO2 standard. The MFA secret is stored on the key when MFA is set up for an account; from that point forward, the user must physically have the key in their possession to access that account. The benefit of this method is that it is device agnostic, meaning it still works even if you lose your smartphone. Just don’t lose your key too…

WHAT’S THE MOST CONVENIENT FORM OF MFA?

MFA fatigue is a real thing, and users can get frustrated with having to learn new apps or procedures or spend additional time on daily tasks like logging in. Unfortunately, this leads many users to leave their accounts unsecured for the sake of convenience. If your organization has a lot of technologically averse individuals, or MFA fatigue is really getting to users, we recommend using SMS authentication at a minimum. Managed IT Service Providers usually recommend avoiding text message based authentication, and for good reason, but we all agree that SMS-based MFA is infinitely better than no MFA at all.

MOST SECURE FORM OF MFA?

The honor of most secure form of MFA goes to the physical security key. The security key, being a separate device altogether, won’t leave your accounts unprotected if your mobile phone is lost or stolen. Both the SMS-based and app-based versions would leave your accounts at risk in this scenario. New malware is making it easier than ever for hackers to intercept text messages, and authentication apps don’t always offer the redundancy required by businesses.

MFA BY THE NUMBERS

A 2019 Google study looked at the effectiveness of these three methods of MFA at preventing three different types of attacks. The security key, as expected, was the most secure overall.

Percentage of attacks blocked:

· SMS-based: between 76% and 100%

· On-device app prompt: between 90% and 100%

· Security key: 100% for all three attack types

WHAT’S IN BETWEEN?

As a Managed Security Service Provider, Ikigai One always recommends erring on the side of caution and security; that being said, an increase in security often comes with a decrease in convenience, and every organization has a unique threshold of risk acceptance. Thus, we recommend and endorse a mixture of on-device app authentication (with redundancy) for the majority of users and use cases, and physical security keys for the most mission-critical and sensitive accounts (Microsoft Global Administrator, for example).

LOOKING FOR HELP SETTING UP MFA AT YOUR COMPANY?

Protecting your data with multi-factor authentication is essential, and there is no excuse not to take advantage of its free cybersecurity benefits. Businesses must take measures to protect their data from malicious actors; otherwise, they risk exposing confidential information, which could result in financial loss or reputational damage. Multi-factor authentication (MFA) is one way organizations can secure their online accounts by adding an extra layer of security beyond passwords alone, making it much harder for hackers/attackers to gain unauthorized access even if they steal login credentials from unsuspecting users/employees. Implementing effective procedures can help ensure that organizations stay ahead in the ever-evolving battle against credential theft and data breaches, keeping customer data safe and secure at all times! If you need help navigating the cybersecurity landscape, our cybersecurity experts can help your business ensure that MFA is enabled and enforced for all users and mission-critical accounts. Ikigai One is your Managed IT Support partner: not only will we manage MFA for your organization and prevent MFA fatigue, but we’re also happy to train and educate your employees on its importance at no additional cost. We truly believe that MFA is the most cost-effective and easiest thing your business can implement to save you from data breaches and cybercriminals.