MFA Is Only As Effective As We Want It To Be

Written by Authomize

Good cybersecurity is all about getting the basics right.

Sure, AI and other advanced technologies help us to cyber better, faster, stronger, etc. But the really important work is all about actually using the most basic of tools to fend off the vast majority of attacks.

One of the most glaring examples of a good security measure that is woefully underused is multi-factor authentication (MFA).

Identity is the New Battleground

In the cloud-centric era, where we use our identity to access the apps and services on someone else’s network, the good fight has centered on getting identity and access security right.

The problem is that a lot of us are still getting a lot of those basics wrong.

In its recent “Cyber Signals” report, Microsoft declared that, “Identity is the new battleground, but most are unprotected against attacks.”

Looking at its internal numbers, Microsoft reports that only 22% of Azure Active Directory organizations are using what it terms as “strong authentication” (read MFA) for securing their accounts.

This is beyond irksome, given how the folks in Redmond have been spreading the good word about MFA for years now, repeating the mantra that “MFA can block over 99.9% of account compromise attacks.”

Considering the high-level effectiveness of standard MFA, it boggles the mind as to why it is so underutilized.

Why Aren’t Organizations Using MFA?

MFA is like a seatbelt — easy to use and highly effective in most cases. And yet people will always have an excuse as to why they don’t use it.

Added friction to productivity and UX is one of the most common responses, with many employees griping about having to add an extra step to logging in.

Some will ask, “What if I forgot my phone today? Can I not log in?”

Lack of time and resources from the security team to get everyone enrolled is another reason that often gets cited. Though when it comes to the basics like adding MFA to your Microsoft accounts, costs for the service is less of a direct issue — even if the implementation might be.

When it comes to 3rd party services, there may be extra costs associated with adding MFA that could deter an organization from doing the right thing.

None of these are good reasons not to have MFA, which has reached a critical point of necessity. Passwords are not nearly enough to protect your access to cloud services like your IaaS, SaaS, and hosted data.

Ideally, we could just enroll everyone in MFA, but given the aforementioned challenges, we have to pick our battles.

3 Tips for Securing Your Privileged Access

When malicious actors target your organization, the goal is to ensure that they walk away with as little as possible for their troubles.

We need to prioritize our attention on securing the accounts that can do the most damage if they are compromised — namely our identities with privileged access.

Ensuring that these valuable identities have MFA enabled should be our top priority.

Here are a few good tips for getting started.

1. Know Where to Start

Start by identifying these privileged identities. In some cases they will simply be listed as admins. But it is not always so clear.

You also need to detect shadow admins and others with access privileges, either directly, through group memberships, or roles that can reach your sensitive crown jewels like customer data or that can be exploited for privilege escalation.

Identifying these undefined admins is often harder than it sounds because they lack visibility over all the different access paths that an identity may have to their assets.

2. Use Federated Access

Using an identity provider like Azure AD, Ping, or Okta, will give you an easier way to determine and manage who has MFA enabled. If any of your privileged accounts do not, then require them to do so.

3. Disallow Unfederated Access

For all the apps and services where possible, bar access to local IAM users. This is best practice in general, but has added value when talking about more sensitive assets.

In cases where you can’t use federated access, use tools to track access usage activity, gain visibility, and ensure that people cannot access your valuable assets without MFA enabled.

A Fighting Chance

Along with the suboptimal MFA 22% adoption figure, there are reasons to be hopeful. The Microsoft authors tell us that basic security hygiene still protects against 98% of attacks, citing MFA and applying Least Privilege as important measures for mitigating risks.

That’s good news because it means that organizations stand a fighting chance against the threats to their identity perimeter. And that threat is rising.

The report claims that in 2021, “Azure Active Directory detected and blocked more than 25.6 billion attempts to hijack enterprise customer accounts by brute-forcing stolen passwords.”

So how many didn’t they block? How many more are coming?

As we move through the tumult of early 2022, we can expect these attempts to increase further.

Preparing for whatever comes next will require organizations to develop a technology adoption strategy that enables them to enforce their Authentication and Authorization policies. Taking responsibility for their security will mean using all the defensive tools at our disposal — starting with the most basic.