MFA: check its efficiency in 7 points

October is Cybersecurity Awareness Month, and this year the emphasis is expected to fall on identity-related behavior, given the role that stolen credentials play in current attacks.

According to a Yubico survey, 49% of the companies polled deployed two-factor (2FA) or multi-factor authentication (MFA) as a result of the pandemic and the shift to remote work. Attackers have responded by redoubling their efforts to trick users into handing over the second factor and, in some cases, by bypassing the MFA mechanism altogether.

Their toolkit now combines e-mail phishing and voice phishing (vishing) to steal passwords. With a valid password in hand, they trigger a flood of MFA push prompts on the target's phone, betting that the employee or partner will eventually tap "Approve" just to make the prompts stop (a technique known as MFA fatigue or push bombing). Employee training is an important preventative step, but where and how MFA is deployed matters just as much to whether it actually holds.

  • Standardized single sign-on (SSO) – Passwords are inherently vulnerable to compromise, so they should be entered as rarely as possible. Combining MFA with SSO simplifies the user experience by reducing the number of login prompts and replacing passwords with more intuitive methods, such as digital certificates or biometrics. Whenever possible, prefer SSO tools that support standard protocols such as SAML or OpenID Connect rather than proprietary integrations.
  • MFA enrollment – When a user enrolls a new authentication factor, IT must be able to verify that the request really comes from that person; otherwise an attacker holding a stolen password can register their own device as the second factor, and the MFA then protects the attacker rather than the user. To reduce this risk, use an out-of-band process (a phone call to a number already on file, for example) to confirm that the enrollment request was made by the legitimate user. It is also appropriate to allow only one enrolled device per user and to require a valid physical identity document (a passport, for example) before an enrollment request is approved.
  • Limit MFA requests – Users bombarded with prompts end up approving mindlessly or out of exasperation. Setting a threshold on how many MFA prompts a user can receive in a given time window, suppressing prompts beyond it and, ideally, alerting on the excess, reduces user fatigue and removes the attacker's ability to simply wear the victim down.
  • Privileged Access Management (PAM) – This is essential for protecting sensitive resources. With this approach the credentials for a sensitive server, for example, are stored in a centralized vault, and MFA is required to check them out. Intelligent privilege controls go further: privileged sessions are brokered so the credential itself is never exposed to the user, and activity is monitored regardless of the channel used to connect.
  • AI to balance security and productivity – To err is human, and IT teams cannot watch everything all the time. Machine learning makes it possible to evaluate each access request automatically and in real time against the historical behavior of the user, the device and the network. When the context looks unusual, the system adapts the controls, for example by requiring fresh authentication or lowering the access level. Detecting risky activity earlier in the attack lifecycle limits the damage. Because controls are only tightened when the risk score calls for it, the user experience improves at the same time. According to our research, 90% of organizations that use contextual automation also report a reduction in IT workload and costs.
  • Record and monitor user activity in web applications – Also according to one of our studies, 80% of organizations report employee misuse or abuse of work applications, yet nearly half (48%) have limited ability to view user logs and audit user activity. That makes it hard to understand and control how employees and partners use web applications and handle confidential data. Configure protected applications to record user actions and to produce comprehensive, searchable audit trails. Require users to re-authenticate during high-risk sessions (via a QR code, for example), and consider controls that prevent users from copying data or downloading files.
  • Defense in depth – Even the best-configured MFA is not infallible. That is why layering identity security controls and practices, such as consistently applying the principle of least privilege and removing standing access to sensitive infrastructure and cloud environments, is so important. If one control fails, another is in place to block the attack and keep sensitive assets out of reach.
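The following is an added example, not code from the article or from any vendor product, illustrating two of the points above together: the "Limit MFA requests" threshold and the contextual, risk-scored step-up described under "AI to balance security and productivity". The signal weights, decision thresholds, the sample user `alice` and her baseline, and the attacker scenario are all assumptions constructed for the demonstration; a real engine would learn baselines and weights from history rather than hard-code them.

```python
"""Added example: a push-prompt cap plus a contextual risk score.

All weights, thresholds and sample users below are assumptions made for
illustration; they are not taken from the article or any product.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


class PushPromptLimiter:
    """Sliding-window cap on MFA push prompts per user.

    After max_prompts prompts inside window_seconds, further prompts are
    not delivered ("suppressed") and the user is flagged as a possible
    push-bombing target so the risk engine can react.
    """

    def __init__(self, max_prompts=3, window_seconds=600):
        self.max_prompts = max_prompts
        self.window_seconds = window_seconds
        self._sent = defaultdict(deque)   # user -> timestamps of sent prompts
        self.flagged = set()              # users who hit the cap

    def request_prompt(self, user, now):
        q = self._sent[user]
        while q and now - q[0] >= self.window_seconds:  # age out old prompts
            q.popleft()
        if len(q) >= self.max_prompts:
            self.flagged.add(user)
            return "suppressed"
        q.append(now)
        return "sent"


@dataclass
class AccessRequest:
    user: str
    device_id: str
    country: str
    hour: int  # local hour of day, 0-23


@dataclass
class UserBaseline:
    """What 'normal' looks like for one user (learned from history in practice)."""
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    work_hours: range = range(7, 20)


# Assumed signal weights; a production engine would derive these from data.
WEIGHTS = {"unknown_device": 30, "unknown_country": 25,
           "off_hours": 15, "push_bombing_flag": 40}


class RiskEngine:
    """Scores each request against the user's baseline and picks a response."""

    def __init__(self, baselines, limiter):
        self.baselines = baselines
        self.limiter = limiter

    def score(self, req):
        base = self.baselines.get(req.user, UserBaseline())
        reasons = []
        if req.device_id not in base.devices:
            reasons.append("unknown_device")
        if req.country not in base.countries:
            reasons.append("unknown_country")
        if req.hour not in base.work_hours:
            reasons.append("off_hours")
        if req.user in self.limiter.flagged:
            reasons.append("push_bombing_flag")
        return sum(WEIGHTS[r] for r in reasons), reasons

    def decide(self, req):
        total, _ = self.score(req)
        if total >= 70:
            return "deny"      # block and alert; no prompt is sent at all
        if total >= 30:
            return "step_up"   # require re-authentication before access
        return "allow"


def run_demo():
    """Constructed scenario: user alice, then an attacker holding her password."""
    limiter = PushPromptLimiter(max_prompts=3, window_seconds=600)
    engine = RiskEngine(
        {"alice": UserBaseline(devices={"laptop-01"}, countries={"FR"})}, limiter)
    out = {}
    out["normal"] = engine.decide(AccessRequest("alice", "laptop-01", "FR", 10))
    out["new_device_at_night"] = engine.decide(
        AccessRequest("alice", "tablet-99", "FR", 23))
    attacker = AccessRequest("alice", "unknown-box", "BR", 14)
    out["attacker_first"] = engine.decide(attacker)  # step_up: a push goes out
    # The attacker replays the stolen password every 30 s to hammer alice's phone.
    out["push_results"] = [limiter.request_prompt("alice", t)
                           for t in (0, 30, 60, 90, 120)]
    out["attacker_after_bombing"] = engine.decide(attacker)
    out["alice_after_bombing"] = engine.decide(
        AccessRequest("alice", "laptop-01", "FR", 15))
    out["after_window"] = limiter.request_prompt("alice", 600)  # window expired
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two design points are worth noting. First, the limiter does not only protect the user from fatigue; hitting the cap becomes an input to the risk score, so the attacker's fourth and fifth attempts are not merely unanswered but turn a "step up" into a "deny", while alice herself, on her usual laptop, is only asked to re-authenticate. Second, the window expires: once ten minutes have passed without a prompt, the legitimate user can be prompted again without help-desk intervention.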

These seven points are not meant to be exhaustive. They are a starting point for thinking about how a unified identity security strategy, centered on intelligent privilege controls, can help organizations defend against cyberattacks, satisfy audit and compliance requirements, support digital business and improve operational efficiency.
