A door without a lock does not provide a layer of security to an opportunistic thief. If the door is locked, you at least have one layer of security. Now, imagine that the door also has a card or thumbprint reader that must be used in conjunction with the key to unlock the door. Then, you have multiple layers of security. While a skilled thief or attacker could still conceivably get in, it would require more time, and they’d likely move on to an easier target.
Multi-factor authentication, when connecting to services on the internet, is similar. It’s a simple matter for user credentials to become compromised through password and phishing attacks. While employees are required to undergo security awareness training, phishing threats are becoming more sophisticated and users may not fully understand the risks a network is exposed to if a hacker takes advantage of compromised credentials.
Instead of creating a strong passphrase (not a password) when prompted, they do the bare minimum. Threat actors know this and will take advantage of it when they can. And, if your network is connected to the internet, and you’re not using multi-factor authentication to log in, those threat actors can walk right through the front door.
The need for multi-factor authentication extends beyond your immediate network, too. If your organization uses the assistance of any third-party services, they should also use multi-factor authentication.
You can enforce password complexity rules, but you can’t force people to use different passwords for all the third-party services used by your company. Now, imagine a threat actor has obtained a user’s password by guessing it or successfully phishing the user.They attempt to use the compromised credential to log in to your corporate network—where you have MFA installed. The first factor is successful, but when it comes to the second factor, the malicious user is unable to successfully log in.
They’ll likely take the compromised credential and try it on the third-party services commonly used by organizations until it works somewhere. So, while the threat actor might not directly gain access to your network, they could still gain access to sensitive data or business processes if you don’t have MFA installed on those third-party services.
Another scenario where you’ll want MFA is within segmented areas of your network containing highly sensitive data, such as a cardholder data environment (CDE). Even if multi-factor authentication is required to log in to your network, you would still add an extra layer of MFA to log in to the CDE—even though it’s not directly connected to the Internet.
Not only is this extra layer of security helpful for compliance, but it’s also important for protection of the most sensitive data held by your organization. Because, while multi-factor authentication is effective if executed correctly, it’s not infallible.
Consider this example:
You implement MFA for your network, teach employees to use it properly, and move on. You’ve got MFA installed and active for all corporate services (email, remote access, and third party services included) by redirecting users to a Single Sign On (SSO) authentication portal that requires MFA. So, you’re good to go, right?
A threat actor in an undisclosed location is attempting to access the account of one of your new employees that may not have payed close attention during the new employee security awareness training. The employee keeps getting alerts on their phone from the MFA app they installed when they began working at the company.
The employee knows they’re not trying to log in, but they brush it off as a technical malfunction. The employee eventually gets tired of hearing their phone go off, so the user confirms the login request from the MFA app.
And, just like that, a threat actor has entered your network, even though you’ve got MFA installed.
There are no guarantees in information security. While you can set yourself up as best as possible, user error should always play a factor in your decision making and infrastructure. Are abundant successful logins but failed MFA attempts being alerted on within security monitoring processes?
The needs of networks can vary based on the size and type of organization. Determining how to best protect your assets and educate your employees can present unexpected and unique challenges. So, if you’re looking for some guidance on how to best secure your network or implement MFA, just let us know, and we’d be glad to help you get started today.