Multi-factor authentication is widely considered a necessity among cybersecurity professionals and authorities, but it’s not always a quick fix.
Threat actors can still evade and even exploit MFA through phishing or social engineering attacks, as evidenced by the persistent and widespread text message phishing campaign nicknamed Oktapus or Scatter Swine.
Technology companies, telecom providers, and organizations and individuals linked to cryptocurrencies have been targeted since the attacks began in March. The adversary compromised nearly 10,000 user credentials at 136 organizations, according to Group-IB, and in some cases used access gained at one company, directly or through a third-party provider, to go after employees of specific downstream targets.
The attackers did not break MFA so much as route around it: social engineering tricked employees into handing over their passwords and the one-time codes that were supposed to protect those passwords.
“Ultimately, MFA is a small piece of a larger strategy. Relying on MFA alone will not protect your organization from all attacks,” Allie Mellen, senior analyst at Forrester, said via email.
The problem is less MFA itself than how organizations implement it. An MFA deployment is only as strong as the compensating controls around it, and it is weakened when organizations stop at enabling the second factor.
“Organizations that have invested in MFA have not always made the corresponding investments in better proof and assertion of identity to provide adequate levels of trust,” Ant Allan, vice president analyst at Gartner, said by email.
Too often, organizations follow a “checkbox compliance mindset,” assuming that simply applying MFA will meet their needs without considering additional configuration best practices or enrollment and recovery processes, Allan said.
Federal guidance defines assurance levels
While sophisticated tactics can improve adversaries’ chances of breaching an intended target, even when MFA is enabled, federal authorities continue to push for MFA to be widely used.
The Cybersecurity and Infrastructure Security Agency launched a “More Than a Password” social media campaign in June to encourage adoption of MFA, claiming that the added security MFA offers makes organizations and individuals 99% less likely to be hacked.
The National Institute of Standards and Technology likewise advises all organizations to use MFA whenever possible. The agency’s “Digital Identity Guidelines” (SP 800-63B) set out three authenticator assurance levels (AALs) to distinguish how much confidence a login provides that the claimant really controls the account:
- AAL1 provides some assurance that the claimant controls an authenticator bound to the subscriber’s account; a single factor is permitted
- AAL2 requires proof of possession of two distinct factors through a secure protocol using approved cryptographic techniques
- AAL3 requires a hardware-based authenticator and a cryptographic protocol that resists verifier impersonation, which rules out codes a user can be talked into typing into the wrong page
Password vulnerabilities carry over into MFA because organizations, in most cases, implement what Allan describes as “+1FA”: the password stays in place and one more factor is stacked on top of it.
“Switching to passwordless MFA can mitigate those vulnerabilities, but some types of phishing, broadly defined, can still be effective,” he said.
Additional layers of defense
Organizations can and should strengthen MFA by combining its use with policy enforcement, training, email security, location awareness, and identity threat detection and response, according to analysts.
“While MFA is a necessary first step, investing in advanced analytics will provide more flexibility and resiliency,” Allan said. This approach can help organizations “maximize justified trust in claimed identities without placing a burden on the user, adding friction only when the risk demands it.”
Organizations should also consider transitioning away from authentication codes transmitted via text message.
“Ideally, organizations will move to authentication apps, which provide a better experience for end users and ensure a closed system for authentication that is not dependent on a third party like [text messaging],” Mellen said.
Despite the cyberattacks that have hit many tech companies in recent times, Mellen and Allan said organizations shouldn’t hesitate to use MFA.
“Locks can be picked and doors can be forced, but would you leave your house without locking the front door?” Allan said. “MFA is a best practice” that significantly reduces the risk of account takeover.