The Truth About MFA

Is the popular security strategy all it’s cracked up to be? Let’s get to the bottom of things.

You’ve probably heard about “MFA” (multi-factor authentication) and maybe you even use it at your business. But you can’t help but wonder if it’s really as effective as they say it is. Let’s talk about that.

But first, for those who need it, here’s an overview of MFA – what it is and why it exists. If you don’t need an overview, feel free to skip this part.

What is MFA?

MFA stands for multi-factor authentication. Authentication, in the context of security, is the process of verifying that someone is who they claim to be before granting them access to an account, device, etc. It’s checking that the person at the login screen is the genuine account holder.

Traditionally, passwords have been used to authenticate people’s identities online. Your email authenticates you – i.e., makes sure you’re you – by asking for your password.

Passwords are good authenticators because only you know your password – at least in theory.

But in practice, passwords are…a problem. We’ll talk about this more in just a second. But the bottom line is this: passwords alone tend not to offer such robust protection against unauthorized access.

As a result, many individuals and organizations are choosing to protect their accounts – email, social media, bank, etc. – using multiple authentication requirements, or more simply, multi-factor authentication.

Authentication factors fall into three categories:

  • Something you know (e.g., a password or PIN)
  • Something you have (e.g., a mobile phone running an authenticator app, or a hardware security key)
  • Something you are (e.g., a fingerprint)

Usually, the multiple authentication factors comprise a password plus something else. Note that a password is already ‘something you know’, so for the combination to count as multi-factor the ‘something else’ should come from a different category: a password plus something you have, or a password plus something you are. A password plus a PIN is two factors of the same kind, and an attacker who can phish one can usually phish the other.

Ideally, we can add the word “only” to the above three categories: a true authenticator is something only you know, something only you have, or something only you are (fingerprints are a good authenticator precisely because they’re unique to you).

Suppose a cybercriminal gets hold of your email password and tries to log in to your MFA-protected email. Your email, thanks to MFA, will ask for an additional authentication factor – say, a one-time passcode sent to your mobile phone (this is what our patented ID 20/20 software does). If the cybercriminal can’t fulfill the request and enter the one-time passcode correctly, they will be denied access to your email.

OK, but is MFA really necessary? Sure, it would come in handy if some hacker stole your password and tried to use it to breach one of your accounts. But is that really something you need to be worried about? And let’s say it does happen – one of your passwords falls into the wrong hands – can you rely on MFA to save the day? How effective is MFA…really?

The Truth About Passwords

The truth about passwords is that passwords pose a problem. A serious one, in fact. This comes down to two reasons:

People’s Passwords Are Often Laughably Bad

Only it isn’t funny, because weak passwords, or as IT folks like to say, “bad password hygiene,” are dangerous. Verizon’s 2017 Data Breach Investigations Report found that 81% of hacking-related breaches involved stolen or weak passwords.

And when roughly 43% of cyberattacks target small businesses, you’d better believe it’s your responsibility not to leave your organization wide open to an attack by using weak passwords or engaging in risky password practices like sharing your password or using the same password on multiple accounts.

But maybe you and your team are fulfilling that responsibility admirably. Maybe you all have impeccable password hygiene – long, random passwords filled with unguessable phrases and special characters. That’s great, but it still leaves the second reason passwords are a problem…

Cybercriminals Are Getting Really, Really, Really Good at Cracking Passwords

Unfortunately, this is the other side of the equation. Modern password-cracking techniques are almost incomprehensibly powerful, fueled by the explosion in cheap computational power, GPUs in particular. If your password is in the neighborhood of 8 characters or fewer, a committed cybercriminal who has obtained its hash from a breached database can ‘brute force’ it (i.e., guess it by simply testing every combination) in less than a day, sometimes in less than an hour. Keep in mind, professional threat actors aren’t manually cracking passwords; the process is highly automated and, against a fast hashing algorithm, can run upwards of one trillion guesses per second. Guessing directly against a login page is far slower, because the service can throttle attempts or lock the account, which is exactly why attackers prefer to steal the hashes and crack them offline.

You read that right. A trillion guesses per second. That’s what you’re up against – what we’re up against.
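To put the trillion-per-second figure in context, here is an added calculation (not part of the original article) that turns a password policy and a guess rate into time-to-exhaust-the-keyspace. The three guess rates are assumptions for illustration only: the trillion-per-second rig applies to offline cracking of a stolen fast hash; a deliberately slow hash such as bcrypt cuts the same rig to tens of thousands of guesses per second; and an online login form that throttles attempts allows only a handful. The point a practitioner takes from it is that the “8 characters, under a day” claim is true for offline attacks on fast hashes and irrelevant to a throttled login page, so both the hashing scheme and MFA matter, not only password length.

```python
import math

# Assumed guess rates (illustrative, not measurements of any specific hardware).
GUESS_RATES = {
    "offline, fast unsalted hash": 1e12,     # GPU cluster, the figure quoted above
    "offline, slow hash (bcrypt)": 5e4,      # same rig, deliberately expensive hash
    "online, rate-limited login": 10.0,      # attempts a throttled service tolerates
}

CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "alphanumeric": 62,
    "printable ASCII": 95,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` over the charset."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Strength in bits, assuming each character is chosen uniformly at random."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case: every candidate is tried. On average an attacker needs half."""
    return keyspace(charset_size, length) / guesses_per_second


def humanize(seconds: float) -> str:
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def crack_table(length: int, charset: str = "printable ASCII") -> dict:
    """Time to exhaust the keyspace under each assumed guess rate."""
    size = CHARSETS[charset]
    return {scenario: seconds_to_exhaust(size, length, rate)
            for scenario, rate in GUESS_RATES.items()}


if __name__ == "__main__":
    for length in (8, 12, 16):
        print(f"\n{length} chars, printable ASCII "
              f"({entropy_bits(95, length):.1f} bits):")
        for scenario, secs in crack_table(length).items():
            print(f"  {scenario:30s} {humanize(secs)}")
```

Running it shows 8 printable characters falling in under two hours at a trillion guesses per second, over four years against bcrypt, and effectively never against a throttled login form; 12 random characters survive all three.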

So yes, MFA’s a good idea. Passwords offer some protection, but they need to be supplemented.

The Truth About MFA

Wait a second, you might be thinking, if I can’t rely on my passwords to keep me cyber-secure, why should I trust additional authentication factors? In other words, if passwords can’t do the job, who’s to say adding more layers will make any difference?

We’re saying that! Let’s say a password is like a lock on your front door. If hackers can pick that particular lock, won’t they be able to pick any additional locks you set up? Multiple locks might slow them down a bit, but it certainly won’t stop them…right?

Perhaps not, but the analogy doesn’t quite work because MFA doesn’t just add more locks. If a password is like a lock, then the additional authentication factor required by MFA – a code from an app, a security key, a fingerprint scan – is more like a guard dog. The value of the guard dog is not in duplicating the lock; it’s that it is a different kind of obstacle, one that changes from moment to moment and that the intruder cannot obtain from the same place the password came from.

More to the point, the fact that a hacker manages to get their hands on your password doesn’t mean they’ll also be able to obtain the additional authentication factor required to access your account(s). Jumping over one hurdle is one thing. Jumping over one hurdle plus evading a big angry guard dog – well, that’s a whole other thing!

That said, MFA isn’t foolproof. Like anything, it can be hacked. There’s a stat floating around the internet claiming that MFA stops over 99% of all cyberattacks, but there’s no data to show this. There is data showing that MFA can prevent more than 99% of a specific type of attack – automated account-takeover attempts that rely on a stolen or guessed password, such as credential stuffing and password spraying – but not 99% of all cyberattacks.

Why does this matter? It matters because it’s important to know that MFA isn’t the magical solution some would have you believe it is.

Should you use MFA? Absolutely. Should you also educate yourself on the ways MFA can fail, so you can prevent such failures from occurring at your business? Absolutely!

To that end, let’s look at a few ways threat actors get around MFA – and what you can do to prevent them from bypassing your MFA solution.

“Prompt Bombing”

An attacker who already has a user’s password logs in repeatedly, flooding the user’s device with a barrage of push-notification approval requests. This can make it difficult to distinguish legitimate requests from fake ones, and users may inadvertently approve a fraudulent authentication. Users may also approve out of sheer annoyance or exhaustion, which is why this method is also called “MFA fatigue” or “authentication fatigue.”

What you can do: A push prompt only arrives after someone has entered your correct password, so a burst of prompts you didn’t trigger means your password is already in the wrong hands. Don’t approve any of the requests, contact your IT provider to establish what’s going on, and change that password. If your MFA app supports number matching (the login screen shows a number you must type into the app), have it turned on: an attacker who can’t see your screen can’t complete the prompt.
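Prompt bombing is also easy to spot on the defender’s side, because it leaves a pattern in the identity provider’s authentication log that no legitimate user produces. The following added example (written for this page, not taken from any product) runs a simple detection over a constructed log: it flags a user who receives more than three push prompts within five minutes, and raises the severity when an approval follows such a burst, which is the moment the fatigue attack succeeded. The log format and field names are assumptions; a real deployment would map them to whatever the identity provider exports.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from a real system): time,user,event,source_ip
# alice is being bombed and eventually approves; bob is a normal login.
SAMPLE_LOG = """\
2024-03-04T08:01:10Z,alice,push_sent,203.0.113.7
2024-03-04T08:01:40Z,alice,push_denied,203.0.113.7
2024-03-04T08:01:45Z,alice,push_sent,203.0.113.7
2024-03-04T08:02:05Z,alice,push_denied,203.0.113.7
2024-03-04T08:02:10Z,alice,push_sent,203.0.113.7
2024-03-04T08:02:30Z,alice,push_sent,203.0.113.7
2024-03-04T08:02:50Z,alice,push_sent,203.0.113.7
2024-03-04T08:03:15Z,alice,push_approved,203.0.113.7
2024-03-04T08:05:00Z,bob,push_sent,198.51.100.22
2024-03-04T08:05:20Z,bob,push_approved,198.51.100.22
"""


def parse(line: str):
    ts, user, event, ip = line.strip().split(",")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip


def detect_prompt_bombing(log_text: str, max_prompts: int = 3,
                          window: timedelta = timedelta(minutes=5)) -> list:
    """Sliding-window detector. Returns one alert dict per finding:
    'medium' when a user gets more than `max_prompts` pushes inside `window`,
    'high' when the user approves a push while still inside such a burst."""
    recent = defaultdict(deque)   # user -> timestamps of push_sent inside the window
    alerted = set()               # users already given a 'medium' alert for this burst
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = parse(line)
        q = recent[user]
        while q and ts - q[0] > window:   # drop prompts that fell out of the window
            q.popleft()
        if not q:
            alerted.discard(user)         # burst is over; allow a fresh alert later
        if event == "push_sent":
            q.append(ts)
            if len(q) > max_prompts and user not in alerted:
                alerted.add(user)
                alerts.append({"user": user, "time": ts, "severity": "medium",
                               "reason": f"{len(q)} push prompts within "
                                         f"{int(window.total_seconds())}s from {ip}"})
        elif event == "push_approved" and len(q) > max_prompts:
            alerts.append({"user": user, "time": ts, "severity": "high",
                           "reason": "approval during a prompt burst "
                                     "(likely MFA fatigue; treat as compromised)"})
    return alerts


if __name__ == "__main__":
    for alert in detect_prompt_bombing(SAMPLE_LOG):
        print(alert["time"].isoformat(), alert["severity"].upper(),
              alert["user"], alert["reason"])
```

The ‘high’ alert is the one to page on: the password is known to the attacker, the session they just obtained is live, and the response is to revoke sessions and reset the password, not merely to warn the user.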

Phishing Attacks

Cybercriminals trick users into revealing their authentication factors, often by creating fake websites or emails that mimic legitimate services and prompt users to enter their credentials and one-time passcodes. Be aware that a passcode typed into a lookalike site is relayed to the real site within seconds, well inside the code’s validity period, so the fact that a code expires quickly does not protect you here.

What you can do: If you have any doubts about the legitimacy of an authentication request or prompt, don’t take action before clearing things with your IT provider. Check that the address bar shows your service’s real domain before typing a password or code into any page. As a good rule of thumb, unless you’re expecting an authentication request, don’t trust any such request you receive.

Social Engineering

Cybercriminals manipulate users into revealing sensitive information or authentication codes through psychological tactics, often exploiting trust or fear.

What you can do: Always exercise caution when faced with requests for sensitive information, especially if they seem unusual or create a sense of urgency. Verify the legitimacy of such requests by contacting your IT provider directly. Remember, it’s perfectly okay to take a moment to confirm the authenticity of any unexpected request, and if the person making the request tries to rush you, all the more reason to slow down and ensure that everything is above board!

Man-in-the-Middle Attacks

In these attacks, cybercriminals insert themselves between you and a service, capturing authentication data while it’s in transit. Because nearly all login traffic is now encrypted with TLS, simply eavesdropping on public Wi-Fi rarely yields a password or code on its own; the common form today is a proxy site the victim is lured to by a phishing link, which passes your password and one-time code through to the real service in real time and then captures the logged-in session cookie the service hands back after MFA has succeeded.

What you can do: When using public Wi-Fi or any unsecured network, avoid transmitting sensitive authentication data, and use a VPN (Virtual Private Network) when accessing critical accounts or services in public places. Understand what a VPN does and doesn’t cover, though: it protects you from eavesdroppers on the local network, not from a proxy site you were tricked into visiting, so the address-bar check from the phishing section still applies. If you suspect you logged in through such a site, tell your IT provider immediately so the captured session can be revoked; a password change alone does not end it.

A Final Thought

You may have noticed that every single “what you can do” in the previous section mentions contacting your IT provider. That’s because modern cybercrime has gotten absurdly sophisticated, and most businesses can’t protect themselves without some expert help.

Are you getting enough help with cybersecurity at your organization? Here at The 20 MSP, we specialize in bringing small and medium-sized companies’ cybersecurity up to speed and under budget.

Want to learn more? Schedule your call with The 20 MSP today.

And stay tuned for more security-focused content as we celebrate #CybersecurityAwarenessMonth here at The 20.