Many IT departments know that enabling multi-factor authentication (MFA) across their access points can increase organizational security.
However, the nature of MFA can be tedious for both end users and admins, leaving some to wonder how effective MFA truly is. Here, we’ll go over what kinds of attacks MFA defends against, how effectively it prevents those attacks, and how admins can use MFA to strengthen their organization’s security posture.
What is Multi-Factor Authentication?
Multi-factor authentication (MFA) works by combining “something you know” (i.e., your credentials) with “something you have” (i.e., a time-based one-time password, or TOTP, generated by an authenticator app often downloaded on your phone) to gain access to IT resources.
At login, users present the two factors, and if they are correct they will be granted entry. MFA is proven to be more effective than just using credentials because, while it’s comparatively easy to obtain user credentials via phishing attempts or credential stuffing, bad actors cannot obtain a user’s second factor for authentication without going to greater lengths, which they often will not do. Instead, they’ll likely move on to the next potential victim.
MFA, sometimes called two-factor authentication (2FA), is an integral component of zero trust security and asserts that users should use more than just their credentials to gain access to sensitive resources. This form of security has been proven to protect accounts against bad actors. In fact, in a presentation at the recent RSA Security Conference, Microsoft’s director of identity security, Alex Weinert, said 1.2 million Microsoft accounts were compromised in January 2020 alone. Of those compromised accounts, 99.9% were not using MFA.
What Attacks Will MFA Prevent?
MFA primarily prevents any attack that results from a bad actor obtaining or guessing the user’s credentials. This can include a wide range of cyberattacks, though most commonly this encompasses phishing/spear phishing attacks, automated credential stuffing, and guessing attacks. In fact, MFA prevents more than 96% of bulk phishing attempts and more than 76% of targeted attacks, according to Google.
As of now, MFA also effectively blocks bot attacks because there (Read more...)