How MFA Can Help Prevent Data Breaches
Security experts widely agree that any organization securing logins to its valuable IT services using only a username-password combination is taking a huge security risk. Multifactor authentication (MFA) is one of the most basic ways to layer your defenses against unauthorized logins to systems and, ultimately, can help prevent costly breaches.
The Current Authentication Landscape
To authenticate a user means to verify that the user is genuine. Classically, the way to authenticate a user is to request their login credentials and ensure those credentials match the credentials stored in your directory service or authentication server. The full history and background of authentication is more complex, but that’s the gist of it.
The need to ensure users are who they claim to be is critical in the context of today’s hybrid IT infrastructures. Organizational data and apps often exist outside the traditional corporate network perimeter in public cloud services. Furthermore, employees, business partners and contractors are accessing IT resources from home or public locations.
Many security professionals say that identity is the new perimeter. This claim about identity extends to devices and applications, but securing machine identities is another topic altogether. If identity is the new perimeter, then making authentication as secure as possible is paramount to protect your critical assets, including sensitive data about customers and intellectual property.
Why Passwords Aren’t Enough
In an ideal world, passwords would be sufficient to authenticate users and ensure that they are genuine. Unfortunately, passwords are susceptible to theft, often through poor password hygiene. Whether it’s reusing the same password across different applications or not creating strong enough passwords in the first place, password theft is rife.
To understand how easy it is to steal a password, consider a study that looked at over 15 billion passwords. The results of this study revealed that the top four most commonly used passwords were:
- 123456
- 123456789
- qwerty
- Password
These passwords are all incredibly easy to guess even for a beginner cybercriminal looking to access a corporate network. This is confirmed by the fact that 80% of hacking incidents stem from stolen credentials or passwords guessed using brute force tactics.
A compromised password doesn’t automatically lead to a breach, but it makes that outcome far more likely. By logging in to a system using a compromised password, threat actors can impersonate genuine users and attempt to move through a network until they can exfiltrate sensitive information or install malware on multiple systems.
MFA Explained
To help strengthen authentication and avoid relying on username-password pairs alone, organizations can opt for MFA. This type of authentication uses two or more distinct ‘factors’ to verify users. Three common authentication factors are:
- Something the user knows: This is the classic username-password combination.
- Something the user has in their possession: This is usually either a smartphone or a hardware token.
- Something the user is: This is biological data about the user such as their fingerprint, retinal scan or facial recognition scan.
Clearly, combining just two of these factors already leads to better security. Even if an employee chooses an insecure password, reuses passwords across many systems or doesn’t change their password according to the best practices defined in your security policy, it’s far harder for a threat actor to impersonate that employee when MFA is in place.
It’s worth noting that using multiple authentication factors isn’t a 100% hack-proof way to ensure users are genuine. The level of security available depends on the chosen factors of authentication.
For example, Twitter’s Jack Dorsey had his account hacked when a threat actor impersonated him by contacting Jack’s mobile phone carrier and convincing the company to transfer Dorsey’s phone number to a different SIM card. Then, because Twitter uses a code sent to your registered phone number as its second authentication factor, the threat actor was able to log in to Dorsey’s account.
Push-based notifications to registered devices may be more secure than one-time passwords sent by text message, which inherit whatever weaknesses the phone carrier has. Some organizations may see fingerprint scanning as a worthwhile investment to strengthen authentication.
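The factor list above pairs something the user knows with something the user has, and the SIM-swap story shows why the possession factor should not hinge on a phone number. The Python below is an added example written for this page, not code from the original article: it implements a time-based one-time password (RFC 6238) as the "something the user has" factor, keeps the shared secret between the server and the user's authenticator app rather than routing a code through a carrier, checks the password with PBKDF2, and refuses a replayed code. The account record, the salt, the demo password, the fixed clock value and the use of the RFC 6238 test secret are all constructed for the example.

```python
import hashlib
import hmac
import struct
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal string of `digits` length."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, at_time // step, digits)


def match_totp(key: bytes, submitted: str, at_time: int,
               step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Return the time-step counter whose code equals `submitted`, or None.
    Steps within `window` of the current one are accepted to tolerate clock
    drift; the comparison is constant-time so a mismatch leaks nothing."""
    submitted = submitted.strip()
    if not (submitted.isascii() and submitted.isdigit()):
        return None
    counter = at_time // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + drift, digits), submitted):
            return counter + drift
    return None


# Constructed demo values: a fixed salt and the RFC 6238 test secret.
DEMO_SALT = b"constructed-demo-salt"
DEMO_TOTP_KEY = b"12345678901234567890"


def hash_password(password: str, salt: bytes = DEMO_SALT) -> bytes:
    """Knowledge factor at rest: PBKDF2-HMAC-SHA256, never the plain password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Minimal user record holding the verification material for both factors."""

    def __init__(self, username: str, password: str, totp_key: bytes) -> None:
        self.username = username
        self.pw_hash = hash_password(password)
        self.totp_key = totp_key   # shared only with the user's authenticator app
        self.last_counter = -1     # highest TOTP step already consumed


def login(acct: Account, password: str, code: str, now: int) -> bool:
    """Both factors must pass; either one alone, or a reused code, is rejected."""
    # Factor 1: something the user knows.
    if not hmac.compare_digest(acct.pw_hash, hash_password(password)):
        return False
    # Factor 2: something the user has (the device holding totp_key).
    matched = match_totp(acct.totp_key, code, now)
    if matched is None:
        return False
    # Replay guard: a code is single-use, so refuse any step already consumed.
    if matched <= acct.last_counter:
        return False
    acct.last_counter = matched
    return True


if __name__ == "__main__":
    acct = Account("alice", "correct horse battery staple", DEMO_TOTP_KEY)
    now = 1234567890                    # fixed clock so the run is reproducible
    code = totp(DEMO_TOTP_KEY, now)
    print("password only :", login(acct, "correct horse battery staple", "", now))
    print("password+code :", login(acct, "correct horse battery staple", code, now))
    print("replayed code :", login(acct, "correct horse battery staple", code, now))
```

Two design points matter more than the arithmetic. First, the possession factor lives in a secret that never crosses the carrier's network, so transferring the phone number to another SIM, as in the Dorsey incident, yields nothing. Second, a correct code is consumed on use: an attacker who shoulder-surfs or phishes one code cannot replay it, and the `window` tolerance for clock drift does not reopen that door because `last_counter` only moves forward.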
Is Passwordless Authentication the Future?
Even though multifactor authentication provides much better security, password fatigue is still a real problem. Most companies still use passwords as one authentication factor, which means employees need to set passwords in line with corporate policy and update them at scheduled intervals. This need to properly manage passwords at all times can start to impact user experience and productivity for both end-users and IT security staff.
Passwordless authentication seeks to eliminate password fatigue by removing the most popular authentication factor from the equation. Instead, users are authenticated using something they have or something inherent to them. For better security, passwordless authentication should require both of these different factors.
MFA Can Plug Authentication Gaps
Any company depending only on passwords to verify users is in for a rude awakening. The sheer volume of passwords stolen and compromised daily means that passwords alone will lead to hacked user accounts that can escalate into a full-scale data breach. As detailed in this report from IDC, there are many MFA solutions in the market today. Understanding which one can best address and plug an organization’s authentication gaps is key to a secure future.