- MFA can significantly reduce your organization’s risk and extent of a breach.
- MFA is most effective when holistically implemented across all employees’ accounts.
- Your organization likely lacks visibility into non-federated accounts, including personal applications.
- Gaining comprehensive visibility into authentications is key to effectively implementing your MFA strategy.
Implementing MFA Is Important... But It Has Its Blind Spots
Most IT and cybersecurity professionals have heard of multi-factor authentication (also known as MFA, two-factor authentication, or 2FA). MFA represents a crucial step forward in digital security, effectively bolstering the protection of credentials. Protecting credentials by implementing MFA significantly reduces your organization’s risk and the extent of a breach since, according to Verizon’s 2023 DBIR report, stolen account credentials are used in approximately 50% of all breaches.
By requiring multiple layers of authentication, MFA reduces the likelihood of unauthorized access to accounts, even in cases where a password has been compromised. This degree of security is achieved by requiring a combination of authentication factors to sign in to an application. These factors could include something the user knows (e.g., a password), something they have (e.g., their mobile device), or something they are (e.g., biometrics).
Organizations often implement and enforce MFA policies for at least core business applications (e.g., email) thinking that it’s a silver bullet for protecting accounts from being compromised, especially from phishing. However, it is paramount to understand that MFA, while instrumental, is not an infallible solution and is most effective when part of a more comprehensive authentication strategy.
Though MFA protects accounts and can significantly reduce the risk of unauthorized access, it could be circumvented by certain MFA bypass attacks (e.g., MFA Request Generation, MFA Bombing, Replay Attacks, and Web Session Cookie Stealing). Additionally, MFA has edge cases that organizations may not be thinking about. Specifically, organizations may not be enforcing MFA on all of an employee’s accounts (and they likely don’t have the visibility to see this data!).
MFA should be part of a sound authentication strategy and part of a larger defense-in-depth approach to security, but it’s crucial to recognize that its effectiveness is heavily dependent on the scope of its implementation. Many organizations, unfortunately, may not be fully aware of the entire range of accounts linked to their employees’ work emails that lack MFA protection. This lack of comprehensive protection poses a security threat that requires attention and can be addressed with more granular visibility into authentication activity.
You Can’t Protect What You Can’t See
Visibility is an essential component of a sound authentication strategy; gaining a comprehensive overview of all accounts enables your organization to thoroughly and effectively implement MFA.
Your organization may use SSO or federated SSO where you enforce MFA for many business applications, but what is your organization doing about all the other applications your employees are logging in to with their work email? Can you see that a developer recently signed up for Jira or Zapier using their work email but isn’t using MFA? Is your CEO using their work email to log in to personal applications, such as LinkedIn and Netflix?
MFA serves as a pivotal safeguard against unauthorized access, but its effectiveness is considerably diminished if it is not holistically enforced across all accounts and platforms. When even one of the aforementioned accounts lacks MFA controls, your organization is exposed to significant risk. This risk stems not only from the prevalent practice of password reuse across platforms, but also from an attacker performing general reconnaissance on the business and from the attacker’s ability to craft spear-phishing emails to employees’ work addresses that pose as one of these platforms.
An organization has visibility into and control over sign-in options for applications that are either federated or owned by the organization. For all other applications, though, an organization likely lacks the visibility and the ability to control authentication methods, which includes the ability to enforce MFA. The visualization below illustrates the coverage that traditional tools provide into account usage and authentication methods. (Note: For some applications, your organization could have a varying degree of control depending on the vendor and your licensing; however, we think this infographic gets the general idea across.)
Gaining visibility into all the accounts associated with employees’ work email addresses, remediating the risk of mixing business and personal accounts, and ensuring MFA is implemented on these accounts are crucial to fortifying account security within an organization. Without this visibility, security blind spots may leave an organization vulnerable to account compromise, particularly via phishing, emphasizing the need for an in-depth understanding of the full scope of accounts linked to your organization’s work emails.
Start with Visibility
Knowing that MFA reduces the likelihood and impact of phishing attacks and credential theft but isn’t without its blind spots, we recommend implementing MFA as part of a more comprehensive strategy that first focuses on visibility.
Your current authentication strategy likely includes a mixture of the following:
- Training (security awareness)
- Enforcing MFA on core business applications (such as email)
- Enforcing a more phishing-resistant MFA method (e.g., FIDO, PKI)
- ... and many more initiatives.
These initiatives are all fantastic! Since your organization likely has an authentication and MFA strategy, it’s vital to pause and reflect — how effective is your current approach, and how does visibility play a part in its success?
- How have you justified the time and cost of training employees to not use their work email for personal applications if you can’t see that many of them are doing that?
- How do you currently prioritize initiatives to secure business accounts if you don’t know which non-federated applications employees are using, or which of those are not MFA-protected?
- How could you effectively plan to improve your security posture if you’re unsure what the current state is?
Without clear visibility into your employees’ authentications, even the most detailed strategies can fall short, leaving your organization vulnerable to threats and creating blind spots that attackers can exploit. Thus, visibility sets the foundation for any successful authentication strategy, allowing for enhanced control, improved security posture, and efficient resource allocation.
Areas to start gaining this level of visibility include:
- Authentication Providers (Identity providers show where users have used federated logins or social logins.)
- Network Traffic (Networking tools can identify traffic to applications, but this often doesn’t provide context about the user or the authentication method used.)
- Browser (This offers the most context-rich information, since the browser is the interface through which employees access most applications.)
Let’s make your decision-making process, and your communication to higher leadership, about your authentication initiatives more strategic by first uncovering blind spots. To do this, we recommend following three iterative steps: Gain Visibility, Detect, Remediate.
This is the deceptively simple process we at Keep Aware use to break down the authentication and MFA problem. This three-step, iterative process is a solid philosophy for tackling many security problems. From strategically addressing authentications and an MFA strategy to mitigating the risks of browser extensions and other risky browsing activity, we recommend:
- First, gain visibility into that activity;
- Next, explore and detect events of interest;
- Then, take action on the data.
- (Rinse and repeat.)
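As an added illustration of the visibility and detect steps above (example code written for this post, not part of the Keep Aware platform), the script below works through constructed browser sign-in records to answer the earlier questions about a developer on Jira or Zapier without MFA and an executive using their work email on a personal site. The application hostnames, the federated and personal-app sets, and the record format are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records (not real data): one per sign-in seen in the browser,
# with the work email used, the app host, and whether MFA was observed.
EVENTS = [
    {"user": "dev@example.com", "app": "jira.saas.test",   "mfa": False},
    {"user": "dev@example.com", "app": "zapier.saas.test", "mfa": False},
    {"user": "dev@example.com", "app": "mail.example.com", "mfa": True},
    {"user": "ceo@example.com", "app": "linkedin.test",    "mfa": False},
    {"user": "ceo@example.com", "app": "mail.example.com", "mfa": True},
    {"user": "ops@example.com", "app": "crm.saas.test",    "mfa": True},
    {"user": "dev@example.com", "app": "jira.saas.test",   "mfa": False},  # repeat login
]
FEDERATED_APPS = {"mail.example.com"}  # assumed: apps behind the org's IdP
PERSONAL_APPS = {"linkedin.test"}      # assumed: apps the org classes as personal use


@dataclass(frozen=True)
class Finding:
    user: str
    app: str
    category: str  # "personal-use" or "shadow-saas"
    mfa: bool


def mfa_coverage(events):
    """Gain visibility: fraction of each user's distinct apps where MFA was
    observed, including apps the IdP does not govern."""
    per_user = defaultdict(dict)
    for e in events:
        apps = per_user[e["user"]]
        apps[e["app"]] = apps.get(e["app"], False) or e["mfa"]
    return {u: sum(apps.values()) / len(apps) for u, apps in per_user.items()}


def find_blind_spots(events, federated=FEDERATED_APPS, personal=PERSONAL_APPS):
    """Detect: distinct work-email accounts outside IdP control, ordered for
    remediation (no-MFA first, personal-use before unsanctioned SaaS)."""
    seen, findings = set(), []
    for e in events:
        key = (e["user"], e["app"])
        if key in seen or e["app"] in federated:
            continue  # drop repeats and apps where the IdP already enforces MFA
        seen.add(key)
        category = "personal-use" if e["app"] in personal else "shadow-saas"
        findings.append(Finding(*key, category, e["mfa"]))
    findings.sort(key=lambda f: (f.mfa, f.category != "personal-use", f.user, f.app))
    return findings
```

The sorted findings are the input to the remediate step: the CEO’s personal-site login and the developer’s two password-only SaaS accounts surface before the MFA-protected CRM account.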
MFA and Visibility Are Key to a Sound Authentication Strategy
In conclusion, implementing MFA reduces the likelihood of unauthorized access to accounts and can significantly improve your organization’s security posture, but understanding and addressing MFA blind spots is a crucial component of securing your employees’ accounts and your organization’s digital environment. The process of gaining visibility, detecting events of interest, and taking action on this information is a comprehensive and iterative strategy that we stand by.
The Keep Aware Browser Security platform is designed to highlight actively used applications in the organization and the authentication methods employed for each app. Moreover, it involves employees in the security process, swiftly conveying essential safe practices through their web browsers or communication platforms like Slack or Teams. See how Keep Aware can help you implement this process by meeting with our team.