Without multi-factor authentication, an employee who falls for a phishing scam or shares a password leaves your organization open to attack.

The risk of compromised credentials is considered one of the biggest security threats today, and for good reason. An attacker who compromises credentials is in possession of stolen but legitimate, valid login details. Detecting the intrusion then becomes very difficult, because every security tool you have sees a user logging in exactly as that user is expected to.

IS Decisions’ research into the access security priorities of 500 IT Security Managers in the US and UK

Despite the risk, most organizations are still going the wrong way about password security.

Our research from a few years ago showed that only 38% of organizations use MFA. Sadly, according to more recent studies, little has changed since.

Why the hesitation in adopting MFA?

MFA is only for big companies

Many companies wrongly think that MFA is only for businesses of a certain size. Every company, regardless of size, should use MFA as part of its security strategy: the data a small company holds is just as sensitive and the disruption of a breach just as serious. MFA doesn't have to be complicated, costly or frustrating!

MFA is only to protect privileged users

Once again, wrong. For many organizations, MFA for every user seems a little too much. They consider most of their users not to have access to valuable data, so relying on local Windows credentials seems enough. What they don't see is that those 'non-privileged' users have access to a large amount of information that can do real harm. Take a nurse, for example: what if she were to sell a celebrity patient's records to a newspaper? The data has value, and the damage follows as soon as it is used inappropriately.

Also, it is actually rare for an attacker to start with a privileged account. Most cyber criminals start with an easy victim and then move laterally within the network until they find valuable information to exfiltrate. Requiring MFA on ordinary accounts removes that first foothold.

MFA isn’t perfect!

You are right: MFA, like any other security control, is not perfect, but it is close. The FBI published a warning last month about recent incidents in which attackers were able to bypass MFA. The two main authenticator weaknesses it describes are 'channel jacking', the takeover of the communication channel the authenticator uses (taking over a victim's phone number to receive their SMS codes is the classic case), and 'real-time phishing', in which a machine-in-the-middle proxy sits between the victim and the genuine site and intercepts and replays the authentication messages as they happen. Experts agree that these attacks demand significant cost and effort; in most cases, cyber criminals who encounter MFA move on to an easier target rather than try to bypass it. You can also take some simple precautions against specific weaknesses. As a first step, choose MFA authenticators that do not rely on SMS: the National Institute of Standards and Technology (NIST) classifies SMS and voice delivery as restricted authenticators in its Digital Identity Guidelines (SP 800-63B) for exactly these reasons.
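To make the real-time phishing attack concrete, here is an added simulation (not code from the page, from IS Decisions or from the FBI notice) in which a phishing proxy relays whatever the victim types to the real site. A relayed one-time code is accepted, because nothing ties the code to the page it was typed on; an origin-bound authenticator (the WebAuthn/FIDO2 model, where the browser's own origin is covered by the signature) is rejected. HMAC over a shared key stands in for the authenticator's private-key signature, a fixed code stands in for a time-based OTP, and every origin, password and code is constructed for the example.

```python
"""Real-time phishing relay vs. an origin-bound authenticator (added example)."""
import hashlib
import hmac
import secrets

LEGIT_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.com"   # attacker's lookalike domain (constructed)
VICTIM_PASSWORD = "hunter2"                  # constructed
CURRENT_OTP = "482913"                       # constructed, stands in for a TOTP/SMS code


class OtpRelyingParty:
    """Password + one-time code: nothing ties the code to where it was typed."""

    def login(self, password: str, code: str) -> bool:
        return password == VICTIM_PASSWORD and code == CURRENT_OTP


class Authenticator:
    """The user's security key. The browser, not the user, supplies the origin."""

    def __init__(self, key: bytes):
        self.key = key

    def sign(self, challenge: str, browser_origin: str) -> bytes:
        msg = f"{challenge}|{browser_origin}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()


class OriginBoundRelyingParty:
    """Verifies an assertion over (challenge, origin), the way WebAuthn checks
    the origin inside clientDataJSON that the signature covers."""

    def __init__(self, credential_key: bytes):
        self.key = credential_key
        self.pending = set()          # challenges issued but not yet consumed

    def challenge(self) -> str:
        c = secrets.token_hex(16)
        self.pending.add(c)
        return c

    def login(self, challenge: str, claimed_origin: str, tag: bytes) -> bool:
        if challenge not in self.pending:          # unknown or already used
            return False
        self.pending.discard(challenge)            # single use: no replay
        if claimed_origin != LEGIT_ORIGIN:         # honest origin from a phishing page
            return False
        expected = hmac.new(self.key, f"{challenge}|{claimed_origin}".encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def legit_otp_login(rp: OtpRelyingParty) -> bool:
    return rp.login(VICTIM_PASSWORD, CURRENT_OTP)


def phish_relay_otp(rp: OtpRelyingParty) -> bool:
    """The proxy forwards what the victim typed on the lookalike page straight
    to the real site, inside the code's validity window. It is accepted."""
    typed_password, typed_code = VICTIM_PASSWORD, CURRENT_OTP   # captured by the proxy
    return rp.login(typed_password, typed_code)


def legit_origin_bound_login(rp: OriginBoundRelyingParty, auth: Authenticator) -> bool:
    challenge = rp.challenge()
    tag = auth.sign(challenge, LEGIT_ORIGIN)       # browser really is on the legitimate site
    return rp.login(challenge, LEGIT_ORIGIN, tag)


def phish_relay_origin_bound(rp: OriginBoundRelyingParty, auth: Authenticator) -> bool:
    """Same proxy: it fetches a genuine challenge and relays the victim's assertion,
    but the victim's browser signed the phishing origin, so both relay paths fail."""
    challenge = rp.challenge()                     # proxy talks to the real RP
    tag = auth.sign(challenge, PHISH_ORIGIN)       # victim's browser is on PHISH_ORIGIN
    # Path 1: the proxy lies and claims the legitimate origin; the tag does not cover it.
    if rp.login(challenge, LEGIT_ORIGIN, tag):
        return True
    # Path 2: the proxy forwards the honest origin; the RP rejects it outright.
    challenge = rp.challenge()                     # first challenge was consumed above
    tag = auth.sign(challenge, PHISH_ORIGIN)
    return rp.login(challenge, PHISH_ORIGIN, tag)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    otp_rp, ob_rp, auth = OtpRelyingParty(), OriginBoundRelyingParty(key), Authenticator(key)
    print("OTP, legitimate login:     ", legit_otp_login(otp_rp))                 # True
    print("OTP, relayed by phishing:  ", phish_relay_otp(otp_rp))                 # True (bypass)
    print("Origin-bound, legitimate:  ", legit_origin_bound_login(ob_rp, auth))   # True
    print("Origin-bound, relayed:     ", phish_relay_origin_bound(ob_rp, auth))   # False
```

The point of the comparison is that the second factor's strength is beside the point against a relay: what defeats the proxy is binding the assertion to the origin the browser actually sees, which is why authenticators that sign the origin are the precaution to prefer over codes delivered by SMS or an app.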

The FBI still maintains that multifactor authentication is effective and is one of the easiest steps to improve an organization’s security.

MFA is disruptive for employees’ productivity

It really is up to you. When implementing any new technology, the challenge is to disrupt employees' productivity as little as possible, which is why flexibility is needed in any MFA solution. Administrators may want to avoid prompting the user for MFA at every logon. A good way to do this is to improve identity assurance with contextual controls. Transparent to the end user, these use environment information to further verify every user's claimed identity without impeding productivity, and call for a second factor only when the context looks unusual. Contextual factors can include location, machine, time, session type and number of simultaneous sessions.
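The following is an added example of such a contextual policy, written for this page and not UserLock's own engine: a logon is allowed silently when it matches the user's normal pattern, stepped up to MFA when any context factor (network location, machine, time, session type) is unusual, and refused outright when the account already has more simultaneous sessions than the policy permits. The networks, hours, hostnames and session values are constructed.

```python
"""Context-aware MFA step-up decision (added example, not UserLock code)."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Hypothetical policy; a real deployment would load these from configuration.
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.10.0/24")]
WORKING_HOURS = (time(7, 0), time(19, 0))      # local time
MAX_CONCURRENT_SESSIONS = 2
ALWAYS_MFA_SESSION_TYPES = {"rdp", "vpn"}      # remote access always steps up


@dataclass
class LoginContext:
    user: str
    source_ip: str
    machine: str
    session_type: str            # "interactive", "rdp", "vpn", ...
    when: datetime
    concurrent_sessions: int     # sessions the account already has open
    known_machines: frozenset    # machines this user normally logs on from


def evaluate(ctx: LoginContext):
    """Return ("allow" | "mfa" | "deny", [reasons])."""
    if ctx.concurrent_sessions >= MAX_CONCURRENT_SESSIONS:
        # One credential in use from too many places at once is a strong
        # indicator of password sharing or theft, so refuse rather than prompt.
        return "deny", [f"{ctx.concurrent_sessions} sessions already open "
                        f"(limit {MAX_CONCURRENT_SESSIONS})"]

    reasons = []
    ip = ip_address(ctx.source_ip)
    if not any(ip in net for net in CORPORATE_NETWORKS):
        reasons.append(f"source {ctx.source_ip} is outside corporate networks")
    if ctx.machine not in ctx.known_machines:
        reasons.append(f"machine {ctx.machine} not previously used by {ctx.user}")
    start, end = WORKING_HOURS
    if not start <= ctx.when.time() <= end:
        reasons.append(f"logon at {ctx.when:%H:%M} is outside working hours")
    if ctx.session_type in ALWAYS_MFA_SESSION_TYPES:
        reasons.append(f"{ctx.session_type} session type")

    if reasons:
        return "mfa", reasons
    return "allow", ["context matches the user's normal pattern"]


# Constructed sample logons for one user.
NURSE_MACHINES = frozenset({"WS-WARD-07", "WS-WARD-08"})
NORMAL = LoginContext("jsmith", "10.1.2.3", "WS-WARD-07", "interactive",
                      datetime(2024, 3, 12, 10, 30), 0, NURSE_MACHINES)
REMOTE = LoginContext("jsmith", "203.0.113.5", "UNKNOWN-LAPTOP", "rdp",
                      datetime(2024, 3, 12, 23, 40), 1, NURSE_MACHINES)
SHARED = LoginContext("jsmith", "10.1.2.3", "WS-WARD-08", "interactive",
                      datetime(2024, 3, 12, 11, 0), 2, NURSE_MACHINES)

if __name__ == "__main__":
    for ctx in (NORMAL, REMOTE, SHARED):
        action, reasons = evaluate(ctx)
        print(f"{ctx.user} from {ctx.machine}: {action}")
        for r in reasons:
            print("   -", r)
```

Note the asymmetry in the rules: anything that merely looks unusual earns a prompt, which a legitimate user passes in seconds, while the concurrent-session limit denies, because a second factor would not tell you which of the simultaneous users is the real one.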

Compromised credentials can happen to anyone, privileged and non-privileged alike. Adopting an MFA solution should be a key security initiative for any company, regardless of size, and can be one of the easiest and simplest ways to keep accounts protected. Discover how UserLock makes it easy to enable MFA and contextual access management in a Windows Active Directory environment.

About The Author

François Amigorena is the founder and CEO of IS Decisions, and an expert commentator on cybersecurity issues.

IS Decisions is a provider of infrastructure and security management software solutions for Microsoft Windows and Active Directory. The company offers solutions for user-access control, file auditing, server and desktop reporting, and remote installations.

Its customers include the FBI, the US Air Force, the United Nations and Barclays, each of which relies on IS Decisions to prevent security breaches, ensure compliance with major regulations such as SOX and FISMA, respond quickly to IT emergencies, and save time and money for the IT department.