The notorious SolarWinds hack that compromised more than 30,000 public and private organizations in 2020 was the “most sophisticated attack the world has ever seen,” according to Microsoft President Brad Smith.
However, there was nothing sophisticated about the flaw that allowed the attack — a weak password (solarwinds123) that exposed the company’s update server.
We’ve known for years that passwords alone no longer provide sufficient protection from unauthorized access. Data breach studies consistently find that about 80 percent of all breaches can be traced to weak, stolen or compromised passwords.
We also know that multifactor authentication (MFA) enhances security by reducing reliance on passwords. However, two recent reports find that surprisingly few organizations are using this basic but essential tool.
Multifactor Authentication Adoption Lags
Microsoft reports that 78 percent of organizations using Azure Active Directory (AAD) haven’t implemented MFA for their user accounts. As a result, company officials say, those accounts are experiencing up to 600 password attacks every second!
Some say MFA processes requiring two or more validation steps to access online accounts and network resources are simply too inconvenient for users. In a recent Experian survey of U.S. business leaders, most said they were willing to accept more risk to avoid disrupting the user experience.
However, we’ve reached a tipping point where access controls are concerned. In today’s remote and hybrid work environments, data is being created and housed across multiple data centers, cloud platforms, edge servers and endpoint devices. Analysts say that as much as half of all data is now created outside the data center and will likely increase to more than 70 percent over the next two years. Organizations must implement stronger controls to protect these widely distributed data sources.
How Multifactor Authentication Is Done
The protection offered by requiring a second authentication factor is well worth the minor inconvenience. Cybersecurity pros say MFA solutions can block more than 99 percent of identity-compromise attacks. Here are some of the most effective methods for provisioning an additional factor:
- Phone authentication. Sending a confirmation code to a user’s mobile phone is probably the most common secondary authentication technique. Users receive one-time passwords or PINs by text message or through a lightweight mobile app. Because these passwords or PINs are randomly generated for each login and protected in transit, they are more secure than codes stored on the device or in a vendor’s database.
- Authentication apps. Applications such as Google Authenticator, LastPass Authenticator, Authy, Duo and Microsoft Authenticator are installed on mobile phones and generate real-time codes that change every 30 seconds. This method is more secure than a text message because the code is generated on the device rather than sent over the network, so it cannot be intercepted in transit by a man-in-the-middle attack.
- Push notifications. In this method, a push notification is sent directly to a secure application on the user’s device, alerting them that an authentication attempt is taking place. Users can view authentication details and approve or deny access with a press of a button, without the need to type in a code.
- Hardware tokens. These are small devices that generate one-time codes based on a cryptographic key stored inside the device. Programmable tokens let the stored key be replaced so the device can be reused. Since tokens have no Internet connection, they are generally very secure options.
Of course, each of these approaches still requires a password as one verification factor. As such, organizations must continue to encourage the use of strong passwords or passphrases that are difficult to crack.
To learn more about protecting user accounts with MFA, give us a call. The GDS security team is here to help you implement security controls and best practices that don’t impair the user experience.