
Better Together: How MFA and Strong Password Practices Can Help Bolster Security

By Darren James

May 30, 2025

It is commonly known that relying solely on a username and password is insufficient to safeguard an account from cyber-attacks. Without a secondary layer of protection, there’s an increased risk of account takeover and compromise. For organizations, this could mean that sensitive company data is at risk of being exfiltrated, systems are at risk of being infected with malware, and stolen credentials could be used to launch attacks on other systems.

The consequences of a cyberattack can be devastating for an organization’s reputation, finances, and customers. To combat this, many organizations use multi-factor authentication (MFA) to add an extra layer of protection to accounts. However, as threats become more sophisticated, cybercriminals are finding ways to get around previously robust MFA measures with increasing ease. This poses the question: is MFA enough to protect against modern threats?

MFA Compromise: Understanding the ‘How’

First, security teams must understand the techniques cybercriminals use to exploit users in MFA attacks and the potential consequences for their organization. Human error frequently plays a role in making MFA attacks possible. For example, in an MFA fatigue attack (or prompt bombing), an attacker floods a user with multiple MFA prompts until the user approves a login request to stop the notifications. These types of attacks play on the frustration of being bombarded with messages.
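One way a security team can spot the prompt-bombing pattern described above in MFA logs is sketched below. This is an added example, not part of the original article; the event format, the 10-minute window and the threshold of five prompts are assumptions to be tuned to the identity provider in use.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (ISO timestamp, user, push result); not real log data.
SAMPLE_EVENTS = [
    ("2025-05-30T02:10:00", "alice", "denied"),
    ("2025-05-30T02:10:40", "alice", "timeout"),
    ("2025-05-30T02:11:15", "alice", "denied"),
    ("2025-05-30T02:12:05", "alice", "timeout"),
    ("2025-05-30T02:13:30", "alice", "denied"),
    ("2025-05-30T02:14:10", "alice", "approved"),   # approval right after a burst
    ("2025-05-30T09:00:00", "bob", "timeout"),      # one missed prompt, then normal login
    ("2025-05-30T09:00:30", "bob", "approved"),
    ("2025-05-30T08:00:00", "carol", "denied"),     # denials spread over hours
    ("2025-05-30T09:00:00", "carol", "denied"),
    ("2025-05-30T10:00:00", "carol", "denied"),
    ("2025-05-30T11:00:00", "carol", "denied"),
    ("2025-05-30T12:00:00", "carol", "denied"),
]

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed number of unapproved prompts that counts as a burst


def detect_prompt_bombing(events, window=WINDOW, threshold=THRESHOLD):
    """Return (user, timestamp, kind) alerts.

    'prompt_burst'         : threshold unapproved prompts inside the window.
    'approved_after_burst' : an approval arrives while such a burst is active,
                             the case that warrants immediate session review.
    """
    recent = defaultdict(deque)  # user -> timestamps of denied/timed-out prompts
    alerts = []
    for ts_str, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        q = recent[user]
        while q and ts - q[0] > window:   # drop prompts older than the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) == threshold:       # fire once when the burst is reached
                alerts.append((user, ts_str, "prompt_burst"))
        elif result == "approved":
            if len(q) >= threshold:
                alerts.append((user, ts_str, "approved_after_burst"))
            q.clear()                     # a fresh approval resets the counter
    return alerts


if __name__ == "__main__":
    for alert in detect_prompt_bombing(SAMPLE_EVENTS):
        print(alert)
```

An `approved_after_burst` alert is the one to escalate: it marks the moment a worn-down user may have approved a login they did not start.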

MFA attacks are also happening in high-profile hacks. In recent years, cybercriminals have exploited helpdesks by socially engineering support staff into bypassing MFA requirements or resetting user credentials. These cybercriminals rely on the empathy of helpdesk staff by impersonating distressed employees. This happened in the case of the 2023 MGM hack, which cost the organization around $100 million. This incident highlights how human error is often found at the center of MFA-related attacks. It also shows that users should not rely on MFA alone to keep hackers away. Human error can undermine the effectiveness of even the most stringent password policies and MFA measures.

Similarly, cybercriminals sometimes target vulnerabilities and privileged accounts to gain access to a system. Cybercriminals have been known to exploit vulnerabilities in web session management to perform session hijacking. They acquire a legitimate user's session ID, a token used for authentication, allowing them to impersonate the user and control their active session. Additionally, some hackers have bypassed MFA by exploiting Single Sign-On (SSO) systems, which allow hackers to access multiple services through a single account. This can be done through session hijacking.

With both tech and humans exploited in MFA-related attacks, is it still worth using MFA? The short answer: yes.

Should My Organization Still Use MFA?

MFA remains an important security measure for organizations and should not be neglected. It provides organizations with a back-up defense against poor passwords and weak logins.

Critically, MFA adds a necessary layer of security that mitigates excess risk, like phishing and stolen credentials being used to access an account easily. Ultimately, MFA makes it harder for attackers to successfully access an account, even though it can be exploited. For some hackers, the amount of effort needed to exploit MFA is enough to abandon efforts altogether, although MFA should not be relied upon to stop this. 

In some cases, MFA is also essential for compliance. Many industries have strict data security regulations that can be met by employing MFA, helping organizations avoid potential fines and legal issues. For example, PCI DSS mandates MFA for admin access to cardholder data environments, protecting sensitive payment card information from being compromised. Similarly, HIPAA requires healthcare organizations to implement access controls to safeguard ‘Protected Health Information’ (PHI), which can be met by employing MFA measures.  

Layering Security: Back to Basic Password Security

Although MFA is beneficial for password security, the significance of implementing basic password policies cannot be emphasized enough. Since many systems rely on passwords, ensuring strong password policies is crucial for maintaining overall security. In the case of MFA, passwords are typically required to initiate the MFA process. Making passwords harder to guess reduces the risk of a hacker successfully getting to the point of needing to bypass MFA. As a result, organizations should not rely solely on a passwordless factor like a PIN or biometric factor.

Organizations should educate users on the importance of strong passwords and good password hygiene. Users should be taught that MFA is not infallible and should not be relied upon to keep an account secure. Good passwords make it harder to access an account in the first place. Education is one way to build a strong, company-wide security culture. A strong security culture emphasizes the significance of protecting crucial information, as employees recognize the worth of data and comply with recommended methods.

Similarly, organizations should put in place a robust recovery procedure in case MFA is lost. MFA failures can include users losing their phones or having an MFA device compromised. Strong passwords can work here as a backup to regain account access. Ultimately, layered security is key, with no one layer held solely accountable for protecting an account entirely. 

Passwords and MFA: Working Together

MFA is undeniably a critical component of a strong security strategy. However, it should not be relied upon heavily to stop cybersecurity incidents. By fostering a strong security culture through education and policies, users can understand the importance of layered security. Ultimately, passwords and MFA work in tandem to provide a robust defense. If one layer fails, the other can still provide protection. A strong security strategy should be multi-layered and not put the onus on humans or tech entirely. 

KEYWORDS: multi-factor authentication password password security

Darren James is a Senior Product Manager at Specops Software, an Outpost24 company. Darren is a seasoned cybersecurity professional with more than 20 years of experience in the IT industry. He has worked as a consultant across various organizations and sectors, including central and local governments, retail and energy. His areas of specialization include identity and access management, Active Directory, and Azure AD. Image courtesy of James
