To meet the increasing cyber security challenges posed by the growth of cloud technology and remote working environments, many enterprises turn to Multi-Factor Authentication, or MFA, as an important line of defence. Yet despite the undoubted security benefits, MFA alone cannot fully protect organisations from unauthorised access to applications.
Password-based authentication has proven inadequate to cope with the security challenges posed by the proliferation of cloud technology. With the average enterprise using 288 different cloud apps, employees are simply required to remember too many passwords, resulting in poor cyber security practices. Passwords that are weak or easy to guess invite brute-force attacks, passwords that are written down or shared are easily leaked or phished, and passwords reused across services turn a breach elsewhere into a credential-stuffing attack against the organisation.
MFA adds a further layer to the authentication process so that an attacker who obtains a user's password still lacks something needed to log in: a one-time code, a push approval, a hardware token or a smart card. Provided the second factor is actually enforced for the app and is not itself compromised, stolen credentials alone are not enough to gain access to the app or network.
A number of factors at work in organisations limit the effectiveness of MFA to fully protect all applications in use. Here are some of the ways in which MFA can fail to protect organisations from data breaches.
While MFA may protect individual apps from being exploited when credentials are compromised, it does nothing to stop the passwords themselves being stolen. Since passwords are commonly reused by employees, stolen credentials can then be used to gain unauthorised access to other apps within the organisation which, for a variety of reasons, are not protected by MFA. Additionally, compromised credentials still have to be reported in security audits and to regulators, regardless of the protection MFA offered on the app where they were first used.
MFA cannot be implemented on applications of which IT has no knowledge or oversight. According to McAfee, Shadow IT usage is at least ten times greater than known cloud usage, meaning that IT departments often only have control over a small fraction of the applications in use. Without visibility of these apps, MFA cannot be implemented or enforced on them, leaving the organisation exposed to all of the problems of password-based authentication.
The undoubted security benefits of MFA often come at the cost of end-user friction. MFA can be frustrating, disruptive and time-consuming for users, when they are attempting to access applications to do their job. Due to the large number of applications in use by employees, even a small increase in the time taken to sign into applications can have a significant effect on employee productivity. As a result, MFA can often be unpopular among end users, who can attempt to circumvent it by using alternative cloud applications, finding workarounds or requesting exceptions.
With the increased prevalence of remote and hybrid working environments, Shadow IT, and Bring-Your-Own-Device policies, users can also find it easier to disable or opt out of MFA requirements.
User exceptions are often granted because of lost, broken or stolen devices, technical issues, complaints from staff, or for third parties. Once an exception has been made it is likely to remain in place for a long time, particularly since user friction deters employees from asking for MFA to be reinstated. One investigation by the New York State Department of Financial Services found that 64% of regulated entities which were required to use MFA had some gap in their coverage, leaving applications open to attack with compromised credentials.
While the additional factors introduced by MFA solutions are typically harder to compromise than a password, they are not impervious to a determined attacker. SMS codes can be intercepted by SIM swapping or by attacks on the telephone network, codes sent by email reach whoever controls the mailbox, and one-time codes and push prompts can be phished in real time or approved by a user worn down by repeated prompts. Even smart cards do not remove the underlying secrets from the network: in Active Directory, an account configured for smart card logon still has an NT hash that can be extracted and used in pass-the-hash, and the Kerberos tickets issued after a smart card logon can be stolen and reused in pass-the-ticket attacks, allowing access without possession of the card.
While MFA reduces the likelihood of a password causing a data breach for the apps on which it is enforced, it does not fully protect against attacks that leverage credentials, nor prevent credentials being compromised in the first place. MFA is only effective where it is active for an application, and necessary exceptions and gaps in coverage caused by incompatibility, ineffective provisioning or the sheer number of apps in use will frequently leave apps vulnerable to attacks using compromised credentials. MFA operates as a safety net against the issues posed by credentials, but it does not tackle the problem at source.
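The three coverage gaps described above (apps IT does not know about, known apps where MFA is never enforced, and "temporary" exceptions that nobody revisits) are all things an organisation can look for in data it already holds. The audit below is an added example written for this page, not code from the original article or from any IAM vendor. It assumes a hypothetical proxy log format of "timestamp user host" and a hand-built application inventory and exception register; all of the sample data is constructed inline so that it runs offline.

```python
"""MFA coverage audit over constructed sample data (added example, not from the original page).

Reports three gap classes:
  1. shadow IT: hosts seen in proxy traffic that IT has no record of (MFA cannot be enforced)
  2. known apps that are in use but where MFA is not enforced
  3. MFA exceptions that have outlived a reasonable review period
"""
from datetime import date, timedelta
import re

# Constructed proxy log in an assumed, hypothetical "timestamp user host" format.
PROXY_LOG = """\
2024-03-01T09:02:11Z alice login.salesforce.com
2024-03-01T09:05:43Z bob app.slack.com
2024-03-01T09:07:19Z carol files.dropbox.com
2024-03-01T10:11:02Z dave files.dropbox.com
2024-03-01T10:15:37Z alice api.trello.com
2024-03-01T11:20:00Z erin login.salesforce.com
2024-03-01T11:42:55Z bob www.example-intranet.local
"""

# Constructed application inventory: the apps IT knows about and whether MFA is enforced.
APP_INVENTORY = {
    "salesforce": {"domains": {"login.salesforce.com"}, "mfa_enforced": True},
    "slack": {"domains": {"app.slack.com"}, "mfa_enforced": False},
    "intranet": {"domains": {"www.example-intranet.local"}, "mfa_enforced": True},
}

# Constructed exception register: who is exempt from MFA on which app, since when, and why.
MFA_EXCEPTIONS = [
    {"user": "alice", "app": "salesforce", "granted": date(2023, 11, 2), "reason": "lost phone"},
    {"user": "erin", "app": "salesforce", "granted": date(2024, 2, 25), "reason": "third party"},
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+)$")


def parse_proxy_log(text):
    """Return a list of (user, host) pairs; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append((m.group("user"), m.group("host")))
    return events


def domain_to_app(inventory):
    """Flatten the inventory into a host -> app name lookup."""
    return {host: app for app, info in inventory.items() for host in info["domains"]}


def find_shadow_it(events, inventory):
    """Hosts seen in traffic that IT has no record of, with the users who reached them."""
    known = domain_to_app(inventory)
    shadow = {}
    for user, host in events:
        if host not in known:
            shadow.setdefault(host, set()).add(user)
    return shadow


def find_unenforced_apps(events, inventory):
    """Known apps that were actually used but have no MFA enforcement, with the users involved."""
    known = domain_to_app(inventory)
    gaps = {}
    for user, host in events:
        app = known.get(host)
        if app is not None and not inventory[app]["mfa_enforced"]:
            gaps.setdefault(app, set()).add(user)
    return gaps


def find_stale_exceptions(exceptions, today, max_age_days=30):
    """Exceptions granted more than max_age_days ago: the 'temporary' exemptions nobody revisited."""
    cutoff = today - timedelta(days=max_age_days)
    return [e for e in exceptions if e["granted"] < cutoff]


def audit(today, events=None, inventory=APP_INVENTORY, exceptions=MFA_EXCEPTIONS):
    """Run all three checks and return one report dictionary."""
    events = parse_proxy_log(PROXY_LOG) if events is None else events
    stale = find_stale_exceptions(exceptions, today)
    return {
        "shadow_it": find_shadow_it(events, inventory),
        "mfa_not_enforced": find_unenforced_apps(events, inventory),
        "stale_exceptions": stale,
        "stale_exception_count": len(stale),
    }


if __name__ == "__main__":
    report = audit(date(2024, 3, 1))
    for host, users in sorted(report["shadow_it"].items()):
        print(f"unknown app {host}: used by {', '.join(sorted(users))}")
    for app, users in sorted(report["mfa_not_enforced"].items()):
        print(f"MFA not enforced on {app}: used by {', '.join(sorted(users))}")
    for e in report["stale_exceptions"]:
        print(f"stale exception: {e['user']} on {e['app']} since {e['granted']} ({e['reason']})")
```

In a real deployment the host list would come from a web proxy or DNS logs, the inventory and exception register from the identity provider, and the 30-day threshold from the exception policy; the useful output is the exception list, which is exactly the set of accounts that an attacker holding a stolen password can still use.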
An IAM solution helps overcome these deficiencies in MFA implementation and maximises its effectiveness. IAM addresses Shadow IT by giving the organisation visibility of the applications actually in use, so that a considered decision can be made about where MFA should be enforced. Single sign-on removes the need for users to hold a separate password for every app, taking password reuse out of their hands and limiting the value of a credential stolen from one app against any other app not protected by a second factor. By streamlining the authentication process, IAM reduces user friction and with it the circumvention and exception requests that friction drives, enabling more comprehensive protection by MFA.
Additionally, the passwordless capability of IAM can remove the need for a separate MFA step at app level: with no password to be phished, guessed or replayed, there is no shared secret for an attacker to steal, which further reduces user friction and enables secure access without the burden of additional factors for specific apps.
Ultimately, an IAM solution tackles the fundamental problem that MFA sets out to solve – compromised credentials enabling unauthorised access to applications – and allows MFA to be applied where required in a more effective way, tackling the root cause of the most common form of cyber-attack, and significantly reducing the attack surface available to malicious actors.