The value of multifactor authentication (MFA) is illustrated by a recently published report by Microsoft’s security team about a multi-stage, large-scale phishing campaign that was effective only against organizations without MFA.
In these attacks, the bad actors first stole victims’ credentials using a fake DocuSign phish that directed them to a spoofed Office 365 login. The attackers then exploited the prevalence of BYOD policies to register their own devices on the target network using the stolen credentials.
However, because properly deployed MFA prevents attackers from using stolen credentials to access devices or networks, those organizations using MFA were safe because the attackers were not able to move forward with the second stage of the attack to expand their presence on the targeted network and propagate the attack further.
The Microsoft security team said the attacks demonstrated just how flawed the use of usernames and passwords is as a method for authentication, but noted that the reliance on this model is still far too common.
The most commonly cited reasons are that MFA is too complex, that users find MFA inconvenient and cumbersome, and that implementing it is costly and risks causing significant helpdesk cost. However, MFA options and methods are continually improving and becoming more affordable, which means that the opposite is true.
In fact, when done correctly, MFA – like many other approaches to passwordless authentication – enables organizations to combine security and convenience without compromise to either.
In the light of the proven security benefits of MFA, there is now really little excuse for enterprises not to adopt MFA to improve security immediately and to begin the move to eliminating passwords altogether.
Passwordless authentication is easier and more secure due to the use of simplified and established biometric authentication to smartphones, for example, and strong security for the device binding, with the device as the second factor of authentication.
The facts are that on the one hand credential compromise is one of the most common ways attackers use to gain access to enterprise networks, organizations of all sizes are being targeted in this way, and continued use of passwords for authentication can lead to lack of trust.
On the other hand, authentication system and service upgrades are probably not as expensive as you think, the risk of compromise and fraud can be used to offset the cost, and advances in MFA systems means that even legacy LoB applications can be covered and that it has never been easier to make the switch, especially with the arrival of high assurance mobile MFA solutions.
Companies and other organizations that are looking to modernize their Identity & Access Management (IAM) solutions and authentication services should familiarize themselves with increasingly wide range of MFA solutions available and choose one that best meets their needs.
MFA is the leading concept for implementing strong authentication, which is defined as the combination of two or more of the following: something you know, something you have, or something you are. MFA is one of the best ways to reduce cybercrime and fraud, particularly account takeover (ATO) fraud. But we still enter passwords every single day.
— John Tolbert, Lead Analyst, KuppingerCole
Because we understand the importance of effective and secure authentication, and because we are committed to helping your business succeed, KuppingerCole has a great deal of content available in a variety of formats.
MFA is an important topic and will be addressed at the 2022 KuppingerCole European Identity and Cloud (EIC) conference taking place in Berlin and online in May. The agenda includes this panel discussion on MFA Usage in the Enterprise, this presentation entitled: MFA, (E-)SSO & Passwordless in Hybrid & Multi-Cloud, and this keynote on the Key Requirements for Next Generation MFA.
Our analysts have written several blogs relating either directly or indirectly to MFA. Have a look at the titles below and choose those that are most appropriate to your organization:
- Has Your Organization Rolled Out MFA Yet?
- High Assurance MFA Options for Mobile Devices
- Free MFA on Windows for the masses
- PSD II, Adaptive Authentication, and Multi-Factor Authentication
- Authentication and Education High on CISO Agenda
- Account Takeovers on the Rise
If you would prefer to listen to what our analyst have to say on MFA-related topics, have a listen to this Analyst Chat about the implications of security products not having their administrative interfaces sufficiently secured with technologies like MFA in and episode entitled: When is a Security Product not a Security Product?
Choose also from other MFA-related Analyst Chats entitled: Enterprise Authentication - an Updated Look at That Market Segment, and How to Protect Data in a Hostile World.
The rapid adoption of cloud is prompting organizations to rethink their requirements for authenticating employees, partners, and suppliers. For some perspectives on MFA in this context, listen to this EIC panel discussion entitled: Is Traditional MFA the Right Solution in a Post-COVID World?
MFA has been the direct and indirect topic of several webinars. To find out more about why passwords are not secure enough and how they can be replaced by MFA, have a look at this webinar entitled: It’s Time to Forget Your Password and Settle for Multi-Factor Authentication and this webinar entitled: We Need to Talk About Passwords – Urgently!
Find out why MFA, particularly for consumers, allows password polices to be more user friendly in this webinar entitled: No Real Security Without Multi-Factor Authentication Everywhere and this webinar entitled: Consumer identity management evolution.
Have a look at the following list of webinars that all related to MFA in some way, and choose the topics that are of most relevance and interest to you and your organization:
- Extending Beyond the Limits of Multi-Factor Authentication With Continuous Adaptive Trust
- Technological Approaches to a Zero Trust Security Model
- Accelerate Your Digital Transformation Through Identity
- Remote Workforce: How to Protect Yourself From Emerging Threats?
- Techniques for Securing Transactions With Identity Verification and Verifiable Claims
- Reduce Dependency on Active Directory With Cloud Identity
Find our more about MFA in the context of trusted and validated identities in this Whitepaper entitled: A World with Validated Identities.
Organizations looking to make investments in MFA-related solutions and seeking insights around the leaders in innovation and product features, can have a look at these Leadership Compasses on:
- Cloud-based MFA Solutions
- Enterprise Authentication Solutions
- Network Detection & Response (NDR)
- Fraud Reduction Intelligence Platforms
For insights around products specifically around Access Management products relating to MFA, have a look at these Leadership Compasses on:
For insights around products relating to MFA in the context of consumer or customer identity, have a look at these Leadership Compasses on:
Organizations investing in technologies to support MFA can have a look at some of the related technology solutions that we have evaluated:
- Hitachi ID Bravura Security Fabric
- Deduce Customer Alerts and Identity Insights
- OneWelcome Customer Identity and B2B identity
- Keyless Biometric Authentication
- PortSys Total Access Control
- Google’s Cloud Identity
- Duo Security
- Atos Evidian IDaaS
- Sophos Intercept X
- Auth0 Authentication Service
- CA Privileged Acces Management Suite
- NRI SecureTechnologies: Uni-ID Libra 2.0