Business Guide To Multi-Factor Authentication (MFA)
How to protect your organization against credential theft and account takeover attacks with MFA.
As the data cosmos expands exponentially, organizations are seeking more flexible and efficient ways of working with large amounts of data. Many companies are finding a solution to this challenge in the cloud, and SaaS applications today hold huge amounts of sensitive company data.
SaaS applications can increase productivity and reduce costs, but can also make it difficult for security teams to maintain control and visibility over user access. This, when left unaddressed, increases the risk of falling victim to an account takeover attack. Unfortunately, cybercriminals know that compromising an employee’s account—by manipulating users into giving up credentials through social engineering attacks, or cracking passwords using brute force—is an easy way to steal corporate data, either to hold ransom or to sell on the dark web. They also know how difficult it is to keep track of each user and device accessing your network. Because of this, credential theft attacks have risen by an alarming 55% since the start of the pandemic.
One of the best ways to secure your organization against these threats is by implementing a robust multi-factor authentication (MFA) solution. MFA ensures that bad actors cannot access user accounts, even if their credentials are compromised.
In this guide, we’ll explain how MFA can secure your corporate accounts against credential theft and account takeover. We’ll also outline the key features to look for in an MFA solution, so that you can be confident you’re making the right decision when it comes to protecting your company’s data.
What Is Multi-Factor Authentication?
Multi-factor authentication is an electronic authentication process that requires the user to verify their identity in two or more ways (factors) before they’re granted access to an account or application. There are three factors by which a user can verify their identity:
- Something they know, i.e., a password, a PIN, or the answer to a secret question.
- Something they have, i.e., an authenticator app or a hardware token.
- Something they are, i.e., the user’s biometric information, such as a fingerprint or face scan, or a voice recording.
Implementing MFA prevents bad actors from accessing an employee’s account, even if they manage to compromise that employee’s username and password.
Some vendors offer “free” MFA services in a bundle with other solutions, promising a lower total cost of ownership, which makes them popular among smaller teams. However, these services often don’t include centralized management functionality, making them difficult to deploy across all of the applications that need protection. So, while the MFA service itself may be free, more IT resources are used in deployment and management, causing an increased administrative overhead. It also negatively impacts user experience, resulting in reduced productivity as users struggle to sign into their accounts.
Why Implement Multi-Factor Authentication?
There are a number of key reasons why you should consider implementing an MFA solution:
Secure Against Account Takeover
In today’s digital world, the threat of account takeover, in which a bad actor seizes control of a user’s account, is very real; last year, over 45% of all data breaches involved hacking, and 80% of those involved brute force or the use of lost or stolen credentials, such as ones compromised in social engineering attacks.
In a social engineering or “phishing” attack, the criminal contacts their victim posing as a trusted source, such as a colleague, and manipulates them into handing over sensitive information like login credentials. In a brute force attack, they program a computer to crack their target’s password, starting with the most common letter/number/symbol combinations and working systematically through all possible characters until it finds the right sequence.
These methods are particularly dangerous because they enable the attacker to take full control of their victim’s account, often completely undetected. This gives them access to corporate data, and also enables them to carry out further, internal phishing attacks to take over accounts with increased privileges.
MFA solutions can protect your organization against up to 99.9% of account takeover attempts by ensuring bad actors can’t access employee accounts, even if they manage to steal an employee’s login credentials.
Mitigate Poor Password Practices
As a global workforce, we approach creating passwords with a sense of apathy—“qwerty” and “password1” consistently top lists of the most commonly used passwords around the world. As well as creating weak passwords, many users store and share passwords insecurely, too—particularly when working remotely. 49% of remote workers store their passwords in the cloud, 51% store them in a document saved to their desktop, and 55% store them on their phone.
Poor password practices make it easier for attackers to steal employee credentials and use them to gain access to corporate data. Unfortunately, even the most robust of password policies won’t eliminate these practices completely.
MFA ensures that the security of your employees’ accounts doesn’t rest solely on an insecure password. After all, it’s much more difficult to steal someone’s fingerprint without them noticing than it is to find out their birthday or the name of their pet.
Some MFA solutions come with integrated single sign-on (SSO), which enables users to securely sign into multiple accounts using just one set of login credentials. SSO reduces password fatigue by eliminating the need for users to create and remember a strong, unique password for each of their accounts. It also ensures a seamless, universal login experience for all users across all applications, and makes it easier for admins to configure global access policies for multiple applications.
Secure Against Vulnerability Exploits
It can be difficult to keep on top of your vulnerability patching, particularly in a cloud environment when you’re responsible for patching application vulnerabilities yourself, rather than relying on the vendor to do it for you. However, applications aren’t the only vulnerable part of your network: your employees’ device’s operating systems (OSs) and web browsers also have vulnerabilities and need updating regularly—something many of us don’t keep on top of. Across managed, corporate Android devices, a shocking 48.5% of updates aren’t managed. Of those that are, only 21.2% are made immediately; the rest are deferred or windowed.
But why is vulnerability patching so important?
Well, recent research has found that over 80% of successful breaches are caused by zero-day attacks, which involve either new or evolved malware strains or the exploitation of vulnerabilities that haven’t been patched.
It’s important to note that not all MFA solutions can mitigate this issue; however, some solutions offer a feature that checks the OS and browser versions of the device trying to gain access to a corporate account. If the software is out of date, it is prone to be exploited by a cybercriminal, and the MFA system denies access from that device and informs them how they can perform the necessary updates themselves.
Implement A Zero Trust Approach
Zero trust security is based on the principle that you shouldn’t automatically trust anyone—or anything—with access to your data, no matter whether that person or device is accessing an application from within or outside your organization’s network.
To implement a zero trust approach, organizations should combine layers of solutions and processes that operate in line with the zero trust principle. By nature, MFA solutions follow this principle: they automatically assume that anyone trying to gain access to corporate data could be a bad actor, and ask that person to verify themselves. The strongest MFA solutions take this a step further by enabling admins to create granular access policies, tailored to their organization’s needs.
Gain Better Insights Into Application Access Activity
It’s a mammoth task for security teams to keep track of application access from every user and device, let alone the time and location of each access attempt. But these insights are crucial to detecting account compromise, as well as better managing access to privileged accounts to help prevent the lateral spread of account takeover attacks.
MFA solutions often offer robust reporting functionality that generates deep insights into account usage. Not only are these reports useful for security purposes, but they can also be used for auditing purposes and to prove regulatory compliance.
What Features Should You Look For In An MFA Solution?
Implementing MFA is critical to keeping your corporate data secure. But there are many MFA products on the market, which can make the process of choosing a solution a little overwhelming.
Because of this, we’ve put together a list of the top features to look for in an MFA solution:
Adaptive Authentication
Adaptive or “risk-based” authentication creates a seamless login experience for the end user, while ensuring that accounts—particularly privileged accounts—are secured against credential theft and account takeover. It does this by intuitively alerting admins to anomalous login behavior.
Adaptive MFA analyzes each user’s regular login behavior to generate a baseline of “normal” login activity. Then, the solution calculates a risk score for each login attempt in real time, based on contextual factors such as time, location, and device type. The further away these contextual factors are from the user’s “normal” behavior, the higher the risk score. Depending on the solution, the user is then either requested to provide further verification of their identity, or an admin is automatically alerted to the suspicious login behavior so that they can examine it and grant or deny access accordingly. Contrariwise, access requests from the user’s normal device and location, during their regular office hours, to an application they use daily, may be granted without alerting an admin or requesting further verification.
As well as considering the user’s login behavior baseline, adaptive MFA uses admin-configured policies to decide the level of verification necessary. For example, admins may require that all users trying to access a privileged account verify their identity in at least two ways. Admins should also be able to set a limit on the number of allowed failed verification attempts before the user is locked out of the account. This prevents hackers gaining access to an account via brute force.
When implementing adaptive authentication, it’s important that you choose authentication methods that are compatible with your employees and their devices; you can’t expect everyone to be able to scan their fingerprint, for example, if they don’t have a smartphone. Alternative methods include one-time passcodes (OTPs) or hardware tokens, which can either be scanned or used to generate a unique OTP. The best solutions support a variety of authentication methods, which can be applied at a user, application or organization level.
Self-Service Authentication
Not all MFA solutions offer this feature, but it’s one that we highly recommend you look for: users should be able to manage their authentication devices and methods themselves. This gives end users the flexibility to choose whichever method works best for them, which streamlines the login process as users can select methods that they’re familiar with.
It also saves help desk resources by reducing the number of tickets raised regarding the need to add or remove a device, or change an authentication method.
Single Sign-On
Single sign-on (SSO) enables users to sign in to multiple accounts with one set of login credentials. Once verified at the start of their session with the SSO provider, the user no longer needs to enter credentials for each application they try to access; instead of asking the user to sign in, the applications redirect authentication requests to the SSO provider.
SSO streamlines the login process and reduces user downtime by ensuring that each employee only has to enter their credentials and verify their identity (using MFA) once during their session. It mitigates the risks associated with poor password practices by eliminating the need for each user to create and remember complex passwords for each of their accounts; with SSO, they need only remember one password.
As well as streamlining the login process for end users, SSO can improve your organization’s overall account security posture by automatically applying MFA to all corporate accounts. This gives admins more control and visibility into account access, by enabling them to easily view and manage access for all connected applications via one interface.
Simplified Management And Policy Configuration
It’s more important than ever for admins to be able to manage their security solutions easily. The management console should provide admins with an overview of authentication processes across the organization at a high level, and enable them to generate reports into user access at a per-user and per-application level.
As well as generating reports, admins should be able to configure authentication policies from the management console. The most efficient policy configuration tools enable the setup of global and per-application policies via a configuration wizard. Some solutions also enable admins to set policies according to user and device. We recommend that you choose a solution that enables you to configure policies around the methods of authentication you’d like users to use, the number of failed access attempts that are allowed before the user is locked out, and adaptive authentication policies that help you to keep tighter control of access to your privileged accounts.
Additionally, admins should be able to manage their MFA subscription from the console, including adding and removing applications and users.
Deployment And Integration
Most MFA solutions deploy in the cloud, which makes them quicker to set up and enables admins to on-board users without installing any on-premises software. The best cloud-based MFA solutions also integrate with custom applications, on-premises and hybrid environments.
It’s important that your chosen solution integrates with your user directory for a more streamlined onboarding and user deactivation process. It should also integrate with all of your existing cloud and web applications, particularly if you’re planning on implementing SSO. MFA solutions often offer a wide range of out-of-the-box integrations with popular applications such as the Microsoft 365 Suite and Salesforce, and some also enable you to create custom integrations with more industry-specific applications.
Summary
Your corporate accounts are the gateways to your kingdom of data; anyone who enters those accounts has free access to the data stored within. Unfortunately, bad actors know this, and they’re continuously developing ways to steal employee credentials to hack into—and take over—their accounts, often undetected by security teams until it’s too late.
One of the most secure and cost-effective ways to protect your corporate data against account takeover is by implementing a strong MFA solution that will prevent bad actors from accessing your users’ accounts, even if they manage to get hold of an employee’s login credentials. As well as securing your organization against sophisticated cyberattacks, an MFA solution can greatly streamline the login process across your organization, reducing downtime and helping to boost productivity by reducing password reset requests. This also reduces the number of help desk support tickets, freeing up valuable admin resources that could be spent elsewhere.
To find the best MFA solution for your business, check out our guide to the top MFA solutions currently on the market.