As the data cosmos expands exponentially, organizations are seeking more flexible and efficient ways of working with large amounts of data. Many companies are finding a solution to this challenge in the cloud, and SaaS applications today hold huge amounts of sensitive company data.
SaaS applications can increase productivity and reduce costs, but can also make it difficult for security teams to maintain control and visibility over user access. This, when left unaddressed, increases the risk of falling victim to an account takeover attack. Unfortunately, cybercriminals know that compromising an employee’s account—by manipulating users into giving up credentials through social engineering attacks, or cracking passwords using brute force—is an easy way to steal corporate data, either to hold ransom or to sell on the dark web. They also know how difficult it is to keep track of each user and device accessing your network. Because of this, credential theft attacks have risen by an alarming 55% since the start of the pandemic.
One of the best ways to secure your organization against these threats is by implementing a robust multi-factor authentication (MFA) solution. MFA ensures that bad actors cannot access user accounts, even if their credentials are compromised.
In this guide, we’ll explain how MFA can secure your corporate accounts against credential theft and account takeover. We’ll also outline the key features to look for in an MFA solution, so that you can be confident you’re making the right decision when it comes to protecting your company’s data.
What Is Multi-Factor Authentication?
Multi-factor authentication is an electronic authentication process that requires the user to verify their identity in two or more ways (factors) before they’re granted access to an account or application. There are three factors by which a user can verify their identity:
- Something they know, i.e. a password, a PIN, or the answer to a secret question.
- Something they have, i.e. an authenticator app or a hardware token.
- Something they are, i.e. the user’s biometric information, such as a fingerprint, a face scan, or a voice recording.
Implementing MFA prevents bad actors from accessing an employee’s account, even if they manage to compromise that employee’s username and password.
Some vendors offer “free” MFA services in a bundle with other solutions, promising a lower total cost of ownership, which makes them popular among smaller teams. However, these services often don’t include centralized management functionality, making them difficult to deploy across all of the applications that need protection. So, while the MFA service itself may be free, more IT resources are spent on deployment and management, increasing the administrative overhead. The lack of centralized management also degrades the user experience, reducing productivity as users struggle to sign in to their accounts.
Why Implement Multi-Factor Authentication?
There are a number of key reasons why you should consider implementing an MFA solution:
Secure Against Account Takeover
In today’s digital world, the threat of account takeover, in which a bad actor seizes control of a user’s account, is very real; last year, over 45% of all data breaches involved hacking, and 80% of those involved brute force or the use of lost or stolen credentials, such as ones compromised in social engineering attacks.
In a social engineering or “phishing” attack, the criminal contacts their victim posing as a trusted source, such as a colleague, and manipulates them into handing over sensitive information like login credentials. In a brute force attack, they program a computer to crack their target’s password, starting with the most common letter/number/symbol combinations and working systematically through all possible characters until it finds the right sequence.
These methods are particularly dangerous because they enable the attacker to take full control of their victim’s account, often completely undetected. This gives them access to corporate data, and also enables them to carry out further, internal phishing attacks to take over accounts with increased privileges.
MFA solutions can protect your organization against up to 99.9% of account takeover attempts by ensuring bad actors can’t access employee accounts, even if they manage to steal an employee’s login credentials.
Mitigate Poor Password Practices
As a global workforce, we approach creating passwords with a sense of apathy—“qwerty” and “password1” consistently top lists of the most commonly used passwords around the world. As well as creating weak passwords, many users store and share passwords insecurely, too—particularly when working remotely. 49% of remote workers store their passwords in the cloud, 51% store them in a document saved to their desktop, and 55% store them on their phone.
Poor password practices make it easier for attackers to steal employee credentials and use them to gain access to corporate data. Unfortunately, even the most robust of password policies won’t eliminate these practices completely.
MFA ensures that the security of your employees’ accounts doesn’t rest solely on an insecure password. After all, it’s much more difficult to steal someone’s fingerprint without them noticing than it is to find out their birthday or the name of their pet.
Some MFA solutions come with integrated single sign-on (SSO), which enables users to securely sign into multiple accounts using just one set of login credentials. SSO reduces password fatigue by eliminating the need for users to create and remember a strong, unique password for each of their accounts. It also ensures a seamless, universal login experience for all users across all applications, and makes it easier for admins to configure global access policies for multiple applications.
Secure Against Vulnerability Exploits
It can be difficult to keep on top of your vulnerability patching, particularly in a cloud environment where you’re responsible for patching application vulnerabilities yourself, rather than relying on the vendor to do it for you. However, applications aren’t the only vulnerable part of your network: the operating systems (OSs) and web browsers on your employees’ devices also have vulnerabilities and need updating regularly, something many of us don’t keep on top of. Across managed, corporate Android devices, a shocking 48.5% of updates aren’t managed. Of those that are, only 21.2% are applied immediately; the rest are deferred or windowed.
But why is vulnerability patching so important?
Well, recent research has found that over 80% of successful breaches are caused by zero-day attacks, which involve either new or evolved malware strains, or the exploitation of vulnerabilities that haven’t been patched.
It’s important to note that not all MFA solutions can mitigate this issue; however, a few solutions, such as Duo, offer a Device Trust feature that checks the OS and browser versions of the device trying to gain access to a corporate account. If that software is out of date, it is liable to be exploited by a cybercriminal, so the MFA system denies access from that device and tells the user how to perform the necessary updates themselves.
Implement A Zero Trust Approach
Zero trust security is based on the principle that you shouldn’t automatically trust anyone—or anything—with access to your data, whether that person or device is accessing an application from inside or outside your organization’s network.
To implement a zero trust approach, organizations should combine layers of solutions and processes that operate in line with the zero trust principle. By nature, MFA solutions follow this principle: they automatically assume that anyone trying to gain access to corporate data could be a bad actor, and ask that person to verify themselves. The strongest MFA solutions take this a step further by enabling admins to create granular access policies, tailored to their organization’s needs.
Gain Better Insights Into Application Access Activity
It’s a mammoth task for security teams to keep track of application access from every user and device, let alone the time and location of each access attempt. But these insights are crucial to detecting account compromise, as well as better managing access to privileged accounts to help prevent the lateral spread of account takeover attacks.
MFA solutions often offer robust reporting functionality that generates deep insights into account usage. Not only are these reports useful for security purposes, but they can also be used for auditing purposes and to prove regulatory compliance.
What Features Should You Look For In An MFA Solution?
Implementing MFA is critical to keeping your corporate data secure. But there are many MFA products on the market, which can make the process of choosing a solution a little overwhelming.
Because of this, we’ve put together a list of the top features to look for in an MFA solution:
Adaptive Authentication
Adaptive or “risk-based” authentication creates a seamless login experience for the end user, while ensuring that accounts—particularly privileged accounts—are secured against credential theft and account takeover. It does this by flagging anomalous login behavior to admins.
Adaptive MFA analyzes each user’s regular login behavior to generate a baseline of “normal” login activity. Then, the solution calculates a risk score for each login attempt in real time, based on contextual factors such as time, location, and device type. The further these contextual factors are from the user’s “normal” behavior, the higher the risk score. Depending on the solution, the user is then either asked to provide further verification of their identity, or an admin is automatically alerted to the suspicious login behavior so that they can examine it and grant or deny access accordingly. Conversely, access requests from the user’s normal device and location, during their regular office hours, to an application they use daily, may be granted without alerting an admin or requesting further verification.
As well as considering the user’s login behavior baseline, adaptive MFA uses admin-configured policies to decide the level of verification necessary. For example, admins may require that all users trying to access a privileged account verify their identity in at least two ways. Admins should also be able to set a limit on the number of allowed failed verification attempts before the user is locked out of the account. This prevents attackers from gaining access to an account by brute force.
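To make the baseline, risk score, step-up and lockout logic described above concrete, here is an added example in Python (it is not code from the original article or from any vendor’s product). The baseline fields, factor weights, thresholds and the sample user are assumptions chosen for illustration.

```python
# Added example: a toy adaptive-MFA policy engine (not any vendor's code).
# Weights, thresholds and the sample baseline are assumptions for illustration.
from dataclasses import dataclass

@dataclass
class Baseline:
    """The user's learned 'normal' login context."""
    countries: set      # countries the user usually signs in from
    device_ids: set     # devices the user has used before
    work_hours: range   # e.g. range(8, 19) covers 08:00 to 18:59
    apps: set           # applications the user signs in to regularly

@dataclass
class Attempt:
    user: str
    country: str
    device_id: str
    hour: int           # hour of day (0-23) of the attempt
    app: str
    privileged: bool = False  # admin policy: privileged apps always need a 2nd factor

# Assumed weights: how much each deviation from the baseline adds to the risk score.
WEIGHTS = {"country": 40, "device": 30, "hour": 15, "app": 15}
STEP_UP_THRESHOLD = 30  # at or above this, ask for an additional factor
ALERT_THRESHOLD = 60    # at or above this, also alert an admin to review the attempt
MAX_FAILURES = 5        # failed verification attempts allowed before lockout

def risk_score(baseline: Baseline, attempt: Attempt) -> int:
    """Sum the weight of every contextual factor that deviates from the baseline."""
    score = 0
    if attempt.country not in baseline.countries:
        score += WEIGHTS["country"]
    if attempt.device_id not in baseline.device_ids:
        score += WEIGHTS["device"]
    if attempt.hour not in baseline.work_hours:
        score += WEIGHTS["hour"]
    if attempt.app not in baseline.apps:
        score += WEIGHTS["app"]
    return score

def decide(baseline: Baseline, attempt: Attempt) -> str:
    """'allow', 'step_up' (extra factor required) or 'alert' (extra factor + admin review)."""
    score = risk_score(baseline, attempt)
    if score >= ALERT_THRESHOLD:
        return "alert"
    if score >= STEP_UP_THRESHOLD or attempt.privileged:
        return "step_up"
    return "allow"

class Lockout:
    """Counts failed second-factor attempts per user; locks the account at MAX_FAILURES."""
    def __init__(self):
        self.failures = {}
    def record_failure(self, user: str) -> bool:
        self.failures[user] = self.failures.get(user, 0) + 1
        return self.is_locked(user)
    def is_locked(self, user: str) -> bool:
        return self.failures.get(user, 0) >= MAX_FAILURES
    def reset(self, user: str) -> None:  # call after a successful verification
        self.failures.pop(user, None)

# Constructed sample baseline for one user (hypothetical values).
ALICE = Baseline({"GB"}, {"laptop-1", "phone-1"}, range(8, 19), {"mail", "crm"})
```

A sign-in from Alice’s usual laptop, country and working hours to an app she uses daily scores 0 and is allowed silently, while a new country plus an unknown device at 03:00 scores 85 and triggers an admin alert.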
When implementing adaptive authentication, it’s important that you choose authentication methods that are compatible with your employees and their devices; you can’t expect everyone to be able to scan their fingerprint, for example, if they don’t have a smartphone. Alternative methods include one-time passcodes (OTPs) or hardware tokens, which can either be scanned or used to generate a unique OTP. The best solutions support a variety of authentication methods, which can be applied at a user, application or organization level.
Self-Service Device Management
Not all MFA solutions offer this feature, but it’s one that we highly recommend you look for: users should be able to manage their authentication devices and methods themselves. This gives end users the flexibility to choose whichever method works best for them, which streamlines the login process as users can select methods that they’re familiar with.
It also saves help desk resources by reducing the number of tickets raised regarding the need to add or remove a device, or change an authentication method.
Single Sign-On (SSO)
SSO enables users to sign in to multiple accounts with one set of login credentials. Once verified at the start of their session with the SSO provider, the user no longer needs to enter credentials for each application they try to access; instead of asking the user to sign in, the applications redirect authentication requests to the SSO provider.
SSO streamlines the login process and reduces user downtime by ensuring that each employee only has to enter their credentials and verify their identity (using MFA) once during their session. It mitigates the risks associated with poor password practices by eliminating the need for each user to create and remember complex passwords for each of their accounts; with SSO, they need only remember one password.
As well as streamlining the login process for end users, SSO can improve your organization’s overall account security posture by automatically applying MFA to all corporate accounts. This gives admins more control and visibility into account access, by enabling them to easily view and manage access for all connected applications via one interface.
Simplified Management And Policy Configuration
It’s more important than ever for admins to be able to manage their security solutions easily. The management console should provide admins with an overview of authentication processes across the organization at a high level, and enable them to generate reports into user access at a per-user and per-application level.
As well as generating reports, admins should be able to configure authentication policies from the management console. The most efficient policy configuration tools enable the setup of global and per-application policies via a configuration wizard. Some solutions, like Duo, also enable admins to set policies according to user and device. We recommend that you choose a solution that enables you to configure policies around the methods of authentication you’d like users to use, the number of failed access attempts that are allowed before the user is locked out, and adaptive authentication policies that help you to keep tighter control of access to your privileged accounts.
Additionally, admins should be able to manage their MFA subscription from the console, including adding and removing applications and users.
Deployment And Integration
Most MFA solutions deploy in the cloud, which makes them quicker to set up and enables admins to onboard users without installing any on-premises software. The best cloud-based MFA solutions also integrate with custom applications, on-premises and hybrid environments.
It’s important that your chosen solution integrates with your user directory for a more streamlined onboarding and user deactivation process. It should also integrate with all of your existing cloud and web applications, particularly if you’re planning on implementing SSO. MFA solutions often offer a wide range of out-of-the-box integrations with popular applications such as the Office 365 Suite and Salesforce, and some also enable you to create custom integrations with more industry-specific applications.
Duo Security is a market-leading vendor specializing in user authentication, access management and zero trust. They offer a suite of subscription-based, cloud-deployed MFA solutions that come in four plans, ranging from Duo Free, for small teams, to Duo Beyond, for large enterprises. This means that organizations of any size, from any industry, can utilize Duo’s robust security features.
Duo MFA And SSO
At the core of Duo’s platform is a combination of powerful adaptive MFA and SSO functionality. Duo supports a wide variety of authentication methods, including hardware tokens, one-time passcodes, FIDO2 security keys, biometric authentication (where the user’s device supports it) and push notifications via its own Duo Push mobile app. Duo Push enables users to quickly and easily verify their identity by “approving” a push notification sent directly to their cell phone. If a user receives a notification of a login attempt that they didn’t request themselves, they can “deny” that attempt, preventing the imposter from accessing their account.
Once signed in and verified, Duo’s cloud-based SAML 2.0 SSO grants users streamlined access to all of their applications for the remainder of their session, without them having to re-enter login credentials. This ensures protection against credential theft and account takeover, while giving users quick, easy access to their corporate accounts.
Duo Admin Console
From the management console, admins are given an overview of their Duo subscription, including the number of active users and devices and the organization’s current state of authentication.
Admins can configure granular authentication policies at a global, per-application and per-user level. The Trust Monitor feature alerts admins to anomalous access attempts based on contextual information such as who the user is, what application they’re trying to access, from which device, at what time, from where and using which method of authentication.
Duo’s Device Trust feature restricts access when a user’s device doesn’t meet the organization’s security requirements, e.g. when the device isn’t enrolled in the corporate device management system, when its operating system or browser is out of date, or when security settings, such as the firewall, a device password or disk encryption, aren’t enabled. When a user attempts to sign in, Duo checks their device’s health posture against these requirements, preventing users from accessing sensitive corporate data via devices with out-of-date operating systems, browsers or software. This prevents attackers from gaining access to corporate accounts by exploiting known vulnerabilities.
If an access request is denied due to the device’s health posture, Duo informs the user on how they can remediate the security issue themselves via the self-service portal. With the self-service portal enabled, users can manage their own authentication devices and methods, as well as remediate authentication issues caused by device health. This saves IT help desk resources, freeing up admin time to focus on management and analytics.
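The device health check described here and in the earlier “Secure Against Vulnerability Exploits” section, as an added example in Python that is not Duo’s own code: it evaluates a device posture against a policy and returns one remediation instruction per failed requirement. The minimum versions are hypothetical, and version strings are assumed to be dotted numbers such as “10.0.19045”.

```python
# Added example: a simplified device-trust check (not Duo's code).
# MIN_VERSIONS is a hypothetical policy; versions are assumed to be dotted integers.
from dataclasses import dataclass

# Assumed policy: lowest acceptable versions, compared as tuples of integers.
MIN_VERSIONS = {"macos": (13, 6), "windows": (10, 0, 19045), "chrome": (120, 0)}

@dataclass
class DevicePosture:
    os_name: str
    os_version: str
    browser: str
    browser_version: str
    enrolled: bool        # enrolled in the corporate device management system
    firewall_on: bool
    screen_lock_on: bool  # a password or PIN is required to unlock the device
    disk_encrypted: bool

def parse_version(version: str) -> tuple:
    """'10.0.19045' -> (10, 0, 19045), so tuple comparison orders versions correctly."""
    return tuple(int(part) for part in version.split("."))

def version_ok(name: str, version: str) -> bool:
    """True when the version meets the policy minimum; unknown platforms fail closed."""
    minimum = MIN_VERSIONS.get(name.lower())
    return minimum is not None and parse_version(version) >= minimum

def evaluate(device: DevicePosture) -> list:
    """Return one remediation instruction per failed requirement (empty list = trusted)."""
    findings = []
    if not device.enrolled:
        findings.append("Enroll this device in the corporate device management system.")
    for kind, name, version in (("OS", device.os_name, device.os_version),
                                ("browser", device.browser, device.browser_version)):
        if not version_ok(name, version):
            minimum = MIN_VERSIONS.get(name.lower())
            wanted = ".".join(map(str, minimum)) if minimum else "a supported version"
            findings.append(f"Update your {kind} ({name} {version}) to {wanted} or later.")
    if not device.firewall_on:
        findings.append("Turn on the device firewall.")
    if not device.screen_lock_on:
        findings.append("Require a password or PIN to unlock the device.")
    if not device.disk_encrypted:
        findings.append("Enable full-disk encryption.")
    return findings

def access_decision(device: DevicePosture) -> str:
    """Deny access from any device that fails a requirement; otherwise allow."""
    return "deny" if evaluate(device) else "allow"
```

The findings list is what a self-service portal would show the user so they can fix the device themselves; a platform the policy does not know about is denied rather than waved through.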
Duo Deployment And Integration
Duo deploys in the cloud and supports integration with Microsoft Active Directory, Azure Active Directory and OpenLDAP directory. This streamlines the user onboarding process, making it quick to set up account protection organization-wide. It also means that users who are removed from the directory are automatically removed from the company’s Duo subscription, which can help save costs as all Duo plans are subscription-based per user.
Duo also offers out-of-the-box integrations with hundreds of popular workplace applications via the Duo Security API. Admins can also create custom integrations with SAML 2.0-enabled cloud applications. This means that admins can secure and manage access to all of their existing applications, and users need only authenticate themselves at the beginning of their session in order to access all of their workplace apps.
Your corporate accounts are the gateways to your kingdom of data; anyone who enters those accounts has free access to the data stored within. Unfortunately, bad actors know this, and they’re continuously developing ways to steal employee credentials to hack into—and take over—their accounts, often undetected by security teams until it’s too late.
One of the most secure and cost-effective ways to protect your corporate data against account takeover is by implementing a strong MFA solution that will prevent bad actors from accessing your users’ accounts, even if they manage to get hold of an employee’s login credentials. As well as securing your organization against sophisticated cyberattacks, an MFA solution can greatly streamline the login process across your organization, reducing downtime and helping to boost productivity by reducing password reset requests. This also reduces the number of help desk support tickets, freeing up valuable admin resources that could be spent elsewhere.
Duo Security’s solution offers secure, streamlined access to all of your corporate accounts and applications. The solution is compatible with a wide range of authentication methods and comes with hundreds of out-of-the-box integrations, making it highly flexible to meet the precise needs of your organization.