The misperception of Multifactor Authentication


If you want to prevent unauthorized access, multi-factor authentication (MFA) is one of the most effective measures your organization can implement. Without MFA, the other security measures you have in place can be circumvented.

One of the most potentially dangerous threats to a business today is poor login security. A recent report shows that 81% of breaches leveraged either stolen or weak passwords. The problem with these attacks is that they are very hard to detect: the attacker is in possession of valid credentials, so why would any security tool flag anything unusual? When a user logs in, your security solutions assume that the person logging in is who they claim to be.

Despite knowing the threat, many businesses still don’t take password security seriously enough. According to a survey we conducted a couple of years ago, only 38% of organizations used MFA. What’s worrying is that recent research shows things haven’t really changed since then.

Four misconceptions about Multifactor Authentication

  1. “My organization is too small to use MFA”

The first misconception is that MFA is only for large enterprises, not for small-to-medium sized businesses (SMBs). That’s wrong. MFA benefits all companies regardless of size, and it should be part of any business’ security strategy. When you think about it, it’s only logical: whether you’re an SMB or a large enterprise, the data you’re trying to protect is just as important and sensitive. MFA can be adapted to your environment, and it doesn’t have to be complex or expensive!

  2. “I don’t have privileged users so I don’t need to use MFA”

The second misconception about MFA is that it should be used only to protect privileged users. Based on that, many organizations decide not to use it because they believe their users are not privileged, so MFA seems excessive. Well, let me tell you something: even if you don’t consider your users as having access to critical data, they still have access to enough data to harm your company. To illustrate this, think of a nurse selling a celebrity patient’s information to a journalist. You can easily see the value of the data being inappropriately used and the harm that can be done.

Furthermore, it’s very rare for a hacker to start with a privileged account. Most of the time they start with whichever account falls for a phishing scam and then move laterally within the network.

  3. “MFA can be bypassed so it’s not perfect”

That’s true, MFA is not perfect, but no security solution is. MFA is actually pretty close. According to last month’s warning issued by the FBI, recent attacks show that hackers were able to bypass MFA. The FBI identified two main authenticator vulnerabilities: ‘Channel Jacking’, which involves taking over the communication channel used by the authenticator, and ‘Real-Time Phishing’, which uses a machine-in-the-middle that intercepts and replays authentication messages. However, experts agree that this type of attack requires high cost and effort. Typically, cybercriminals who encounter MFA would rather move on to their next target than try to circumvent this measure. Certain vulnerabilities can be avoided by choosing MFA authenticators that do not rely upon SMS authentication. (The National Institute of Standards and Technology (NIST) discourages SMS and voice in its latest Digital Identity Guidelines.)

The FBI still recommends using MFA as it is highly effective and it’s a simple step to improve your security.

  4. “MFA is disruptive so it will impede users’ productivity”

This is also a misconception, in the sense that it doesn’t have to be true. Let me explain. Every time your organization wants to implement a new technology, it comes with a challenge: how do I implement it without impeding my users? Obviously, if the solution is too disruptive, it will be adopted slowly or not at all. This is why you need to choose an MFA solution that offers flexibility, one that can be customized to your own needs. To do so, contextual controls can be used in conjunction with MFA to further verify users’ claimed identity. Contextual factors don’t disrupt employees and can include time, location, session type, machine and number of simultaneous sessions.
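The following is an added example, not code from the article or from IS Decisions, showing how the contextual factors listed above (time, location, session type, machine, number of simultaneous sessions) can be evaluated together with the second factor after the password has already been verified. It also illustrates the earlier point that a valid password alone reveals nothing: both sample attempts below carry the correct password, and only the contextual checks tell them apart. The policy fields, user names, machine names and country codes are constructed for illustration.

```python
"""Contextual access checks evaluated alongside MFA.

Added example, not code from the article or from IS Decisions. The policy
structure and all sample values are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class UserPolicy:
    """Hypothetical per-user contextual policy (assumed structure)."""
    work_hours: Tuple[time, time]      # permitted local login window
    countries: FrozenSet[str]          # permitted source countries
    session_types: FrozenSet[str]      # e.g. "console", "rdp", "vpn"
    known_machines: FrozenSet[str]     # workstations the user may log in from
    max_sessions: int                  # simultaneous sessions allowed


@dataclass(frozen=True)
class LoginAttempt:
    """A login whose password has ALREADY been verified by the directory."""
    user: str
    when: datetime
    country: str
    session_type: str
    machine: str
    mfa_ok: bool                       # did the second factor succeed?


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(attempt: LoginAttempt, policy: UserPolicy, active_sessions: int) -> Decision:
    """Deny when any contextual rule fails or the second factor is missing.

    Every failed rule is recorded so the event can be logged and investigated;
    a correct password on its own never produces an ALLOW here.
    """
    reasons: List[str] = []
    start, end = policy.work_hours
    if not (start <= attempt.when.time() <= end):
        reasons.append("outside permitted hours")
    if attempt.country not in policy.countries:
        reasons.append(f"source country {attempt.country} not permitted")
    if attempt.session_type not in policy.session_types:
        reasons.append(f"session type {attempt.session_type} not permitted")
    if attempt.machine not in policy.known_machines:
        reasons.append(f"unknown machine {attempt.machine}")
    if active_sessions >= policy.max_sessions:
        reasons.append("simultaneous-session limit reached")
    if not attempt.mfa_ok:
        reasons.append("second factor not presented")
    return Decision(allow=not reasons, reasons=reasons)


# Constructed sample policy for a non-privileged user (a ward nurse, say).
NURSE_POLICY = UserPolicy(
    work_hours=(time(7, 0), time(19, 0)),
    countries=frozenset({"US"}),
    session_types=frozenset({"console"}),
    known_machines=frozenset({"WARD3-PC01", "WARD3-PC02"}),
    max_sessions=1,
)

# Constructed sample attempts; both present the correct password.
NORMAL = LoginAttempt("jdoe", datetime(2019, 10, 14, 9, 30), "US", "console", "WARD3-PC01", True)
STOLEN = LoginAttempt("jdoe", datetime(2019, 10, 14, 2, 15), "ZZ", "rdp", "UNKNOWN-HOST", False)


def demo() -> Tuple[Decision, Decision]:
    """Evaluate both attempts; for the second, the user already has one session open."""
    return (
        evaluate(NORMAL, NURSE_POLICY, active_sessions=0),
        evaluate(STOLEN, NURSE_POLICY, active_sessions=1),
    )


if __name__ == "__main__":
    for name, decision in zip(("normal", "stolen"), demo()):
        print(name, "ALLOW" if decision.allow else "DENY", decision.reasons)
```

The normal daytime login from a known ward PC passes silently, so the employee is not disturbed; the out-of-hours remote login from an unknown machine is denied with every failed rule listed, which is exactly the signal a security team can alert on even though the password was right.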

Anyone can be a victim of stolen credentials – privileged and non-privileged users, working in an SMB or a large enterprise. This is why MFA should be part of your security strategy to better protect your users’ access.

About the Author
François Amigorena is the founder and CEO of IS Decisions, and an expert commentator on cybersecurity issues.

IS Decisions is a provider of infrastructure and security management software solutions for Microsoft Windows and Active Directory. The company offers solutions for user-access control, file auditing, server and desktop reporting, and remote installations.

Its customers include the FBI, the US Air Force, the United Nations and Barclays — each of which relies on IS Decisions to prevent security breaches, ensure compliance with major regulations such as SOX and FISMA, quickly respond to IT emergencies, and save time and money for the IT department.