The comedian Jerry Seinfeld once suggested an exciting idea for security. Why don’t you put six locks on your door, he asked, and then only lock three? That way, if someone picks the lock, they’ll keep locking the door!
This advice is tongue-in-cheek. But it does have some truth to it: if a lock is not enough, you can add some technical hurdles that make it much more difficult to break and enter. The notion is particularly relevant to cybersecurity. Digital security’s traditional lock, the password, is still a valuable part of the security process. But it’s not effective on its own.
Criminals can intercept passwords in several ways. They can dupe people into handing over their login information, most commonly through phishing e-mails. They can steal the info with key loggers or other spyware. They can even intercept the password traffic and try to decipher it.
“We can debate whether passwords are still valid or not,” says Brandon Meszaros, cybersecurity specialist at Digital Resilience Insight. “I believe they still add much value, especially if you use a strong password management system such as LastPass. But passwords are not enough on their own. They need a second level of protection such as multi-factor authentication, which is very effective against ransomware attacks, phishing, man-in-the-middle attacks, credential stuffing and brute-force attacks.”
Most people and companies do not use multi-factor authentication. According to a recent Microsoft report, only 28% of its clients enable such controls. Yet 99 % of breached accounts had no multi-factor protection.
If multi-factor authentication strengthens security discernibly, why aren’t people using it?
An MFA desert
Multi-factor authentication (MFA) and two-factor authentication (2FA) provide additional security for account logins. In a typical example, a person will log into a service with their username and password. They are then prompted to enter an additional code, spontaneously generated and sent to an e-mail address or phone number.
This code can also come from an authentication app or appear as a popup on a device. Banking apps use this concept, prompting customers to type in one-time Pins or approve prompts on their banking apps. Though MFA systems are not impervious, they make it much harder for criminals to breach an account.
“An adversary will need to know your username and password and also have access to whatever account or device receives your authentication code,” says Meszaros. “They can’t use old codes because these expire in a few minutes. They have to go the extra mile to get what they want. For example, Sim swaps happen so criminals can control the phone and approve sensitive transactions. That’s a way to avoid MFA safeguards. But it’s extra work, and in most cases it’s easier to find a softer target that doesn’t use MFA.”
Despite this added security, most businesses and people do not activate MFA measures. A Cyber Readiness Institute study released last year found that more than half of small businesses don’t have MFA protection or do not even know about it. Enterprises fare somewhat better.
It’s bizarre, since MFA adoption is one of the tenets of basic security hygiene and a best practice proposed by all major technology vendors. Google’s research found that “simply adding a recovery phone number to your Google account can block up to 100% of automated bots, 99% of bulk phishing attacks and 66% of targeted attacks that occurred during our investigation.”
Prompting MFA adoption
“People are reluctant to use MFA for several reasons, but they generally come down to either a lack of understanding or a belief that MFA hurts productivity,” says Meszaros. “The latter can be true, but it doesn’t have to be.”
He lists several barriers against MFA adoption:
- Lack of awareness: Business leaders and users don’t know about MFA or realise it’s a feature that is available.
- Implementation confusion: Companies don’t know how to add MFA or think it will be expensive.
- Productivity concerns: MFA is considered cumbersome and slows people down.
- Burden of a device: People don’t always have an authentication device with them.
- Too much MFA: Environments with many apps have overwhelming MFA requests.
- No policy support: Companies don’t have rules requiring MFA security.
Lack of awareness is hardly an excuse. Practically all banks use some form of MFA to authenticate sensitive interactions.
“We meet people who say, ‘It sounds great, but we can’t afford it’, not realising they probably already have it as a feature in their security systems. For example, Microsoft 365 (previously Office 365) has native MFA features.”
Some cite productivity concerns, noting that it stops people from logging in. This issue can overlap with another problem – too much MFA – yet that is simple to remedy.
“If you have many apps asking for their MFA, you can simplify things with single sign-on platforms and password management tools. For example, LastPass incorporates MFA features and delivers them through several channels. That also addresses the burden issue because you can set MFA to work through e-mail, SMS, fingerprint recognition or voice. You can even create a passwordless environment. Since users generally loathe passwords, MFA can improve security compliance.”
You can even create a passwordless environment. Since users generally loathe passwords, MFA can improve security compliance
Organisations should also consider creating rules that enforce MFA adoption. “Many companies just don’t make it a mandatory requirement. However, I’d caution companies not to be draconian and just make a clear and simple policy. Look at workflows and how people access apps, or else you can create a situation ripe for lower productivity or user insubordination.”
Multi-factor authentication is hugely effective. Some services already skip password authentication, instead sending a temporary code when someone attempts a login. While that won’t entirely stop cyberattacks, it deters most criminals and assists in them moving them onto softer targets.
“MFA is crucial,” says Meszaros. “Once used, never regretted.”
- Read more articles by Digital Resilience Insight on TechCentral
- This promoted content was paid for by the party concerned