Multi-Factor Authentication: The Good, The Bad, and The Ugly
Multi-Factor Authentication (MFA) is a necessity and a great start towards proactively protecting your most valuable information and keeping it out of the hands of threat actors. However, having MFA does not make you invulnerable. On October 20th, KnowBe4 hosted "Hacking Multi-factor Authentication," in which its Data-Driven Defense Evangelist, Roger Grimes, shared lessons learned from testing 150 MFA products for his most recent book. Here's what we learned:
While MFA doesn't guarantee complete protection (no solution does), selecting the right MFA solution goes a long way towards securing access to your organization's data and preventing financial and reputational loss. Among the popular MFA options, Grimes singled out phone applications as particularly strong, especially those that use push notifications. MFA vendors that share their threat model, follow a secure development lifecycle, run open bug bounties, and build on open, transparent standards should be regarded as stronger choices than vendors that claim to be "unhackable" or rely on proprietary cryptography. Grimes recommends looking at vendors that use a standard such as FIDO2 (Fast Identity Online) for authentication.
There is no "best" MFA solution; each has its own set of flaws that can allow it to be hacked. Additionally, overly complex or overly strict solutions can be counterproductive: they will not gain traction within your organization because of the learning curve and the inconvenience of using them.
SMS-based authentication should be avoided where possible: threat actors can use methods such as SIM swap attacks to intercept authentication codes delivered by SMS, and NIST SP 800-63 has recommended against SMS-based authentication since 2017. Additionally, the rise of quantum computing in the near future means that traditional asymmetric cryptography may no longer be as secure, so any MFA solution you consider must have crypto-agility or use quantum-resistant cryptography.
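The two recommendations above (prefer an open standard such as FIDO2, and insist on crypto-agility) are easier to judge when you see what a relying party actually checks. The following is an added example written for this post, not code from KnowBe4, Roger Grimes or any FIDO2 product: a minimal relying-party verifier for a WebAuthn-style "get" assertion. It performs the checks the standard mandates (ceremony type, fresh challenge, expected origin, RP ID hash, user-presence flag, monotonically increasing signature counter) and selects the signature algorithm from a registry keyed by an algorithm identifier, so a retired algorithm is removed by deleting one entry. The RP ID and origin are assumptions, the algorithm names are hypothetical labels (real WebAuthn uses COSE numbers), and HMAC stands in for the authenticator's public-key signature so the block runs with only the standard library; a real relying party stores only the credential's public key.

```python
"""Added example: relying-party verification of a FIDO2/WebAuthn-style assertion.
Not from the webinar or this post. HMAC replaces the authenticator's public-key
signature so that only the Python standard library is needed."""
import base64
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"                # assumption: this relying party's ID
EXPECTED_ORIGIN = "https://login.example.com"  # assumption: the only origin we accept

# Crypto-agility: the algorithm is chosen by an identifier stored with the credential.
# Adding or retiring an algorithm changes this table, not the protocol or the verifier.
# Names are hypothetical labels; WebAuthn itself uses COSE algorithm numbers.
SIGNATURE_ALGS = {
    "hmac-sha256": hashlib.sha256,
    "hmac-sha512": hashlib.sha512,
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def issue_challenge() -> str:
    """Fresh random challenge; the RP remembers it for exactly one ceremony."""
    return b64url(secrets.token_bytes(32))


def simulate_authenticator(authenticator: dict, origin: str, challenge: str, rp_id: str = RP_ID) -> dict:
    """Constructed stand-in for an authenticator answering a 'get' request.
    The browser supplies origin and rp_id; the signed data is bound to both."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    authenticator["counter"] += 1
    auth_data = (hashlib.sha256(rp_id.encode()).digest()       # rpIdHash (32 bytes)
                 + bytes([0x01])                                # flags: user present
                 + authenticator["counter"].to_bytes(4, "big"))  # signature counter
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(authenticator["key"], signed, SIGNATURE_ALGS[authenticator["alg"]]).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def verify_assertion(record: dict, expected_challenge: str, assertion: dict) -> bool:
    """Relying-party checks; raises ValueError naming the first failed check."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    if not hmac.compare_digest(client.get("challenge", ""), expected_challenge):
        raise ValueError("challenge mismatch (replayed or stale assertion)")
    if client.get("origin") != EXPECTED_ORIGIN:   # assertion was produced for another site
        raise ValueError(f"origin mismatch: {client.get('origin')!r}")
    auth_data = assertion["authenticatorData"]
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        raise ValueError("rpIdHash mismatch")
    if not auth_data[32] & 0x01:
        raise ValueError("user presence not asserted")
    count = int.from_bytes(auth_data[33:37], "big")
    if count <= record["sign_count"]:
        raise ValueError("signature counter did not increase (possible cloned authenticator)")
    digest = SIGNATURE_ALGS.get(record["alg"])
    if digest is None:                            # algorithm retired from the registry
        raise ValueError(f"algorithm {record['alg']!r} not enabled")
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(record["key"], signed, digest).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        raise ValueError("bad signature")
    record["sign_count"] = count
    return True


def _outcome(record: dict, challenge: str, assertion: dict) -> str:
    try:
        verify_assertion(record, challenge, assertion)
        return "accepted"
    except ValueError as err:
        return "rejected: " + str(err)


def demo() -> dict:
    """Runs the verifier against a legitimate login and four failure modes."""
    key = secrets.token_bytes(32)   # shared only because HMAC is the stand-in signature
    authenticator = {"key": key, "alg": "hmac-sha256", "counter": 0}
    record = {"key": key, "alg": "hmac-sha256", "sign_count": 0}
    outcomes = {}

    challenge = issue_challenge()
    assertion = simulate_authenticator(authenticator, EXPECTED_ORIGIN, challenge)
    outcomes["legitimate login"] = _outcome(record, challenge, assertion)
    # Same assertion presented again against a fresh challenge.
    outcomes["replayed assertion"] = _outcome(record, issue_challenge(), assertion)
    # Assertion produced while the user was on a look-alike origin (constructed name).
    challenge = issue_challenge()
    phished = simulate_authenticator(authenticator, "https://login-example.com.invalid", challenge)
    outcomes["assertion from other origin"] = _outcome(record, challenge, phished)
    # A copy of the authenticator whose counter has fallen behind the stored one.
    challenge = issue_challenge()
    clone = dict(authenticator, counter=0)
    outcomes["cloned authenticator"] = _outcome(record, challenge, simulate_authenticator(clone, EXPECTED_ORIGIN, challenge))
    # Credential registered under an algorithm since removed from SIGNATURE_ALGS.
    challenge = issue_challenge()
    old_record = dict(record, alg="hmac-md5")
    outcomes["retired algorithm"] = _outcome(old_record, challenge, simulate_authenticator(authenticator, EXPECTED_ORIGIN, challenge))
    return outcomes


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:32} {result}")
```

The origin check is what separates this from an SMS or TOTP code: a one-time code typed into a look-alike page is valid anywhere, whereas the assertion above carries the origin it was created for and fails on any other. The signature-counter check is a defender-side signal worth logging; a counter that goes backwards is a reason to investigate the credential, not just to deny the login.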
Multi-Factor Authentication is necessary to add a layer of protection between your most sensitive data and threat actors, but not all MFA is created equal. Get a complimentary consultation from one of our cyber professionals to find out which steps are best for your company's size and budget, and view the entire webinar from KnowBe4.