MFA, or multi-factor authentication (sometimes referred to as two-factor authentication or 2FA), is a security enhancement that requires the user to provide two pieces of evidence (credentials) when logging in to an account.

Credentials fall into these three categories:

1. Something you know (password or PIN)
2. Something you have (code or token)
3. Or something you are (something biometric – fingerprint or retina scan).

Credentials must come from two different categories in order for MFA or 2FA to be active, and enhance security. Entering two different passwords for example would not be considered multi-factor as they are both from the same category.

Consider the process of logging in to your bank account: If a user has turned on MFA, or if their bank turned it on for them, things will go a little differently than the traditional username-password scenario. Firstly, they will submit their username and password as usual. Then, as a second factor, a code will be sent to the user via an authenticator app, or via SMS. This code will need to be submitted before the user can access their account. Note that this code is often referred to as a one-time code, meaning that it can only be used once and will expire within a short time.

[MFA is…] One simple action you can take to prevent 99.9 percent of attacks on your accounts.

– Melanie Maynes, Senior Product Marketing Manager, Microsoft Security

Why Do I Need MFA?

Scale of the Problem

Microsoft has revealed that there are over 300 million fraudulent sign-in attempts to Azure cloud services every day. Cyberattacks are not slowing down, and it is worth noting that many attacks have been successful without the use of advanced technology or skills. In fact, there are numerous resources online that “teach” people how to breach security protocols in common systems without more than the ability to follow a few steps on a video or guide. Failing that, the rise of ransomware-as-a-service is providing the opportunity for users without skills to utilise those with skills to “hunt” on their behalf.

All it takes is one compromised credential or legacy application to cause a data breach, and these situations are almost never simple to resolve and will leave a legacy of their own.

Time and time again we see user passwords treated with minimal to no security. They are left unencrypted, reused again and again, perhaps even written down on a note pad, and left as the single source of defence to protect critical data from the outside world. This practice has resulted in billions of dollars stolen and enormous data breaches from which it takes organisations months, sometimes years, to recover.

Or worse, threat actors sell your legitimate credentials over and over, meaning your organisation never has time to recover and is constantly on the defensive.

Common Vulnerabilities

In a paper from the SANS Software Security Institute, the most common vulnerabilities include:

1. Business email compromise.

This is where an attacker gains access to a corporate email account through methods such as phishing or spoofing, and uses it to exploit the system and access financial accounts.

Accounts that are protected with only a password are easy targets. Recent examples of these types of attacks often start with an employee receiving an email from a trusted sender who has themselves been compromised. Often this sender is a supplier which the employee deals with regularly. The employee is encouraged to open an attachment which may be a regular and expected activity when receiving emails from the sender (e.g. Purchase Orders, Invoices etc). The attachment is a fraudulent replica of the Microsoft 365 Sign-In page and the employee enters their Office 365 password. At this point without MFA, their mailbox is compromised.

Once the phishing attack defeats the AntiSpam solution within a firewall or email client, MFA is the final, and most effective line of defence.

2. Legacy protocols.

This is because applications that use basic protocols, such as SMTP, were not designed to manage Multi-Factor Authentication (MFA). So even if MFA is required for most use cases, attackers will search for opportunities to use outdated browsers or email applications that are forced to use less secure protocols, and breach this way.

3. Password reuse.

Remembering passwords is a nightmare, which is why up to 73 percent of passwords are duplicates, and why password vaults have become so popular.

A common method of vulnerability attack is what is referred to as “password spray” or “credential stuffing” attacks. Essentially this refers to a process by which a malicious operator looks to access a user’s system by recycling common passwords in the hope that the user being targeted has used one in their accounts.

While this process is less sophisticated than other measures, it requires fewer skills and is incredibly successful.

What You Can Do to Protect Your Company

1. Start by creating a policy around security and in particular, password requirements. If the option exists to set minimal password requirements on your systems, do so. If not, an education process needs to be considered and should be a core element of any IT security strategy.
2. Ensure that legacy authentication systems are replaced, updated, or isolated so that they are no longer a risk.
3. Keep employees trained up and aware of phishing tactics, common vulnerabilities, and security measures so that they are not the weakness. The best laid plans are ineffective if the personnel do not understand the plans.

One of the quickest and easiest measures an organisation can take to circumvent the likelihood of a breach is to turn on MFA wherever possible. By providing an extra barrier and layer of security, MFA can block over 99.9 percent of account compromise attacks.

With MFA, knowing or cracking a lazy password isn’t enough, but it might be enough to turn a malicious operator away.