Why MFA Alone Isn’t Enough for True Cybersecurity
Multi-factor authentication (MFA) was once an unfamiliar term, but today, with hacks and data breaches dominating the headlines, it's fair to say that most people see MFA as a no-brainer – for now.
Companies and consumers alike consider MFA the safer, more secure option. That isn't wrong (it is safer than single-factor authentication), but it does not solve the underlying password problem, which keeps growing across every digital channel. In fact, despite widespread MFA adoption, account takeover fraud generated a $3.3 billion loss in 2020.
Ever since the “password” was invented in the 1960s, it has been a topic of contention. The intent, always positive; but the efficacy, an ongoing debate – especially with the pace at which technology is evolving.
Three kinds of MFA are in common use today. The first is the One-Time Password (OTP): a short string of digits that an app generates for the user after they have entered a username and password. The OTP is still a secret the user reads and types (it's in the name, after all!), so it is subject to MFA phishing, in which a look-alike site collects the code and replays it to the real site within the code's validity window, as well as to mobile malware and keyloggers.
The second kind is SMS two-factor authentication (the most common OTP delivery method today), in which the OTP is sent to the user's phone by text message. Here the code can be delivered to the wrong number by mistake, read from a stolen phone, or intercepted through SS7 network attacks. In fact, the National Institute of Standards and Technology (NIST) stopped recommending SMS as a strong second factor back in 2016, in its draft of SP 800-63B!
Finally, push authentication is another mobile-centric method: the service provider sends a notification to the user's phone and the user taps the screen to approve the login. Push can be part of a passwordless system if the solution is built on PKI or certificate-based authentication, but most push deployments are an MFA mode layered on top of additional shared secrets, including (you guessed it) a password. And because a tap is all that is required, a user can just as easily approve a prompt that an attacker triggered with a stolen password.
Unfortunately, many hackers have learned how to bypass traditional MFA, including intercepting, phishing and spoofing SMS text messages. Many also engage in SIM swapping, in which the attacker impersonates the target to dupe a wireless carrier employee into porting the target's phone number to a new (malicious) device. Moreover, there are now tools such as Modlishka that automate this: the tool sits as a reverse proxy between the victim and the real site, forwarding the password and the OTP in real time, so the MFA prompt is simply relayed rather than defeated. It couldn't be easier for hackers nowadays.
So, the question is: how do we move away from passwords yet still ensure enterprise-level security?
Every individual today is experiencing some level of MFA fatigue. Add to that the fact that every business, big and small, is maneuvering through a complex authentication landscape while also managing the IT challenges of remote work. Enterprise IT helpdesk departments spend more than 30% of their time helping users with password and access issues, time that is not spent on the innovative projects that ultimately move the business forward. So, despite being mandated, MFA still meets a level of resistance.
The solution? Marrying MFA with passwordless authentication. In short, combining a possession factor (a smartphone, security key, or platform authenticator that holds a public-key credential) with a local biometric or PIN that unlocks it (think facial recognition). The biometric never leaves the device; it only unlocks a private key that signs a fresh challenge from the service. No shared secret is stored on the server or transmitted over the wire, so there is nothing for a "man in the middle" to capture or replay, and in FIDO2/WebAuthn the signed response is also bound to the origin of the site that requested it, which is what defeats the reverse-proxy phishing kits described above. With such an authenticator, users can securely log into a workstation and corporate domain without ever typing a password.
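The two behaviours described above, the OTP that a reverse-proxy phishing kit can relay unchanged (the OTP and Modlishka passages) and the origin-bound public-key response that the same proxy cannot relay (this paragraph), side by side as an added example. This is illustrative code written for this article, not code from the article's author or from any product it names. It assumes a constructed TOTP seed, the hostnames `bank.example` (the real site) and `bank-login.example` (the phishing proxy), hostnames standing in for full WebAuthn origins, and an Ed25519 key pair standing in for the authenticator's credential key; the function names are invented here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// totp: RFC 6238 (HMAC-SHA1, 6 digits, 30 s step). The user's app and the server both compute it.
func totp(secret []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// verifyTOTP: the server-side check, allowing one step of clock skew either way.
func verifyTOTP(secret []byte, now int64, code string) bool {
	for _, t := range []int64{now - 30, now, now + 30} {
		if hmac.Equal([]byte(totp(secret, t)), []byte(code)) {
			return true
		}
	}
	return false
}

// RelayTOTP: the victim types the code into the proxy's page and the proxy forwards it
// a few seconds later. The real server has no way to tell it arrived via a proxy.
func RelayTOTP(secret []byte, now int64) bool {
	return verifyTOTP(secret, now+5, totp(secret, now))
}

// clientData is what the authenticator signs over. The browser, not the page, fills in
// Origin (a hostname here; a full origin in real WebAuthn).
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// NewCredential: the key pair the authenticator registered with the site (Ed25519 stand-in).
func NewCredential() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// newChallenge: the server's fresh random nonce for one login attempt.
func newChallenge() string {
	var b [32]byte
	rand.Read(b[:])
	return base64.RawURLEncoding.EncodeToString(b[:])
}

// rpIDHash: SHA-256 of the relying-party ID (the host the browser is actually connected to).
func rpIDHash(host string) []byte {
	h := sha256.Sum256([]byte(host))
	return h[:]
}

// BrowserAssert: the browser records the host it sees and the authenticator signs
// rpIdHash || SHA-256(clientDataJSON), mirroring WebAuthn's authenticatorData || clientDataHash.
func BrowserAssert(priv ed25519.PrivateKey, seenHost, challenge string) (cdJSON, sig []byte) {
	cdJSON, _ = json.Marshal(clientData{Challenge: challenge, Origin: seenHost})
	cdHash := sha256.Sum256(cdJSON)
	return cdJSON, ed25519.Sign(priv, append(rpIDHash(seenHost), cdHash[:]...))
}

// RPVerify: the relying party checks challenge and origin, then the signature over its own rpIdHash.
func RPVerify(pub ed25519.PublicKey, rpHost, challenge string, cdJSON, sig []byte) bool {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil || cd.Challenge != challenge || cd.Origin != rpHost {
		return false
	}
	cdHash := sha256.Sum256(cdJSON)
	return ed25519.Verify(pub, append(rpIDHash(rpHost), cdHash[:]...), sig)
}

// Assert: one login where the victim's browser sees seenHost while the real site is rpHost.
// seenHost == rpHost is a direct login; anything else is the proxy relaying the real challenge.
func Assert(priv ed25519.PrivateKey, pub ed25519.PublicKey, rpHost, seenHost string) bool {
	c := newChallenge() // issued by rpHost, forwarded verbatim by the proxy
	cdJSON, sig := BrowserAssert(priv, seenHost, c)
	return RPVerify(pub, rpHost, c, cdJSON, sig)
}

func main() {
	secret := []byte("constructed-totp-seed") // constructed sample secret
	fmt.Println("TOTP accepted after relay:     ", RelayTOTP(secret, 1700000000))
	pub, priv := NewCredential()
	fmt.Println("Assertion accepted (direct):   ", Assert(priv, pub, "bank.example", "bank.example"))
	fmt.Println("Assertion accepted after relay:", Assert(priv, pub, "bank.example", "bank-login.example"))
}
```

The proxy can forward the TOTP because nothing in a six-digit code says where it was typed. It cannot forward the assertion because the browser writes the host it actually connected to into the signed data and the authenticator signs over the hash of that same host; the real site sees `bank-login.example` where it expects `bank.example` and rejects the response before it ever reaches the user.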
Passwordless authentication removes user frustration while ensuring the highest level of password security – by eliminating the password altogether. Leading companies such as Aetna/CVS Health, most major banks in the United States, airlines and insurance companies have all adopted passwordless technologies.
Moving forward, passwordless authentication will certainly be the norm, particularly since the Federal Financial Institutions Examination Council (FFIEC) recently issued guidance on effective authentication and access risk management practices for the various parties that access financial institution services and systems. Microsoft, in particular, is taking the lead in incorporating this technology and making it non-negotiable for entities with data to secure (or, all entities).
In fact, a Digital Defense Report recently published by Microsoft shows continued attacks from nation-states that relied not on software exploits but on well-known techniques such as password spraying and phishing. This highlights how vulnerable most organizations are to such attacks, and how widespread the antiquated use of passwords still is.
With the number of digital touchpoints increasing for companies across the board, MFA alone – and MFA rooted in passwords and other shared secrets in particular – will become less and less secure for both brands and consumers. With countless pieces of data and dollars to lose, neither party can afford to put their information at risk. Under the FFIEC's guidance, and with Microsoft at the forefront, passwordless MFA is the way of the future.