Is Multifactor Authentication a Magic Bullet for Cybersecurity?
Updated: Dec 31, 2022
If you are not familiar with, or need a refresher on, what MFA, SSO, and strong authentication methods are, I've included a cheat sheet at the bottom of this article!

The undeniable effectiveness of strong authentication methods

Earlier this year I was having a conversation with a businessman, and during the conversation he asked me what the single most important thing in cybersecurity is. I gave him my answer, to which he replied that he believed MFA is the answer.
I found this answer interesting because even Microsoft has reported that 99.9% of breaches can be blocked with MFA. The wording of the question was a bit ambiguous, which allowed me to give a much broader answer, but I would consider MFA to be the correct answer to "What is the single most important tool currently used in cybersecurity?".
Azure Active Directory alone experiences 50 million password attacks daily, yet only 20% of users and 30% of global admins use MFA or an equivalent strong authentication method (statistics are based on data from Microsoft in August 2021*). If strong authentication is so effective at mitigating risk, then why is it not used by a much higher percentage? If 99.9% of breaches can be blocked by using strong authentication, should MFA be considered a magic bullet?
The answer to the first question that will jump to the mind of many security professionals is "Because companies don't take security seriously, and those that do tend to perceive good security as obtainable only by large enterprises." This is not an incorrect answer, but it begs yet another question: "Why do companies feel this way?" Companies will typically budget for accounting, consultations, and marketing, to name a few, but why isn't there a budget for cybersecurity?

A Society that is Cybersecurity Conscious

Tech Horse Electronics believes that the best answer is culture; let me explain with an analogy. Speed limits were introduced in the early 20th century in Canada, but street racing and the like was accepted and tolerated in many areas up until a couple of decades ago. Yes, you can still find circles where this is acceptable, but in general it is a frowned-upon practice. It wasn't the speed limits that were most effective in stopping street racing, but rather society collectively agreeing that street racing is dangerous and not an acceptable practice. The hefty penalties we see today for street racing would not be sustainable if people did not want the penalties in place. Taking a zero-security approach is like driving a Lamborghini everywhere at 220 km/h. Not only are you in danger of a hefty ticket, but you are putting yourself and others in serious danger. Taking some security measures but using the DIY approach is like trying to cross the American Frontier and considering yourself safe because you've used a rifle before. The good news is that society is becoming more and more security conscious. Laypeople are starting to make sure that the companies they entrust their private information to are taking cybersecurity seriously. Companies, likewise, are checking that their IT service providers are actually taking security seriously. As a result of this consciousness we are seeing compliance laws such as PIPEDA being enforced more strictly.
The bad news is that a security-conscious culture in general is probably decades away. We have become as security conscious as we are now because we are learning from very bad security breaches. Many companies are not going to learn until they have suffered a security breach, but it does not have to be that way for your company.

MFA and Magic Bullets

Do you believe in magic? Most likely you don't, and, not to pick on anyone who does, but the belief in magic generally has its foundations in the believer's ignorance of the science behind it. Magic bullets do not exist, and treating MFA as a magic bullet, even metaphorically, is a dangerous way of thinking. It was not that long ago that anti-virus software was considered the magic bullet for cybersecurity by many. Even today I meet people who believe anti-virus is all you need for security (according to a survey by security.org, 77% of adult Americans are using anti-virus). Traditional anti-virus software is still important, but its effectiveness has greatly diminished. The reason anti-virus has become less effective is its widespread adoption: viruses that affect living organisms adapt and evolve to overcome obstacles, and so do the methods of hackers. Hackers are already finding weaknesses in MFA, and the concern is that by the time strong authentication is commonplace its effectiveness will be greatly diminished. Although relatively rare, we are already seeing hackers get around MFA*.

Conclusion

Taking cybersecurity seriously takes more than believing in magic bullets. I hope that a key takeaway from this article is that the best defense against cybercrime is cybersecurity awareness, not magic bullets! Enterprise-grade security is no longer available only to large corporations. Implementing this security does, however, require the company to be a willing participant.
Creating a cybersecurity-aware culture in your company will not only benefit society in general but will also benefit your company directly by:
• Putting you ahead of competitors with security-conscious clients, which is a growing demographic.
• Being able to advertise that your company is taking security seriously.
• Greatly diminishing the risk presented by employees who do not take cybersecurity seriously.
• Greatly diminishing all other cybersecurity-related risks.
• Reducing the cost of cyber insurance.

MFA, SSO, and Strong Authentication Cheat Sheet
Multifactor Authentication (MFA)
• The most common implementations are a code sent to a mobile device, or a random code from an authenticator app.
• It is commonly confused with Two-Factor Authentication (2FA), which is a type of MFA. NordLayer has an excellent article comparing the two.

Single Sign-On (SSO)
• Uses the credentials from another source, such as your Microsoft tenant, to sign into a different website/application.
• Has both security pros and cons when compared to MFA.

Strong Authentication
• Both MFA and SSO, when configured correctly, are considered strong authentication methods by most.

Notes:
1. Data statistics may appear to vary drastically from article to article. This is because the statistics given are based on different sets of data. 50 million password attacks daily is based on data from Azure Active Directory in August 2021 only. 300 million attacks a day are claimed to be made against Microsoft's identity system in general.
2. Multiple research papers are available that show the eventual shortcomings of strong authentication methods. Here is a recent example of MFA being bypassed.