Protecting Your Multi-Factor Authentication Deployment
- Advosec
- Sep 15, 2020
MFA is an excellent technology, but it is not bulletproof and requires some protection of its own to be completely effective.

As organizations migrate services to the cloud and rely heavily on remote access by their employees, multi-factor authentication (MFA) continues to grow in popularity among programs that either had not previously deployed the technology or did not have it in front of all remote access entry points. MFA is an excellent security technology that inserts an added layer of protection into the authentication process. With targeted phishing emails continuing to be one of the most common attack methods of cyber-criminals, MFA has become a critical safeguard against the use of compromised credentials.
It is not bulletproof, though, and requires some protection of its own to be completely effective. Below are three considerations organizations should apply to their MFA technology deployment and management process.
Enrollment
Assigning MFA to every user account should be the goal, but deploying the technology successfully requires an effective enrollment process. Simply assigning it to accounts and notifying employees might net you 70-85% coverage, but many employees may never log in from an external network and so never get prompted to enroll. In these cases stolen credentials still lead to account compromise, because cyber-criminals will simply enroll their own device, email address, etc. during the first login attempt. Develop an enrollment process that requires employees to validate their identity before MFA is configured.
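To make the enrollment gap concrete, here is an added example (not Advosec's code) that models the two policies side by side: a weak flow in which whoever first presents valid credentials gets to enroll a device, and a hardened flow in which enrollment is only possible with a one-time code the help desk issues after verifying the employee's identity out of band. The `Account` class, the `issue_enrollment_code` helper and the sample credentials are all constructed for the illustration; a real system would store salted password hashes and deliver the code through a verified channel.

```python
"""Weak vs. hardened MFA enrollment (hypothetical model, not vendor code)."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    username: str
    password: str                                   # constructed sample; real systems store salted hashes
    enrolled_device: Optional[str] = None           # MFA device bound to the account, if any
    pending_enrollment_code: Optional[str] = None   # one-time code issued after an identity check


def check_password(acct: Account, password: str) -> bool:
    # constant-time comparison so the model does not leak timing information
    return hmac.compare_digest(acct.password, password)


def login_enroll_on_first_use(acct: Account, password: str, device: str) -> str:
    """Weak policy: the first valid login binds whatever device it presents."""
    if not check_password(acct, password):
        return "denied"
    if acct.enrolled_device is None:
        acct.enrolled_device = device               # nobody checked who is behind this login
        return "enrolled:" + device
    return "mfa_prompt:" + acct.enrolled_device


def issue_enrollment_code(acct: Account) -> str:
    """Help desk issues a one-time code only after verifying identity (assumed out of band)."""
    code = secrets.token_hex(4)
    acct.pending_enrollment_code = code
    return code


def login_verified_enrollment(acct: Account, password: str, device: str,
                              enrollment_code: Optional[str] = None) -> str:
    """Hardened policy: no self-enrollment; a valid, unconsumed enrollment code is required."""
    if not check_password(acct, password):
        return "denied"
    if acct.enrolled_device is None:
        if (enrollment_code is None or acct.pending_enrollment_code is None
                or not hmac.compare_digest(enrollment_code, acct.pending_enrollment_code)):
            return "enrollment_required"            # credentials alone are not enough
        acct.enrolled_device = device
        acct.pending_enrollment_code = None         # the code is single-use
        return "enrolled:" + device
    return "mfa_prompt:" + acct.enrolled_device


def demo() -> dict:
    """Replay a stolen-credential login against both policies; returns the outcomes."""
    stolen_password = "Autumn2020!"                 # constructed sample value

    weak = Account("alice", stolen_password)
    weak_outcome = login_enroll_on_first_use(weak, stolen_password, "attacker-phone")

    hardened = Account("alice", stolen_password)
    first_attempt = login_verified_enrollment(hardened, stolen_password, "attacker-phone")
    code = issue_enrollment_code(hardened)          # employee proves identity to the help desk
    employee_enroll = login_verified_enrollment(hardened, stolen_password, "alice-phone", code)
    later_attempt = login_verified_enrollment(hardened, stolen_password, "attacker-phone")

    return {
        "weak": weak_outcome,                       # attacker-owned device is now the second factor
        "hardened_first_attempt": first_attempt,    # blocked: enrollment_required
        "hardened_employee_enroll": employee_enroll,
        "hardened_later_attempt": later_attempt,    # push goes to the employee's device
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the model makes is that with the weak policy the password alone is sufficient to become the second factor, so MFA adds nothing for unenrolled accounts; with the hardened policy the same stolen password yields only `enrollment_required`, and once the employee has enrolled, further logins are challenged on the employee's device.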
Education
The value of MFA may seem obvious, but employees still need to be educated on the technology, how it works, and how to interact with it. People are inundated with technology alerts and notifications these days. For many, an alert from your MFA application may be just another notification they are eager to silence. Unfortunately, the result is many people accepting MFA push requests on their cell phones even when it is not them attempting to log in. Educate your employees to help avoid this scenario, or remove pushes entirely and limit MFA to SMS, which carries its own level of risk. It is not safe to assume that all employees will decline and/or report MFA push requests they did not initiate, which leaves you with an interesting and difficult challenge.
Testing
Finally, test your employees and their use of the MFA technology. Similar to simulated phishing campaigns, it is possible to configure a small program that sends push notifications to your employees to see how many will ignore, accept, or decline them. This is a great exercise to gauge how aware your employees are and what the rate of fraudulent MFA requests reported to your help desk or SOC looks like. It is also an added opportunity to educate employees who fail the simulation, and to consider removing the push feature from their devices if they continue to fail testing exercises.
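The article does not say how the results of such a simulation are recorded, so the following added example (not Advosec's code) assumes the push program writes one line per employee per campaign in a simple `key=value` format, with `result` being one of `accepted`, `declined`, `ignored` or `reported`. The log lines are constructed for the illustration. The code computes the accept, decline, ignore and report rates the text suggests measuring, lists the employees who accepted a push they did not initiate, and flags those who accepted in at least two campaigns as candidates for removing the push feature from their devices.

```python
"""Summarize results of a simulated MFA push campaign (hypothetical log format)."""
import re
from collections import Counter, defaultdict

# Constructed sample output of the push-simulation program; not real data.
SAMPLE_LOG = """
2020-09-15T10:02:11Z campaign=1 user=alice result=accepted
2020-09-15T10:02:12Z campaign=1 user=bob result=declined
2020-09-15T10:02:13Z campaign=1 user=carol result=ignored
2020-09-15T10:02:14Z campaign=1 user=dave result=reported
2020-09-15T10:02:15Z campaign=1 user=erin result=accepted
this line is malformed and should be skipped
2020-09-22T10:05:01Z campaign=2 user=alice result=accepted
2020-09-22T10:05:02Z campaign=2 user=bob result=declined
2020-09-22T10:05:03Z campaign=2 user=carol result=declined
2020-09-22T10:05:04Z campaign=2 user=dave result=reported
2020-09-22T10:05:05Z campaign=2 user=erin result=declined
"""

RESULTS = ("accepted", "declined", "ignored", "reported")
LINE_RE = re.compile(
    r"campaign=(?P<campaign>\d+)\s+user=(?P<user>\S+)\s+result=(?P<result>accepted|declined|ignored|reported)\b"
)


def parse_line(line: str):
    """Return a dict for a well-formed result line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"campaign": int(m["campaign"]), "user": m["user"], "result": m["result"]}


def summarize(lines, repeat_threshold: int = 2) -> dict:
    """Compute per-result rates and identify employees who accepted unsolicited pushes."""
    events = [e for e in map(parse_line, lines) if e is not None]
    counts = Counter(e["result"] for e in events)
    total = len(events)
    rates = {r: counts[r] / total for r in RESULTS} if total else {r: 0.0 for r in RESULTS}

    # Which campaigns each user accepted in; repeat acceptance is the strongest signal.
    accepted_in = defaultdict(set)
    for e in events:
        if e["result"] == "accepted":
            accepted_in[e["user"]].add(e["campaign"])

    return {
        "total": total,
        "counts": {r: counts[r] for r in RESULTS},
        "rates": rates,
        "accepted_users": sorted(accepted_in),
        # employees who keep accepting are candidates for push removal, per the article
        "push_removal_candidates": sorted(u for u, c in accepted_in.items() if len(c) >= repeat_threshold),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    print(f"events: {report['total']}")
    for r in RESULTS:
        print(f"  {r:9s} {report['counts'][r]:3d}  ({report['rates'][r]:.0%})")
    print("accepted at least once:", ", ".join(report["accepted_users"]))
    print("push removal candidates:", ", ".join(report["push_removal_candidates"]))
```

The `reported` rate is the number to compare against what your help desk or SOC actually received; a gap between the two means reports are being lost somewhere between the employee and the people who can act on them.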
Multi-factor authentication is a critical safeguard in modern security programs, but don't "set it and forget it". It is a technology that requires time, effort, testing, and education to make it most effective.
For more information about the deployment, education, or testing of MFA technology, please contact info@advosec.com