Multifactor: Why You Need It and Why It’s Not Enough
Multifactor authentication (MFA) has been around for a long time and remains one of the most effective controls against account compromise. Microsoft has estimated that 99.9% of the accounts it saw breached did not have MFA enabled. Often a compromised account is only used to send spam or further phishing emails, but when the attacker gets lucky the result can be very expensive. A bad actor who has done their research can target high-profile accounts with techniques such as spear phishing or password spraying. The preferred targets are people who can request and authorize a wire transfer and who are often the least likely to use strong passwords, such as the CEO or CFO. Once inside, the attacker sends an urgent request from the legitimate mailbox to a junior staff member who can initiate the transfer. Under pressure from what really is the CFO's email address, the money is wired, and the fraud is often not caught in time for the banks to claw it back.
The cost of not having MFA can be enormous: targeted breaches have cost companies hundreds of thousands to millions of dollars. MFA can be a nuisance and slows authentication down, but that is a small price compared with a company going bankrupt after a breach. It is also essential that the most valuable targets actually use MFA, because they are often the ones most resistant to it.
So, that’s it, right? We’re all secure now? Sadly, no.
MFA bypass attacks are on the rise and the techniques keep getting better. They can involve SIM swapping, theft of session tokens, or simply MFA fatigue (spamming a user with push notifications until one is approved). Microsoft has been improving its customers' ability to defend against these attacks. It recommends shortening session and token lifetimes, with the warning that this affects user experience. Suggested mitigations include:
Reducing the lifetime of the session, though this increases the number of times a user is forced to re-authenticate
Reducing the viable time of a token, which forces threat actors to increase the frequency of token theft attempts
Implementing “Conditional Access App Control” in Microsoft Defender for Cloud Apps for users connecting from unmanaged devices
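As an added example (not code from the original post), the following Microsoft Graph PowerShell snippet creates a Conditional Access policy that applies the three mitigations above to sign-ins from unmanaged devices: a short sign-in frequency, no persistent browser session, and Conditional Access App Control through Defender for Cloud Apps. The policy name, the one-hour sign-in frequency, the break-glass group ID placeholder and the choice of blockDownloads are assumptions for illustration; the policy is created in report-only mode so its impact on users can be reviewed in the sign-in logs before it is enforced.

```powershell
# Added example: Conditional Access policy that shortens the session for unmanaged
# devices and routes them through Conditional Access App Control.
# Requires the Microsoft.Graph.Identity.SignIns module and a Conditional Access
# Administrator (or Global Administrator) account. Defender for Cloud Apps must be
# licensed and onboarded for the cloudAppSecurity control to take effect.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

# ASSUMPTION: object ID of the emergency-access ("break glass") group that is
# excluded from every policy; replace with your own.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Unmanaged devices: 1h sign-in frequency, no persistent browser, CA app control"
    # Start in report-only mode and review the sign-in logs before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        devices        = @{
            deviceFilter = @{
                # "Unmanaged" here means neither Intune-compliant nor hybrid Entra joined.
                # Unregistered devices have neither property set, so they match as well.
                mode = "include"
                rule = 'device.isCompliant -ne True -and device.trustType -ne "ServerAD"'
            }
        }
    }
    sessionControls = @{
        # Force re-authentication every hour (ASSUMED value; tune to your risk appetite
        # and to how much re-prompting your users will tolerate).
        signInFrequency   = @{ isEnabled = $true; type = "hours"; value = 1 }
        # Do not keep the session alive after the browser is closed.
        persistentBrowser = @{ isEnabled = $true; mode = "never" }
        # Conditional Access App Control via Defender for Cloud Apps.
        # "monitorOnly" is the softer alternative to "blockDownloads".
        cloudAppSecurity  = @{ isEnabled = $true; cloudAppSecurityType = "blockDownloads" }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Leave the policy in report-only mode for a few days and check the "Report-only" results in the Entra sign-in logs; switching state to "enabled" is the point at which the shorter session lifetime starts costing users re-authentications, so it should be a deliberate change rather than a default.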
These changes are especially important for users with high-level privileges, such as Domain Admins. Such users should have a separate, cloud-only identity for cloud administration rather than an account synced from on-premises AD. That separation makes it harder to move between environments: compromising the on-prem account does not give the attacker a working cloud login, and compromising the cloud account does not give them on-prem access. In addition, these privileged accounts should not have a mailbox attached to them, which removes the most obvious way to phish them.
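As an added illustration of the privileged-identity guidance above (again example code, not from the original post), this snippet lists the active members of a few highly privileged Entra ID roles and flags any that are synced from on-premises AD or that own an Exchange Online mailbox. The list of role names checked and the use of Get-EXOMailbox to detect a mailbox are my assumptions; PIM-eligible assignments that are not currently active are not returned by Get-MgDirectoryRole and need a separate check.

```powershell
# Added example: audit privileged Entra ID accounts for the two hygiene problems the
# text calls out: being synced from on-prem AD (not cloud-only) and owning a mailbox.
# Requires Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Users and
# ExchangeOnlineManagement. Only activated role assignments are inspected;
# PIM-eligible assignments are not covered here.
Import-Module Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Users, ExchangeOnlineManagement
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All"
Connect-ExchangeOnline -ShowBanner:$false

# ASSUMPTION: the roles worth auditing first; extend the list as needed.
$privilegedRoles = @(
    "Global Administrator",
    "Privileged Role Administrator",
    "Exchange Administrator",
    "Security Administrator"
)

# Get-MgDirectoryRole only returns roles that have been activated in the tenant,
# so fetch them once and match by display name.
$activeRoles = Get-MgDirectoryRole

$findings = foreach ($roleName in $privilegedRoles) {
    $role = $activeRoles | Where-Object DisplayName -eq $roleName
    if (-not $role) { continue }

    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
        # Skip groups and service principals; only user objects are of interest here.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $user = Get-MgUser -UserId $member.Id -Property Id, UserPrincipalName, OnPremisesSyncEnabled, AccountEnabled
        # OnPremisesSyncEnabled is $true for synced accounts and $null for cloud-only ones.
        $isSynced   = $user.OnPremisesSyncEnabled -eq $true
        # A missing mailbox produces an error, which is suppressed and yields $false.
        $hasMailbox = [bool](Get-EXOMailbox -Identity $user.UserPrincipalName -ErrorAction SilentlyContinue)

        [pscustomobject]@{
            Role              = $roleName
            UserPrincipalName = $user.UserPrincipalName
            AccountEnabled    = $user.AccountEnabled
            SyncedFromOnPrem  = $isSynced
            HasMailbox        = $hasMailbox
            # Anything flagged here is a candidate for a separate cloud-only,
            # mailbox-less admin identity.
            NeedsAttention    = $isSynced -or $hasMailbox
        }
    }
}

$findings | Where-Object NeedsAttention | Format-Table -AutoSize
```

Running this before and after splitting admin identities gives a simple measure of progress: the goal is an empty table for every role in the list, with the people who hold those roles doing their day-to-day email and browsing from an unprivileged account.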
User compromise can be extremely damaging to a company, especially when nobody knows the full extent of the user's access or the data that access reaches. That is why companies choose Glassportal to understand their exposure through our context-driven vulnerability and risk management solution. Contact us for a demo: demo@glassportal.io!