We live in an always-connected, multi-device, multi-platform world. Some of us use a MacBook or PC laptop for work. While at the airport or watching our kid's soccer game, we check work email from a smartphone. And almost everyone has documents stored in the cloud so that work is accessible across all of these devices and platforms.
However, relying on standard "enter your username and password" login credentials for any cloud-based resource is a security nightmare for IT teams. Billions of usernames and passwords have been stolen, posted online and exploited by criminals every day. Many users still reuse their corporate usernames (typically their work email address) and passwords, or at least a variation of that password, on personal websites.
Just last year, hackers stole millions of user credentials from cloud-first companies like Uber, Twitter, Marriott, Cloudflare and Twilio. These credential harvesting campaigns are just the beginning for bad actors. Even if criminals don't have the current password for a username, they'll follow up with a brute-force attack to guess weak passwords, get into the compromised cloud account, and then move laterally inside the corporate network.
That's why every IT department should apply a multifactor authentication (MFA) process to secure their employees' user accounts across all devices and platforms. Any login with MFA requires a user to present a combination of two or more unique credentials to verify their identity. So, even if one user credential becomes compromised — for example, the user's password is known or guessed by brute force — the criminal won't have the second authentication requirement and is blocked from completing the login.
What is multifactor authentication?
MFA is, of course, not new. Once upon a time, people watched movies at home on physical media rented from retail stores. Those tapes and discs were a costly capital expense for the retailer, which made its profit from many customers each paying a few dollars to rent them for a day or two. To protect itself against customers who might not return the media, the rental store required two or more forms of identification before opening an account.
Fast forward to our modern cloud-first world, where an online account protected by multifactor authentication is more secure than one relying on just an ID and password. Adding a second or third factor compensates for the weakness of any single authentication factor.
More factors equals more security for users
It is critical to allow more than just one authentication factor for your users. This is so everyone in an organization has access to an alternate MFA option in case their primary option is unavailable. Two-factor authentication (2FA) is the most common deployment and combines what you know (your password) with what you have using a variety of industry-standard methods including:
Voice or text to a phone — These options send either an automated voice call or a text message to the user's phone. For the voice call, the user answers and presses the # key on the phone keypad to approve the authentication. The text message carries a verification code the user must type into the sign-in interface. "Call to phone" is a good backup when a push notification or an app-generated verification code is unavailable, or when the user cannot receive SMS.
Push notification through a mobile app — A push notification is sent to an authenticator app on the user's personal or corporate-owned device. The user views the notification and taps "Approve" to complete verification. Business IT leaders can set up push notifications using mobile apps such as Duo Mobile and Microsoft Authenticator for both Google Android and Apple iOS. However, if someone travels to China, push notifications on Android phones don't work the same way there as they do in the rest of the world. This is a perfect real-world example of why multiple authentication options are needed.
Hardware security keys — Based on the open standards created by the Fast Identity Online (FIDO) Alliance, these small devices store a private authentication key unique to the user, and often require a biometric component such as a fingerprint to unlock it. Because the hardware key must be in the user's possession to answer the MFA challenge, and the user's login credentials are stored on the device rather than on a server, this security model eliminates not only password theft but also phishing risks.
Even with MFA, you can still get hacked
Deploying MFA in an organization does not guarantee an employee won't be the victim of a cyberattack. MFA makes users more secure, but nothing can protect employees against 100% of all methods of compromise. Speaking of percentages, a widely distributed statistic has claimed for years that MFA can stop 99.9% of attacks. That would mean every other possible type of attack — from phishing and malware, to insider threats, distributed denial of service (DDoS), and even cloud storage bucket misconfigurations — accounts for only 0.1% of successful attacks. Considering that unpatched software is the cause of the majority of successful cyberattacks, it's obvious that the 99.9% statistic is... misleading.
In early 2022, the Cybersecurity & Infrastructure Security Agency (CISA) warned that bad actors were exploiting "default MFA protocols and a known vulnerability" to automatically enroll devices for multifactor authentication on corporate networks. The attackers combined stolen user credentials, automated policies for enrolling MFA devices and unpatched software to effectively bypass multifactor authentication and gain full access to the victim's cloud storage and corporate email. To limit the damage from such attacks, the best course of action for an IT department is to adopt and enforce zero trust access policies that treat MFA as one part of a holistic security strategy.
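To make the enrollment weakness concrete, here is an added illustration (not code from the article, CISA or any MFA vendor) of a toy device-enrollment policy: a "weak" default that lets a correct password alone register a new authenticator, beside a hardened policy that treats enrollment as a privileged action and fails closed when the account has no existing factor. Account and device names are constructed.

```python
"""Added illustration (not from the article or any vendor's code): a toy model of an
MFA device-enrollment policy, showing why "auto-enroll whoever asks first" lets an
attacker holding only a stolen password register their own authenticator."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    NEEDS_ADMIN = "needs_admin_approval"  # out-of-band path, e.g. help desk identity check


@dataclass
class Account:
    username: str
    password_ok: bool                      # result of the first-factor (password) check
    enrolled_devices: list = field(default_factory=list)


def enroll_weak_default(acct: Account, new_device: str) -> Decision:
    """Weak policy: a correct password alone is enough to enroll a new MFA device.
    Convenient for onboarding, fatal once the password has leaked."""
    if not acct.password_ok:
        return Decision.DENY
    acct.enrolled_devices.append(new_device)
    return Decision.ALLOW


def enroll_hardened(acct: Account, new_device: str, second_factor_verified: bool) -> Decision:
    """Hardened policy: enrollment is itself a privileged action.
    - an account with an existing device must prove possession of it first;
    - an account with no device fails closed to an admin-verified enrollment
      path instead of letting the requester become the first (and only) factor."""
    if not acct.password_ok:
        return Decision.DENY
    if not acct.enrolled_devices:
        return Decision.NEEDS_ADMIN
    if not second_factor_verified:
        return Decision.DENY
    acct.enrolled_devices.append(new_device)
    return Decision.ALLOW


def attacker_with_stolen_password(policy: str) -> Decision:
    """Constructed scenario: the attacker knows the password of an account that
    never completed MFA enrollment and tries to register their own phone."""
    victim = Account(username="alice", password_ok=True)  # constructed sample account
    if policy == "weak":
        return enroll_weak_default(victim, "attacker-phone")
    return enroll_hardened(victim, "attacker-phone", second_factor_verified=False)
```

The same scenario yields ALLOW under the weak policy and NEEDS_ADMIN under the hardened one; the difference is exactly the "default MFA protocol" behaviour the CISA warning describes.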
Setting up multifactor authentication security at your business
The good news is that most providers of cloud-centric IT tools for business offer multifactor authentication options for securing user accounts. For example, Microsoft 365 for Business subscribers get a free cloud MFA service called "Azure multifactor authentication." It is a full-featured and highly configurable MFA option, but it is not enabled for all Microsoft 365 users by default. Azure MFA is just one of many options IT managers and cybersecurity professionals can use to implement multifactor authentication for their users.