Recently, we were asked by a client, “Which MFA is the best for an SMB?” We liked that question and thought others would benefit, so we decided to add it to our list of blog topics. Before writing that blog, however, we decided we first needed a quick review of what multi-factor authentication (MFA) is and why it is so important. So that’s what we will cover here, and be on the lookout for the upcoming blog on choosing the right one for a small to midsize business (SMB).
What is MFA?
Before you can understand why MFA is so important, it is important to make sure you understand what MFA is. MFA is using a combination of different methods to prove you are who you say you are, when authenticating to an application or system. In order to be considered MFA, it must combine at least two of the following:
- Something You Know – For example, a password is something you know. Other options could be a PIN, answers to secret questions, etc.
- Something You Have – Traditionally, this was a smart card or a small device that sat on your keychain and rotated a number every 30 seconds. However, today this has expanded to include your cellphone, making it much easier to use as you don’t have to remember a second device.
- Something You Are – This can be your fingerprint, FaceID, Iris Scan, or even behavioral analytics (your computer can recognize your typing pattern for example).
One common mistake we find is customers combining two of the same factor and counting that as MFA. For example, a password and answering a security question. These are both something you know, and therefore cannot be considered MFA. Sure, multiple forms of the same factor can still be an improvement in some scenarios, but you won’t receive the same security benefits as you would with MFA.
Why is MFA so important?
MFA is easily one of our biggest recommendations for any organization to implement, SMBs included. Although nothing in security is a “silver bullet,” and there are ways to bypass MFA, it will make your security posture exponentially better. To better explain this, let me tell you how we break into the majority of companies we conduct external penetration tests on.
When we conduct an external penetration test, we will conduct open source reconnaissance in order to collect a list of employees. Usually this is as simple as browsing to LinkedIn and searching for your organization. Next, we will determine your username format (hint: it’s usually the same as your email format). Using this collected list of usernames, we will proceed to conduct a password spraying attack against your VPN, OWA, or other login interface in scope. A password spraying attack will take a common password (Summer2018, Company123, Password1) and try it against a long list of usernames. The advantage of a password spraying attack is that since I am only doing one password attempt per user, I can avoid account lockouts and, for the most part, detection. This leads to us gaining access to the internal network or an employee’s email in over 60% of the external penetration tests we perform. The other 40% have MFA in place (usually). OK, some have really good password policies or no login screens in scope, but most have MFA.
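The “one attempt per user, many users” pattern described above is exactly what makes spraying hard to catch with per-account lockout thresholds, but it is also a distinctive signature from the defender’s side: one source producing failures across many distinct usernames with very few attempts each. The following is an added example, not code from the original post; it parses a few constructed authentication log lines in a made-up `timestamp RESULT user=… src=…` format (assumed for illustration; real VPN, OWA or IdP logs need their own parser), flags sources that match the spray pattern within a time window, and lists any sprayed user who then logged in successfully from the same source.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). One source sprays
# eleven users once each and then succeeds against jdoe; a second source
# is a single user mistyping their own password a few times.
SAMPLE_LOG = """\
2018-07-10T09:00:01 FAIL user=asmith src=203.0.113.7
2018-07-10T09:00:03 FAIL user=bjones src=203.0.113.7
2018-07-10T09:00:05 FAIL user=cwhite src=203.0.113.7
2018-07-10T09:00:07 FAIL user=dgreen src=203.0.113.7
2018-07-10T09:00:09 FAIL user=eblack src=203.0.113.7
2018-07-10T09:00:11 FAIL user=fbrown src=203.0.113.7
2018-07-10T09:00:13 FAIL user=ggray src=203.0.113.7
2018-07-10T09:00:15 FAIL user=hblue src=203.0.113.7
2018-07-10T09:00:17 FAIL user=ired src=203.0.113.7
2018-07-10T09:00:19 FAIL user=jdoe src=203.0.113.7
2018-07-10T09:00:21 FAIL user=kpink src=203.0.113.7
2018-07-10T09:00:23 OK user=jdoe src=203.0.113.7
2018-07-10T09:05:00 FAIL user=mlee src=198.51.100.20
2018-07-10T09:05:10 FAIL user=mlee src=198.51.100.20
2018-07-10T09:05:20 FAIL user=mlee src=198.51.100.20
2018-07-10T09:05:30 OK user=mlee src=198.51.100.20
"""

# Assumed log line format for this example; adapt to your own logs.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn raw log text into a list of event dicts, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_spray(events, window=timedelta(minutes=30), min_users=10, max_per_user=2):
    """Flag sources whose failures within `window` spread over at least
    `min_users` distinct accounts with no more than `max_per_user` tries
    each. Brute force against one account fails the second condition;
    normal users fail the first."""
    fails = defaultdict(list)   # src -> failed events
    oks = defaultdict(set)      # src -> users that logged in successfully
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]].append(e)
        else:
            oks[e["src"]].add(e["user"])

    alerts = []
    for src, evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window start forward until it fits within `window`.
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            per_user = Counter(x["user"] for x in evs[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # Keep the widest matching window for this source.
                if best is None or len(per_user) > best["distinct_users"]:
                    best = {
                        "src": src,
                        "distinct_users": len(per_user),
                        "first": evs[start]["ts"].isoformat(),
                        "last": ev["ts"].isoformat(),
                        # Sprayed accounts that later succeeded from the same
                        # source are the ones to reset and investigate first.
                        "sprayed_then_succeeded": sorted(set(per_user) & oks[src]),
                    }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_log(SAMPLE_LOG)):
        print(alert)
```

The thresholds are deliberately parameters: a spray that runs three passwords per user over a day needs a larger `max_per_user` and `window`, and an attacker who rotates source addresses will not trip a per-source rule at all, so in practice the same grouping is worth running by user agent, by target application, or across all sources combined. MFA is what turns the `sprayed_then_succeeded` list from a breach into a noisy failed attempt.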
The truth of the matter is, employees, regardless of how much awareness training they get or what password policies exist, suck at choosing strong passwords. MFA reduces the risk associated with that reality. With MFA in place, even if I can guess a password, I will still need to have that second factor (something you have or something you are).
Hopefully this blog helped you understand what MFA is and why it is so important. Although we only went over one attack scenario that shows why MFA matters, truth be told, there are many other ways we can steal passwords and use them to gain access to organizations. Most of these scenarios would be stopped if MFA was properly in place. Have any questions or feedback? Let us know in the comments below.