FBI issues a new cyber attack warning writes Zak Doffman for Forbes Media, October 7, 2019. Until now Multi-Factor Authentication has been considered the top defense against similar cyber attacks. Even Microsoft states that they block 99% of enterprise account hacks. To learn more about this, we asked Truesec's identity guru Hasain Alshakarti to clarify a few things.
Hasain, you are always up do date with the latest security issues. Is Multi-Factor Authentication (MFA) really outdated?
No, attackers will try to find an easier path to the target when the authentication method is hardened with MFA. They will effectively bypass the hardened attack surface by targeting the user using other methods.
What's your opinion about MFA? Pros and cons?
MFA effectively prevents a large number of password-related attacks making it virtually impossible to abuse user credentials without user interaction. Phishing, spearphishing, keyloggers, credential stuffing, brute force, and other attacks get more difficult to impossible to perform as MFA adds additional layers of security.
The main difficulties with MFA are the need for yet another device, application, or other sensors as well as the added cost of these components. Furthermore, organizations with multiple types of users will most often be forced to use a combination of methods to provide MFA to different types of users.
When evaluating the user experience we often find users describing MFA as bothersome and unfriendly due to the added number of factors required to perform and authentication.
What's your key taking from the FBI's warning?
MFA is just one layer of security and we need to work with different layers to provide prevention against highly sophisticated and persistent cyber-attacks. Another important action is to secure all possible access methods with MFA or equivalent protections.
How do you work with clients to implement MFAs or similar identity solutions?
Different needs require different solutions and we know that using risk detection to trigger additional MFA factors is a very effective method to make MFA less bothersome. The dynamic model helps to educate the users to understand risky behaviors as well as make MFA more friendly with a high level of security and ability to detect attacks. It's important to understand the requirements together with our clients and evaluate the different options to find the best working combinations of security and user-friendliness.