By François Amigorena, CEO and founder, IS Decisions
Organizations without multi-factor authentication (MFA) are open to attack when their employees share passwords or fall for phishing scams.
Compromised credentials are considered to be one of the biggest threats to companies today. Why? Well, it’s quite simple to explain. The attacker is using valid (stolen but valid) credentials, so why would your security tools flag anything unusual? For them, the person accessing your network is who they say they are.
This is a well-known threat among organizations, yet many of them are still not doing what needs to be done regarding password security. A few years ago, we surveyed 500 IT Security Managers in the US and UK, and the results showed that only 38% of organizations use MFA to better secure corporate credentials. Sadly, some recent research shows that things haven’t really changed.
4 MFA myths that explain the reluctance in adopting MFA
Only large enterprises can benefit from MFA
Not true. A company doesn’t need to be a certain size to use MFA and benefit from it. Actually, using MFA should be part of any business’s security strategy, regardless of size. Whether it’s an SMB or a large enterprise, the data to protect is just as sensitive and the disruption just as serious. Furthermore, MFA doesn’t have to be complex, costly or frustrating!
MFA is only useful to protect privileged users
Still not true. Many organizations think they don’t need MFA because they don’t have any privileged users. They find MFA too much for users who don’t have access to valuable data. Well, guess what? Those “non-privileged” users have access to a lot of information which, if used inappropriately, can be harmful to the company. To illustrate this, take an example: imagine a nurse who decides to sell a celebrity patient’s data to a journalist. I don’t think I need to explain how this shows the value of data and the possible harm if it is used inappropriately.
Furthermore, most hackers don’t start with a privileged account. They usually take advantage of any account that falls for a phishing scam and then move laterally within the network until they find valuable data to exfiltrate.
MFA can be bypassed
This is true. A perfect security solution doesn’t exist yet. However, MFA is pretty close. As some of you might have heard, the FBI issued a warning last month about events where hackers were able to bypass MFA. There were two main authenticator vulnerabilities: ‘Channel Jacking’, which involves taking over the communication channel that is used for the authenticator, and ‘Real-Time Phishing’, which uses a machine-in-the-middle that intercepts and replays authentication messages. According to experts, such attack types require considerable cost and effort. Most cyber criminals who encounter MFA prefer to move on to an easier victim rather than try to bypass this measure. Simple precautions can also be taken to avoid certain vulnerabilities, such as choosing MFA authenticators that do not rely upon SMS authentication. (The National Institute of Standards and Technology (NIST) discourages SMS and voice in its latest Digital Identity Guidelines.)
Despite the recent attacks, the FBI still affirms that MFA is effective and that it’s one of the easiest steps an organization can take to improve security.
MFA impedes users
This is not entirely true, or at least it doesn’t have to be. Every time you want to implement new technology, there is the same challenge: how can I implement it in a way that least disturbs my employees? If it disrupts employees’ productivity, adoption will be slowed down or stopped. Therefore, flexibility is needed when using an MFA solution. Users don’t need to be prompted for MFA each time they log in. This is why the circumstances that trigger an MFA prompt must be customized according to each company’s needs.
Being a victim of compromised credentials could happen to anyone, privileged or non-privileged. Using MFA should be part of any business’s security strategy, regardless of size, and can be one of the easiest ways to keep accounts secure.
About the Author
François Amigorena is the founder and CEO of IS Decisions, and an expert commentator on cybersecurity issues. IS Decisions is a provider of infrastructure and security management software solutions for Microsoft Windows and Active Directory. The company offers solutions for user-access control, file auditing, server and desktop reporting, and remote installations. Its customers include the FBI, the US Air Force, the United Nations and Barclays, each of which relies on IS Decisions to prevent security breaches, ensure compliance with major regulations such as SOX and FISMA, quickly respond to IT emergencies, and save time and money for the IT department.