It’s important that companies realize that without Multi-Factor Authentication (MFA), they are wide open to attacks if their employees fall for phishing scams or share passwords, which happens all the time.
There is no doubt that compromised credentials constitute one of the biggest security threats today. The challenge with compromised credentials is that the attacker is in possession of valid, legitimate corporate credentials. This makes the intrusion very difficult to detect, because all of the security tools you might have in place assume that the person logging in is precisely who they say they are.
Despite the risk, password security is still not taken seriously by many organizations.
A few years ago, we conducted research that revealed only 38% of organizations were using Multi-Factor Authentication. What’s more worrying is that the most recent surveys show that things haven’t really changed since then.
Four Misconceptions About MFA
“My Company Isn’t Big Enough to Use MFA”
A large majority of organizations just assume that MFA can only benefit big companies. That’s not true. MFA can benefit businesses of all sizes and should be part of any business’s security strategy. SMBs need to protect their data like any other company, and MFA isn’t necessarily complex, expensive, or frustrating.
“I Don’t Have Privileged Users so I Don’t Need MFA”
That’s not true either. MFA shouldn’t be used only to protect privileged users. Most employees are considered ‘non-privileged’ because they don’t have access to important data. But those employees still have access to a lot of information that might end up harming your organization. Let’s prove this with an example: a nurse decides to sell a celebrity patient’s data to a journalist. I don’t need to explain the value of the data and the damage it can do.
Furthermore, cybercriminals usually start with an easy target, not with a privileged account. Once they get in, they move laterally within the network to find valuable information.
“Hackers Can Bypass MFA”
Like any other solution! Basically, no security solution is perfect, but MFA is close. The FBI just published a warning regarding attacks where MFA had been bypassed by hackers. Those attacks require significant cost and effort according to experts.
In most cases, when an attacker comes across MFA, he will likely move to an easier victim. Also, choosing MFA authenticators that don’t rely on SMS might help avoid some vulnerabilities. (The National Institute of Standards and Technology (NIST) discourages SMS and voice in its latest Digital Identity Guidelines.)
The FBI still agrees that MFA is very effective and represents one of the simplest steps to improve an organization’s security.
“I Don’t Want to Disrupt My Employees’ Productivity With MFA”
Well, I’ve got some good news: you don’t have to! This is always the challenge when implementing a new solution: you want to disrupt users as little as possible. That’s why you need to look for an MFA solution that offers flexibility and can adapt to your needs. To do so, you can add contextual controls to MFA to further verify users’ claimed identity. Contextual factors don’t impede employee productivity and can include time, location, session type, machine, and the number of simultaneous sessions.
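An added example, not from the original article: one way the five contextual factors listed above could decide whether a logon proceeds silently or a second factor is requested. The policy values, field names, and the choice to refuse a logon at the session limit are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Every name and value here is constructed for illustration only.
@dataclass
class Policy:
    work_start: time = time(7, 0)
    work_end: time = time(19, 0)
    trusted_nets: tuple = ("10.20.0.0/16",)              # office network
    known_machines: frozenset = frozenset({"WKS-0142", "WKS-0207"})
    stepup_sessions: frozenset = frozenset({"rdp", "vpn"})  # remote session types
    max_sessions: int = 2

@dataclass
class Login:
    user: str
    at: time             # local time of the logon attempt
    source_ip: str
    machine: str
    session_type: str
    open_sessions: int   # sessions this user already has open

def evaluate(login: Login, policy: Policy = Policy()):
    """Return (decision, reasons); decision is 'allow', 'mfa' or 'deny'."""
    # Assumption: hitting the simultaneous-session limit refuses the logon
    # outright, since it may indicate a shared or stolen password.
    if login.open_sessions >= policy.max_sessions:
        return "deny", ["simultaneous-session limit reached"]
    reasons = []
    if not policy.work_start <= login.at <= policy.work_end:
        reasons.append("outside working hours")
    addr = ip_address(login.source_ip)
    if not any(addr in ip_network(net) for net in policy.trusted_nets):
        reasons.append("untrusted network location")
    if login.machine not in policy.known_machines:
        reasons.append("unrecognised machine")
    if login.session_type in policy.stepup_sessions:
        reasons.append(f"{login.session_type} session")
    # Any unusual factor triggers a second-factor prompt; a routine logon
    # from a known desk machine during working hours is not interrupted.
    return ("mfa" if reasons else "allow"), reasons

if __name__ == "__main__":
    print(evaluate(Login("alice", time(9, 30), "10.20.4.17", "WKS-0142", "interactive", 0)))
    print(evaluate(Login("alice", time(23, 5), "203.0.113.8", "HOME-PC", "vpn", 0)))
```

Returning the reasons alongside the decision lets each prompt be logged with the factor that caused it, which helps when tuning the policy.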