A door without a lock does not provide a layer of security to an opportunistic thief. If the door is locked, you at least have one layer of security. Now, imagine that the door also has a card or thumbprint reader that must be used in conjunction with the key to unlock the door. Then, you have multiple layers of security. While a skilled thief or attacker could still conceivably get in, it would require more time, and they’d likely move on to an easier target.

While attacks on organizations have become more complex over the years, basic attacks—such as email phishing—that can be done by almost anyone are still rather effective ways of gaining access to an organization’s most sensitive and critical information.

Multi-factor authentication has evolved into the single most effective control to insulate an organization against remote attacks and, when implemented correctly, can prevent most threat actors from easily gaining an initial foothold into your organization, even if credentials become compromised.

What is Multi-Factor Authentication?

Multi-factor authentication is the process of identifying users by validating two or more “factors,” or characteristics that are unique to that user.

Three different characteristics are often used as factors in the authentication process:

    1. something you know
    2. something you have
    3. something you are

Common implementations of two-factor authentication combine the “something you know” factor (e.g. a password) with “something you have” (e.g. a one-time passcode sent to your smartphone or generated by a token).

While authentication is the process by which a computer validates the identity of a user (e.g. with a username and password), multi-factor authentication adds an additional layer of protection and security against one of the most common types of breach—compromised credentials. Without the added layer of security through multi-factor authentication, it is more difficult to truly verify that the user who accessed the system is who they say they are, because passwords are still very easy to guess, crack, or steal.

Cybersecurity Sense Podcast: MFA is NOT a Silver Bullet

In this episode of Cybersecurity Sense, Derek Rush joins Bill Dean to discuss multifactor authentication (MFA). Many organizations have turned to MFA to maintain data security. The goal is to go beyond passwords and make it more difficult for cyber criminals to attack. However, MFA isn’t a silver bullet against all security threats, and even though it is better to have it in place, it’s not foolproof. During this episode, our experts will discuss where MFA implementation breaks down, and what we recommend for clients to do differently.

How Multi-Factor Authentication Can Affect Your Environment

The same layering applies to multi-factor authentication when connecting to services on the internet. It’s a simple matter for user credentials to become compromised through password and phishing attacks. While employees are required to undergo security awareness training, phishing threats are becoming more sophisticated, and users may not fully understand the risks a network is exposed to if a hacker takes advantage of compromised credentials.

Instead of creating a strong passphrase (not a password) when prompted, users do the bare minimum. Threat actors know this and will take advantage of it when they can. And, if your network is connected to the internet and you’re not using multi-factor authentication to log in, those threat actors can walk right through the front door.

The need for multi-factor authentication extends beyond your immediate network, too. If your organization uses the assistance of any third-party services, they should also use multi-factor authentication.

Here’s why:

You can enforce password complexity rules, but you can’t force people to use different passwords for all the third-party services used by your company. Now, imagine a threat actor has obtained a user’s password by guessing it or successfully phishing the user. They attempt to use the compromised credential to log in to your corporate network—where you have MFA installed. The first factor is successful, but when it comes to the second factor, the malicious user is unable to successfully log in.

They’ll likely take the compromised credential and try it on the third-party services commonly used by organizations until it works somewhere. So, while the threat actor might not directly gain access to your network, they could still gain access to sensitive data or business processes if you don’t have MFA installed on those third-party services.

Another scenario where you’ll want MFA is within segmented areas of your network containing highly sensitive data, such as a cardholder data environment (CDE). Even if multi-factor authentication is required to log in to your network, you would still add an extra layer of MFA to log in to the CDE—even though it’s not directly connected to the Internet.

Not only is this extra layer of security helpful for compliance, but it’s also important for protection of the most sensitive data held by your organization. Because, while multi-factor authentication is effective if executed correctly, it’s not infallible.

Consider this example:

You implement MFA for your network, teach employees to use it properly, and move on. You’ve got MFA installed and active for all corporate services (email, remote access, and third-party services included) by redirecting users to a Single Sign-On (SSO) authentication portal that requires MFA. So, you’re good to go, right?

Not exactly.

A threat actor in an undisclosed location is attempting to access the account of one of your new employees, who may not have paid close attention during the new employee security awareness training. The employee keeps getting alerts on their phone from the MFA app they installed when they began working at the company.

The employee knows they’re not trying to log in, but they brush it off as a technical malfunction. The employee eventually gets tired of hearing their phone go off, so they confirm the login request from the MFA app.

And, just like that, a threat actor has entered your network, even though you’ve got MFA installed.

There are no guarantees in information security. While you can set yourself up as best as possible, user error should always be a factor in your decision making and infrastructure. Are repeated successful password logins followed by failed or unanswered MFA prompts being alerted on within your security monitoring processes?
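The monitoring question above is one a detection rule can answer. The following is an added example, not code from LBMC or the original article; it assumes a constructed key=value log format and a hypothetical threshold of three unapproved MFA pushes within ten minutes, and it flags the case the scenario describes, where repeated unapproved pushes are followed by an approval.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (not real logs): password stage, then MFA push stage.
SAMPLE_LOG = """\
2024-03-04T08:00:01Z user=jdoe stage=password result=success src=203.0.113.7
2024-03-04T08:00:02Z user=jdoe stage=mfa_push result=denied src=203.0.113.7
2024-03-04T08:01:10Z user=jdoe stage=password result=success src=203.0.113.7
2024-03-04T08:01:11Z user=jdoe stage=mfa_push result=timeout src=203.0.113.7
2024-03-04T08:02:30Z user=jdoe stage=password result=success src=203.0.113.7
2024-03-04T08:02:31Z user=jdoe stage=mfa_push result=timeout src=203.0.113.7
2024-03-04T08:03:40Z user=jdoe stage=password result=success src=203.0.113.7
2024-03-04T08:03:55Z user=jdoe stage=mfa_push result=approved src=203.0.113.7
2024-03-04T08:05:00Z user=asmith stage=password result=success src=198.51.100.2
2024-03-04T08:05:03Z user=asmith stage=mfa_push result=approved src=198.51.100.2
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) stage=(\S+) result=(\S+) src=(\S+)$")

def parse(text):
    """Parse the key=value lines into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
                           "user": m.group(2), "stage": m.group(3),
                           "result": m.group(4), "src": m.group(5)})
    return events

def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Alert on users with >= threshold MFA pushes that were not approved inside
    `window`, and record whether an approval followed (the scenario above)."""
    pushes = defaultdict(list)
    for e in events:
        if e["stage"] == "mfa_push":
            pushes[e["user"]].append(e)
    alerts = []
    for user, evs in pushes.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            span = [p for p in evs[i:] if p["ts"] - first["ts"] <= window]
            bad = [p for p in span if p["result"] != "approved"]
            if len(bad) >= threshold:
                later_ok = any(p["result"] == "approved" and p["ts"] > bad[-1]["ts"] for p in span)
                alerts.append({"user": user, "unapproved": len(bad), "approved_after": later_ok,
                               "sources": sorted({p["src"] for p in span})})
                break
    return alerts
```

An alert with `approved_after` set is the one to escalate first, since the account is already in use; `sources` tells the responder which addresses to compare against the user's normal locations.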

The needs of networks can vary based on the size and type of organization. Determining how to best protect your assets and educate your employees can present unexpected and unique challenges. So, if you’re looking for some guidance on how to best secure your network or implement MFA, just let us know, and we’d be glad to help you get started today.

What are the Benefits of Multi-Factor Authentication?

Implementing multi-factor authentication across an organization’s Internet-facing assets is one of the most effective ways to prevent unauthorized access to sensitive data. Multi-factor authentication, when implemented correctly, can be used to safeguard often overlooked points of authentication, such as email and business applications. Without this extra layer of protection, an attacker can exploit an exposed email account or compromise a poorly-protected application to gain access to additional user information—or even worse, use the compromise as a “foothold” to escalate privileges and gain superuser access to the entire environment.

An often-overlooked benefit of multi-factor authentication is seen when threat actors attempt to authenticate to an account with multi-factor authentication enabled, and the targeted employee receives the second authentication factor. The employee, if trained properly, should recognize the compromise and report it to his or her security or IT department for resolution and further prevention.

How Can Multi-Factor Authentication Be Applied?

Multi-factor authentication can be used in any scenario (internal or external) where an additional layer of protection and security against compromised credentials is required. One of the most important applications of multi-factor authentication is its use for accessing and managing network environments remotely. Since accessing remote environments does not require an attacker to be present in order to gain access to a computing resource, it creates a layer of anonymity that an attacker can use to their advantage. Whenever talking about remote access, we also want to think about a secondary control like multi-factor authentication to ensure that whoever is accessing the remote resources is truly who they say they are. Multi-factor authentication provides this assurance in remote environments and is highly recommended for any remote access, and especially so for remote administration of cloud services.

With the increase in cyber-attacks on organizations, password strength cannot be relied on as the only layer of protection to prevent threat actors from gaining unauthorized access. Although not bullet-proof, multi-factor authentication is a proven way to lessen the likelihood of a data breach via a compromised password.

Adopt Two-Factor Authentication for System Admins and Remote Use

Bad guys are always looking for the path of least resistance, and one of the easiest ways to gain unauthorized access is by stealing credentials from approved users. That’s the idea behind phishing attacks, but it also represents a driving force in targeting user credentials in instances such as the 2016 Yahoo! breach, in which the account information and encrypted passwords of at least 500 million accounts were stolen.

Password/passphrase re-use by users is always an issue, and it’s certainly not uncommon for an employee to use his/her work credentials when creating accounts with third-party sites. Therefore, if third-party data breaches lead to the widespread public disclosure of hundreds of millions of username and password combinations, those could be used to successfully gain remote access to your environment by an unauthorized user.

Such unauthorized access likely would manifest as remote logins via VPN or access to online Web portals (especially email). Requiring a second authentication factor for remote access, such as a text sent to a user’s mobile phone, helps mitigate the chance that a compromised password or passphrase will grant an unauthorized user external access to the organization’s environment and/or resources. Many organizations already use two-factor authentication for VPN access, but online Web portals and email often are overlooked. The information that can be gained from such portals can be quite useful to malicious actors when performing recon, so consider such a risk to your environment when pondering whether to use two-factor for external portals and email access.

System administrators certainly are not immune to password/passphrase re-use issues. Due to their constant work with highly sensitive resources and information within the organization, system admins should be required to use two-factor authentication for both local and remote access. They wield great power within your organization, and, to borrow an old comic book trope, with great power comes great responsibility – and the need for two-factor authentication.

Our team is ready to assist with a wide range of network defense services.

Want to learn more about how LBMC Information Security’s experts can help your organization prevent an attack through multi-factor authentication? Contact us today!