The MFA Checkbox Has Moved: What to Know
Alex Consilvio, HYPR
3 Min. Read | March 23, 2022
Ahhh, the good old days… Remember when you could buy some tokens, enable multi-factor authentication (MFA) for your VPN and Citrix users, and satisfy your Compliance team that you had ticked the box on authentication?
That MFA checkbox has moved.
Expanded Attack Surface
Why? A number of factors have contributed to this over the years: the proliferation of cell coverage and high-speed WiFi, increased use of web-based apps and mobile devices, and, of course, remote work. We no longer have the additional assurance that came from having to be physically in an office, badge in and be on the corporate network. Now most of us can and do work from just about anywhere at any time, on networks and devices with varying degrees of security. Zero Trust aims to address this. It starts from the baseline that no user, device or network is inherently trusted, and that each must be validated before any access is provided.
Sophisticated, Automated Hacking Tools
Attacks have become more sophisticated and, critically, more automated. Why expend resources to crack a password when you can simply text a user a phishing link and they give up their credentials freely? These types of attack are simple to execute with tools that are cheap and readily available. Moreover, they can be carried out at scale, and only a small percentage needs to succeed in order to make a profit. Existing MFA tools that rely on methods such as SMS, OTP or push notifications are subject to SIM swap and low-tech social engineering attacks (I had a personal experience with a SIM swap attack; it wasn't hard for the attacker to do). The recent FBI warning about a popular legacy MFA tool illustrates the point all too clearly.
This is how it was recently described to me by a security executive: "It's a game of whack-a-mole. We moved from OTP to push notifications, now because users get annoyed and just accept the push, opening us up to attack, we're going backwards to OTP again."
Even attacks that previously required more human intervention, such as voice calls, can now be automated using bots, increasing the scale and decreasing the cost of these attacks.
Back to the MFA checkbox: the recent OMB guidance on the Executive Order on Cybersecurity mandates that Federal agencies move to a Zero Trust model and, specific to authentication, stipulates "phishing-resistant MFA." This is notable in that it recognizes that the legacy MFA methods mentioned above are insufficient going forward and must be discontinued. The EO states that any public-facing agency must offer phishing-resistant MFA within one year, by January 2023, and encourages passwordless MFA as the primary means of authentication.
This mandate offers a unique opportunity, because in addition to being phishing-resistant, passwordless MFA provides the benefit of a better user experience for login. Haven't we all been locked out of a service because we forgot the password? Does anyone really enjoy using passwords?
That said, passwords have a tail as long as the mainframes they were created to protect 60 years ago, so resistance to change and the inertia of doing nothing can be real impediments. CISOs would be well advised not to discount these aspects when planning a move to passwordless MFA, and to work with a partner who has experience with communication and training, and a proven track record of success.
Zero Trust is the why, phishing-resistant MFA is the what, passwordless is the how; you can guess the when, right?
To learn how you can get phishing-resistant passwordless MFA now, contact our team.