By Jay Martin, GreenPages Security Practice Lead
Multifactor authentication can protect today's hybrid workforces from cyberattacks designed to steal, destroy, or ransom a company's extremely valuable data.
We live in an always-connected, multi-device, and multi-platform world. You probably use a MacBook or PC laptop for work. When you're at the airport or watching your kid at a school event, you're periodically checking work emails from your smartphone. And you likely have documents and emails stored in the cloud so that your work is accessible across all these devices and platforms.
However, using standard "enter your username and password" login credentials for any cloud-based resources is a security nightmare for IT leaders. Literally billions of usernames and passwords have been stolen and posted online, and they are exploited by criminals every day. Many users still reuse their corporate usernames (typically their work email address) and passwords—or at least a variation of that password—on personal websites.
Just last year, we saw hackers steal millions of user credentials from cloud-first companies like Uber, Twitter, Marriott, Cloudflare, and Twilio. These credential harvesting campaigns are just the beginning for criminal hackers. Even if criminals don't have the latest password for the username, they'll follow up with a brute force attack to guess weak passwords, get into the compromised cloud account, and then move laterally inside the corporate network.
That's why every IT department should include a multifactor authentication (MFA) process to secure their employees' user accounts across all devices and platforms. Any login with MFA requires a user to present a combination of two or more unique credentials to verify their identity. So, even if one user credential becomes compromised—for example, the user's password is known or guessed by brute force—the criminal won't have the second authentication requirement and is blocked from completing the login.
What Is Multifactor Authentication?
The idea of multifactor authentication is not new. In the ancient times before Netflix (you see this written on wiki pages as "1996 B.N."), people watched movies in their homes on physical media rented from retail stores like Blockbuster. The movies on physical media were a costly capital expense for the retailer, so the retailer generated profit from many customers paying a few dollars to rent the physical media for a day or two. To protect the retailer against a customer not returning that physical media, the rental store had customers provide two or more forms of identification to authenticate their accounts.
[Image: Exterior of the last remaining Blockbuster Video location in Bend, OR. Credit: Coasterlover, 2018]
Fast forward to our modern cloud-first world where an online account with multifactor authentication is more secure than just relying on an ID and password. That's because adding a second or third factor compensates for the weakness of that single authentication factor.
More Factors = More Security for Users
It is important to allow more than just one authentication factor for your users. This is so everyone in your organization has access to an alternate MFA option in case their primary option is unavailable. GreenPages deploys, configures, and manages multifactor authentication for customers. Two-factor authentication (2FA) is the most common deployment and combines what you know (your password) with what you have using a variety of industry-standard methods including:
Voice or text to a phone – These options allow for sending either an automated voice call or text message to the user's phone. The user can answer the voice call and press the # key on the phone keypad to approve their authentication. The text message has a verification code the user must type into the sign-in interface. "Call to phone" is a great backup method for notification or a verification code from a mobile app if the user cannot receive SMS texts on their phone.
Push notification through a mobile app – A push notification is sent to an authenticator app on a user's personal or corporate-owned device. The user views the notification and hits the "Approve" link to complete verification. Business IT leaders can set up push notifications using mobile apps such as Duo Mobile and Microsoft Authenticator for both Google Android and Apple iOS. However, if your users travel to China, note that push notifications on Android phones don't work the same way there as they do in the rest of the world. This is a perfect real-world example of why you should always have multiple authentication options for your users.
Hardware security keys – Based on the open standards created by the Fast Identity Online (FIDO) Alliance, these small devices store an encrypted private authentication key unique to a user that often includes a biometric component such as a fingerprint. Because hardware keys must be in the possession of the user to authorize the MFA challenge, and the user's login credentials are stored on the device rather than a server, this security model eliminates not only password theft but also phishing risks.
Even with MFA, You Can Still Get Hacked
Deploying multifactor authentication at your business does not guarantee an employee won't be the victim of a cyberattack. Sure, MFA helps make users more secure, but nothing can protect your employees against 100% of all methods of compromise. Speaking of percentages, there's been a widely distributed statistic about the efficacy of MFA, claiming for years that it can stop 99.9% of attacks. But if you really think about it, that means every other possible type of attack—from phishing/malware, to insider threats, distributed denial of service (DDoS), and even cloud storage bucket misconfigurations—accounts for the 0.1% of successful attacks. Considering that most of the IT security professionals I've worked with estimate that unpatched software is the cause of the majority of successful cyberattacks, it's obvious that the 99.9% statistic is...well, let's just say "outdated."
In early 2022, the Cybersecurity & Infrastructure Security Agency (CISA) warned that bad actors were exploiting "default MFA protocols and a known vulnerability" to automatically enroll devices for multifactor authentication on corporate networks. The attackers would use a combination of stolen user credentials, automated policies for enrollment of MFA devices, and unpatched software to effectively bypass multifactor authentication and gain full access to the victim's cloud storage and corporate email. To mitigate damage from these attacks, the best course of action is for an IT department to adopt and enforce zero trust access policies that include MFA as one part of a holistic security strategy.
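One way a security team could watch for the enrollment abuse described above, shown as an added example that is not from the original article or from CISA: flag any new MFA device enrollment that follows a burst of failed logins or comes from an address the user has never completed MFA from. The log format, event names, addresses, and thresholds are all constructed assumptions, not any product's real schema.

```python
from datetime import datetime, timedelta

# Constructed sample events (illustrative format, not any product's real log schema):
# timestamp, user, event, source IP
SAMPLE_LOG = """\
2022-03-01T08:00:00Z alice mfa_success 198.51.100.10
2022-03-01T09:15:00Z alice mfa_enroll 198.51.100.10
2022-03-01T10:00:05Z bob login_failure 203.0.113.7
2022-03-01T10:00:09Z bob login_failure 203.0.113.7
2022-03-01T10:00:14Z bob login_failure 203.0.113.7
2022-03-01T10:00:20Z bob login_success 203.0.113.7
2022-03-01T10:01:00Z bob mfa_enroll 203.0.113.7
2022-03-01T11:30:00Z carol mfa_enroll 192.0.2.44
"""

FAIL_THRESHOLD = 3               # assumed tuning value
WINDOW = timedelta(minutes=30)   # assumed look-back before an enrollment

def parse(line):
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip

def suspicious_enrollments(log_text):
    """Return (user, ip, reasons) for each MFA enrollment that needs review.

    Assumes the log is in chronological order.
    """
    failures = {}    # user -> timestamps of failed password attempts
    known_ips = {}   # user -> IPs already seen completing an MFA challenge
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        ts, user, event, ip = parse(line)
        if event == "login_failure":
            failures.setdefault(user, []).append(ts)
        elif event == "mfa_success":
            known_ips.setdefault(user, set()).add(ip)
        elif event == "mfa_enroll":
            reasons = []
            recent = [t for t in failures.get(user, []) if ts - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                reasons.append("failed-login burst before enrollment")
            if ip not in known_ips.get(user, set()):
                reasons.append("enrollment from IP with no prior MFA login")
            if reasons:
                alerts.append((user, ip, reasons))
    return alerts

if __name__ == "__main__":
    for user, ip, reasons in suspicious_enrollments(SAMPLE_LOG):
        print(f"REVIEW {user} from {ip}: {'; '.join(reasons)}")
```

A legitimate first-time enrollment also lands in the single-reason bucket (carol in the sample), so alerts of that kind are prompts for out-of-band confirmation with the user rather than proof of compromise.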
Setting Up Multifactor Authentication Security at Your Business
The good news is that most providers of cloud-centric IT tools for business have multifactor authentication options for securing user accounts. For example, Microsoft 365 for Business subscribers get a free version of MFA in the cloud called "Azure multifactor authentication." It is a full-featured and highly configurable MFA option but is not enabled for all Microsoft 365 users by default. Azure MFA is just one of the many options IT managers and cybersecurity professionals can use to implement multifactor authentication for users.
However, setting up MFA at scale is often difficult for overworked IT departments. The process can be painful for mid-sized organizations with 200, 500, or over 1,000 employees that don't have a dedicated cybersecurity expert on staff. For these organizations, using a managed service provider like GreenPages can help quickly and successfully configure and manage a multifactor authentication environment. In addition, our cybersecurity experts can work as an extension of your existing IT department to reduce the attack surfaces of your cloud assets, corporate network, and hybrid workforce while improving ease of use for end users.