Cyber Security and the Role of Multifactor Authentication in 2019

So what’s it all about anyway? 

Multifactor Authentication (“MFA”) has long been regarded as a best-practice for enhancing the security of an organization’s technology environment and user accounts, helping to protect data, applications, networks, and/or systems against unauthorized access, while bolstering organizational defenses against cyber-attacks.

For any folks out there who may not be intimately familiar with Multifactor Authentication, it can generally be described as a category of enhanced security controls, processes, and technologies, which add an additional “layer” of security assurance for the verification of a user’s identity when accessing a system, application, network, and/or data. 

Said another way, MFA goes above and beyond “user names and passwords,” and when implemented appropriately, it can significantly enhance security for users and organizations. This typically involves the use of hardware or software tokens (“hard tokens” or “soft tokens,” commonly deployed as one-time-passcode generators), certificates, biometrics, or a number of mobile phone-based technologies. 

An example of Multifactor Authentication would be an individual having to enter their user name and password (that’s a single factor), in addition to a randomly-generated one-time-passcode from a hard token device (that’s a second factor), in order to obtain access to a computer system, application, or network. 

Summarizing the example above, the “Multiple Factors” in this instance are 1) the individual’s user name and password combination, or “something you know,” and 2) the randomly-generated passcode from the user’s hard token, or “something you have.” 

Other forms of MFA may include biometrics, such as fingerprint readers or facial recognition technology, which would be classified as “something you are.” 

Why is MFA considered stronger?  In this example, it would not be possible to access the system with solely the individual’s user name and password. In addition to knowing the password, the individual would be required to have physical possession of the hard token device, from which the user would have to obtain a valid one-time-passcode. 

For those who are interested in learning more about the basics of MFA, there is a host of solid information on this topic available from the National Institute of Standards and Technology (“NIST”).

MFA has been around for a long time

If memory serves me correctly, I believe that I first used MFA nearly two decades ago. I was issued a small hard token device, commonly referred to as a “fob” at the time, which had an LCD display that generated one-time-passcodes continuously. Thinking back, it had the appearance of a very cool "high-tech" keychain. 

I used MFA primarily for remote network access, and for access to certain technology platforms, as did countless other IT and security practitioners. I chuckle now as I recall that people used to ask me about the sleek little device from time to time when I would pull it out while working on my laptop. 

Back then, MFA was not nearly as common as it is today, and it was primarily seen in the most highly-regulated industries, in certain technology environments, or in other security-centric organizations.  

MFA right here, right now

It’s 2019, and Multifactor Authentication is more critical than ever. Given that October is National Cyber Security Awareness Month, I thought I would share a few thoughts on “the current state” of MFA in the broader business operating environment.   

With the proliferation of cyber-attacks that are focused on compromising user accounts (e.g. Account Takeover or “ATO” attacks), MFA is a security control that all organizations should strongly consider, particularly if they are concerned with threats, risks, and compliance objectives related to confidentiality, availability, and integrity of their data, applications, systems, and networks. 

Let’s not be shy about it: MFA isn’t just for large or heavily-regulated global organizations any longer. One could make the argument that it is difficult (maybe impossible) to build a “reasonable” organizational security program in 2019 without the thoughtful, risk-based adoption and implementation of MFA, particularly for organizations with significant technology footprints and dependencies. 

The collection, storage, processing, and transmission of any type of sensitive or regulated data (e.g. personally identifiable information, healthcare records, and/or payment information) increases the need for stronger security, including MFA, in addition to other substantive security controls.   

MFA under attack

Unfortunately, MFA is not necessarily a “perfect” security control by itself. In fact, there are two broad categories of cyber-attacks that have been utilized to circumvent certain Multifactor Authentication environments, which can be summarized as follows:

  • Social Engineering Attacks:  In these scenarios, a malicious actor may utilize fairly unsophisticated or non-technical means to obtain user names, passwords, and MFA tokens. By exploiting weaknesses in the “human element” of the process, the attacker is able to effectively collect all of the information that they need to obtain unauthorized access to data, systems, networks, or applications. This can include a combination of attack techniques, including email phishing, vishing, or even physical theft of hard token devices. It is also worth noting that mobile phone SIM Swap attacks typically involve a Social Engineering component. 
  • Technical Attacks: These scenarios generally involve a bit more technical sophistication on the part of the cyber-criminal, as they require the successful exploitation of technical architecture and/or implementation vulnerabilities in an organization’s MFA system in order to obtain unauthorized access. Examples of technical attacks include compromised web pages or login functions, man-in-the-middle attacks, session hijacking, and attacks that utilize malicious software and tools that are purpose-built to defeat MFA controls.

Reasonable and defensible security, including MFA

In light of recent cyber-threat activity, including successful attacks on MFA and other seemingly-robust restricted access controls, let’s take a moment to remind ourselves and to drive awareness of a critical concept in the realm of cyber security, threat, and risk:  

Unfortunately, there is no “absolute” security. While Multifactor Authentication can be leveraged to significantly increase the relative strength of an organization’s overall security position against threats, organizations must remain vigilant in the continuous evaluation, testing, and enhancement of their security controls, including any MFA infrastructure and implementations.

Cyber threats are continuing to grow and evolve. Organizations cannot necessarily rely on yesterday’s security and countermeasures to be sufficient in the face of today’s cyber threats. 

There is a persistent need for continuous assessment, improvement, and evolution, if organizations wish to maintain and promote a business and technology operating environment that has reasonable security and resilience. 

These principles are relevant across the spectrum of organizations, industries, and cyber security domains, and most certainly apply to any Multifactor Authentication implementation. A technical security control, including MFA, is really only as strong as its implementation and configuration. Said another way, not all MFA implementations provide the same level of security or assurance. There is a lot to consider, from a technology, process, and complexity standpoint.

Where to from here? MFA, and beyond...

So now what? Is the “end” of the usefulness of Multifactor Authentication approaching? Not hardly. MFA is not going away, and the various MFA technologies, profiles, architectures, and platforms available to organizations will continue to evolve. 

There is also analysis in the global market indicating that MFA will continue to be rolled out and implemented as part of organizational security at a fairly rapid rate.

Additionally, various regulators and compliance frameworks explicitly call out Multifactor Authentication as a key control, including the New York Department of Financial Services Cyber Security Requirements, Defense Federal Acquisition Regulation Supplement (DFARS)/NIST 800-171 compliance for Federal contractors in the Defense industry, and the Payment Card Industry Data Security Standard (PCI DSS), among many others.

Having said that, this is an important and opportune time for organizations to take a fresh, rigorous, and thorough look at their broader security, authentication, and restricted access strategies. Rather than solely focusing on MFA as a “cure-all” for cyber risks, organizations should make efforts to ensure that they are focusing on all aspects of security architecture, process, controls, and technology, while also contemplating compliance requirements, business leadership expectations, and human factors. 

Key next-steps for organizations to consider when contemplating cyber security and MFA include:

+ Risk-based Analysis of the Organization’s Systems, Applications, Data, and Networks: Does the organization know whether or not critical systems, applications, and/or data are reasonably protected today? Has the organization identified, analyzed, and considered the risks and threats it faces related to sensitive data, confidentiality, integrity, availability, and compliance requirements?

+ Integrated Framework of Authentication and Restricted Access Controls: Has the organization implemented appropriate preventative and detective controls, including MFA and other complementary measures? Is there sufficient ongoing testing, assessment, and monitoring of these controls?

+ Vulnerability Management: Does the organization have a holistic approach to identifying, analyzing, remediating, and tracking weaknesses and “holes” across the environment?

+ Security Awareness & Training: History has proven that far too often, the “human element” can reveal weaknesses in even the most sophisticated security technologies. What measures are in place to continuously influence human behavior related to cyber security, including consideration of common Social Engineering attacks?

+ Incident Response and Resilience: Even if solid controls are in place, including MFA, security incidents, events, and breaches can occur. Is the organization prepared for a cyber incident or breach? Have key processes, accountabilities, roles, responsibilities, partners, and tools been evaluated, defined, tested, and updated? Are other critical measures in place, including risk transference / cyber insurance?

I enjoyed reading your article. Interestingly, the New York Department of Finance's Cybersecurity regulation now requires organizations under their jurisdiction to implement MFA as a foundational compliance requirement.

Scott E. Augenbaum, they are reinforcing your comments on MFA. Hopefully companies start doing the prevention techniques necessary to become cyber resilient. #whatisyourcybersecuritystrategy #hylant

Great article CJ, and yes I remember those fobs well too!
