Common MFA mistakes — and how to fix them

<p>MFA has long been one of the most effective security controls an organization can deploy. It’s inexpensive compared to many security technologies, relatively easy to implement and capable of stopping a large percentage of credential-based attacks.</p>
<p>It’s not a coincidence that nearly every security framework and cyber insurance policy recommends or requires <a href=”https://www.techtarget.com/searchsecurity/definition/multifactor-authentication-MFA”>MFA</a>. Even so, simply checking the MFA-enabled box doesn’t mean an organization is adequately protected from attack. In many breaches, the victimized organization had MFA in place, and the flaw usually wasn’t in the technology itself.</p>
<p>The trouble often results from how MFA was deployed, configured or managed over time. Like any security control, MFA is only as effective as its implementation.</p>
<p>Let’s look at some common ways MFA can go wrong.</p>
<section class=”section main-article-chapter” data-menu-title=”Mistake #1: Assuming MFA provides complete coverage”>
<h2 class=”section-title”><i class=”icon” data-icon=”1″></i>Mistake #1: Assuming MFA provides complete coverage</h2>
<p><b>Problem: </b>One of the biggest mistakes organizations make is believing MFA is universally enforced. In reality, it’s common to find exceptions that have accumulated over time. Service accounts, legacy applications, VPN appliances, privileged administrator accounts, emergency access accounts and older authentication protocols are often excluded because they were difficult to migrate or were temporarily exempted during deployment. It’s also not uncommon for some high-level executives or other key stakeholders to be granted exemptions because they find MFA a nuisance.</p>
<p>Attackers don’t care whether 98% of a target’s users have MFA — they’ll find that 2%.</p>
<p><b>Solution: </b>Periodically review authentication policies and identify accounts, applications or protocols that bypass MFA requirements, and, at minimum, enable more rigorous monitoring on these accounts.</p>
</section>
<section class=”section main-article-chapter” data-menu-title=”Mistake #2: Relying on weak authentication factors”>
<h2 class=”section-title”><i class=”icon” data-icon=”1″></i>Mistake #2: Relying on weak authentication factors</h2>
<p><b>Problem:</b> Not all MFA methods provide the same level of protection. SMS-based one-time codes remain common, but they’re increasingly vulnerable to <a href=”https://www.techtarget.com/whatis/definition/SIM-swap-attack-SIM-intercept-attack”>SIM swapping</a>, phishing and social engineering schemes. Email-based verification introduces many of the same weaknesses if the email account itself becomes compromised.</p>
<p><b>Solution:</b> Prioritize phishing-resistant methods whenever possible, such as <a target=”_blank” href=”https://fidoalliance.org/specifications/” rel=”noopener”>FIDO2 security keys</a>, <a href=”https://www.techtarget.com/whatis/definition/passkey”>passkeys</a>, <a href=”https://www.techtarget.com/searchenterprisedesktop/tip/How-to-set-up-Windows-Hello-for-Business-step-by-step”>Windows Hello for Business</a> or platform authenticators built into endpoint devices. These are much more difficult for attackers to outmaneuver.</p>
</section>
<section class=”section main-article-chapter” data-menu-title=”Mistake #3: Giving in to MFA fatigue”>
<h2 class=”section-title”><i class=”icon” data-icon=”1″></i>Mistake #3: Giving in to MFA fatigue</h2>
<p><b>Problem:</b> Push notifications made MFA easier for users, but they also created an opportunity for attackers. In an <a href=”https://www.techtarget.com/searchsecurity/feature/How-to-solve-MFA-challenges-SIM-swapping-and-MFA-fatigue”>MFA fatigue attack</a>, malicious hackers bombard users with repeated approval requests, assuming that someone will eventually tap “Approve” simply to make the notifications stop. Combined with convincing social engineering, this technique successfully bypassed MFA in several <a target=”_blank” href=”https://www.cybersecuritydive.com/news/mfa-multi-factor-authentication-cisco-talos-cyber/719254/” rel=”noopener”>high-profile breaches in recent years</a>.</p>
<p><b>Solution:</b> Many modern authentication platforms have implemented number matching, location awareness and additional verification steps. These features can significantly reduce accidental approvals. Enable them wherever possible.</p>
</section>
<section class=”section main-article-chapter” data-menu-title=”Mistake #4: Neglecting session security”>
<h2 class=”section-title”>&l

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from Search Security Resources and Information from TechTarget

Read the original article: