November Tips

Multi-Factor Authentication – Stronger Security, but Training is Key

Back in the good old days, Multi-Factor Authentication (MFA) seemed like a silver bullet.  “If only we got MFA enabled on email/VPN/etc., we can stop worrying about that high-risk service!”  The industry jumped on board and now you can enable one-time passcodes or push authentication on just about everything from VPNs to email to your favorite online megaretailer.  The grateful townspeople thanked the InfoSec stranger as they dramatically rode off into the sunset…

Unfortunately, that last part didn’t happen.  While properly implemented MFA can be a significant obstacle to many attacks, it is no security panacea.  The biggest problem comes down to people.  What we are all learning (and what we see time and again during penetration tests) is that if we can trick a user into entering their credentials, we can probably get them to helpfully provide their one-time passcode (OTP) as well.  We have also had users accept random push notifications, allowing logins from sources they never initiated.  This isn’t all the user’s fault – a non-technical person is shown how to use the new magic token (or app) and how to log in with it.  They don’t always understand what it all means; they just need to get connected and do the job you are paying them to do.  That is where additional training comes in.

Users need to know what to look for, and who to report strange requests or push notifications to. That way, you can get a heads-up if something strange is going on.  This allows you to secure that person’s account before the bad guys can pull off their nefarious schemes.
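User reports are the first line of warning, but the same two patterns described above can also be spotted on the admin side.  The following is an added example, not part of the original tips: a small Python check over constructed sign-in events that flags a burst of push prompts to one user and a push approved from a source that user has never approved before.  The event fields and values are assumptions for illustration, not any particular vendor’s log format.

```python
"""Flag MFA push events matching the failure modes above: bursts of push
prompts (a user may be approving whatever pops up) and a push approved
for a sign-in from a source the user has never used. Sample events are
constructed for this example; field names are assumptions, not a vendor schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, event type, source IP).
EVENTS = [
    ("2023-11-01T08:02:10", "alice", "push_approved", "203.0.113.10"),
    ("2023-11-02T08:05:41", "alice", "push_approved", "203.0.113.10"),
    ("2023-11-03T02:14:03", "alice", "push_sent", "198.51.100.7"),
    ("2023-11-03T02:14:31", "alice", "push_sent", "198.51.100.7"),
    ("2023-11-03T02:15:02", "alice", "push_sent", "198.51.100.7"),
    ("2023-11-03T02:15:20", "alice", "push_approved", "198.51.100.7"),
    ("2023-11-03T09:00:00", "bob", "push_approved", "192.0.2.44"),
]

def flag_mfa_events(events, burst_window=timedelta(minutes=5), burst_count=3):
    """Return a list of (user, reason) findings, in event order.

    A source counts as 'known' only once the user has previously approved a
    push from it, so a user's very first approval builds the baseline and is
    not reported; the first approval from any new IP afterwards is."""
    known = defaultdict(set)      # user -> source IPs with a prior approval
    prompts = defaultdict(list)   # user -> timestamps of recent push prompts
    findings = []
    for ts, user, kind, ip in sorted(events):   # ISO timestamps sort as text
        when = datetime.fromisoformat(ts)
        if kind == "push_sent":
            recent = [t for t in prompts[user] if when - t <= burst_window]
            recent.append(when)
            prompts[user] = recent
            if len(recent) == burst_count:   # report once when the burst forms
                findings.append(
                    (user, f"{burst_count} push prompts within {burst_window} from {ip}"))
        elif kind == "push_approved":
            if known[user] and ip not in known[user]:
                findings.append((user, f"push approved from new source {ip}"))
            known[user].add(ip)
    return findings

if __name__ == "__main__":
    for user, reason in flag_mfa_events(EVENTS):
        print(f"{user}: {reason}")
```

Either finding is a prompt to contact the user and confirm the sign-in before the account is used further, which is the heads-up the training above is meant to produce.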

Consider the following regarding MFA: