MFA alone isn’t enough: Protect both passwords and the logon

Any system secured behind just a username and password is asking for trouble. Research from Microsoft estimates that over 99% of account takeover attacks can be stopped if the end user has multi-factor authentication (MFA) enabled. MFA is pretty much universally recommended by cyber experts and by standards bodies such as NIST, and there are no real downsides apart from a minor bit of user friction (providing the right choice of MFA is made!).

However, layered protection is key in cybersecurity. Relying solely on MFA and forgetting about password security can leave you vulnerable. Let’s find out why MFA alone is not enough.

Should you still be enabling MFA?

Of course! We would always recommend you protect Windows, VPN, and RDP logons with a reliable MFA solution like Specops Secure Access. It’s important not to put all your eggs in one basket, but that doesn’t take anything away from the many benefits of adding MFA to your organization’s logon processes:

  1. Additional security layer: MFA adds an extra layer of security by requiring users to provide multiple forms of verification. This makes it much harder for unauthorized individuals to gain access, even if they have the user’s password. By making it more difficult for attackers to gain unauthorized access, MFA can significantly reduce the risk of data breaches.
  2. Protection against phishing: MFA can help mitigate the risk of phishing attacks. Even if an attacker manages to trick a user into revealing their password, they would still need the second factor to gain access.
  3. Compliance: Many industries have strict regulations and compliance requirements for data security. Implementing MFA can help organizations meet these standards and avoid potential fines or legal issues.
  4. Improved user confidence: Knowing that their data and accounts are better protected can increase user confidence and trust in the organization. This is particularly important for customer-facing applications.
  5. Cost savings: While there may be initial costs associated with implementing MFA, the long-term savings from preventing security breaches and the associated costs (such as legal fees, customer notifications, and reputational damage) can be substantial.
  6. Flexibility and usability: Modern MFA solutions are designed to be user-friendly, often using methods like push notifications, SMS codes, or biometric verification. You can also set up easy-to-use hardware tokens for when mobile phones can’t be accessed. This ensures that security does not come at the cost of usability.
Secure your Active Directory access with MFA for Windows logon, VPN & RDP.

Consider adding MFA if you haven’t already

If you haven’t enabled MFA already, it’s worth asking the following questions and considering how the worst case scenarios could play out:

  • Do you have systems that can be accessed with just a password?
  • What data could someone access by stealing one of your end users’ laptops that only relies on a PIN or password for logon?
  • What data is stored locally on your workstations, laptops, and servers (e.g. cached files, cached emails, MFA tokens)?

If you want to add an effective MFA layer to your Windows logon, RDP, RADIUS, and VPN authentications, get in touch today and give Specops Secure Access a try.

Why MFA alone shouldn’t be the only line of defense

While MFA is a powerful security measure, it’s not advisable to completely disregard passwords and rely solely on a passwordless factor such as a PIN or a biometric. Here’s why:

  1. Layered security: Security is most effective when it is layered – but one weak layer (like a weak, easily-guessed password) can let the rest down. Passwords and MFA work together to provide a robust defense. If one layer fails, the other can still provide protection.
  2. Initial access: Passwords are typically the first line of defense. They are required to initiate the MFA process. Without a strong password, an attacker might bypass the initial login step more easily and only need to think about MFA.
  3. User education: Users need to be educated about the importance of strong passwords and good password hygiene. Relying solely on MFA might lead to complacency, where users might use weak or easily guessable passwords.
  4. Backup and recovery: What’s the recovery procedure you have in place, in case MFA is lost? In case of MFA failure (e.g., a user loses their phone or the MFA device is compromised), having a strong password can serve as a backup to regain access to the account.
  5. MFA vulnerabilities: MFA is not infallible. There are known vulnerabilities, such as SIM swapping attacks for SMS-based MFA, or social engineering attacks that can trick users into approving MFA requests.

Could your 2FA/MFA be compromised?

There are several ways MFA can be breached – we’ll cover the most common here.

MFA fatigue attacks

MFA fatigue attacks (also known as MFA prompt bombing) occur when attackers flood a user with multiple MFA prompts, causing them to approve a login request out of frustration or simply to stop the bombardment. These attacks exploit the user’s desire to end the constant notifications, even if it means compromising their account.
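As an added illustration (not from the original post) of how a defender can spot the pattern just described: a small Python rule that flags an approved push preceded by repeated denied or timed-out prompts for the same user within a short window, run over constructed sample log lines. The log format, field names, window and threshold are assumptions, not any vendor’s real schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): one MFA push event per line.
SAMPLE_LOG = """\
2025-04-11T08:00:02Z user=alice action=push_sent result=denied src=203.0.113.7
2025-04-11T08:00:31Z user=alice action=push_sent result=denied src=203.0.113.7
2025-04-11T08:01:05Z user=alice action=push_sent result=timeout src=203.0.113.7
2025-04-11T08:01:40Z user=alice action=push_sent result=denied src=203.0.113.7
2025-04-11T08:02:12Z user=alice action=push_sent result=approved src=203.0.113.7
2025-04-11T08:05:00Z user=bob action=push_sent result=approved src=198.51.100.4
2025-04-11T09:30:00Z user=carol action=push_sent result=denied src=198.51.100.9
2025-04-11T09:31:00Z user=carol action=push_sent result=approved src=198.51.100.9
"""

# Assumed log layout; adapt the pattern to your IdP's real export format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=push_sent "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)

def parse_events(text):
    """Turn raw lines into (timestamp, user, result, source_ip) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore unrelated or malformed lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["result"], m["src"]))
    return events

def detect_prompt_bombing(events, window=timedelta(minutes=5), min_rejections=3):
    """Return (user, src, rejections) for every approval that follows at least
    `min_rejections` denied/timed-out prompts for the same user within `window`."""
    alerts = []
    rejected = defaultdict(list)  # user -> timestamps of non-approved prompts
    for ts, user, result, src in sorted(events):
        recent = [t for t in rejected[user] if ts - t <= window]
        if result == "approved":
            if len(recent) >= min_rejections:
                alerts.append((user, src, len(recent)))
            rejected[user] = []  # a completed logon resets the baseline
        else:
            rejected[user] = recent + [ts]
    return alerts

if __name__ == "__main__":
    for alert in detect_prompt_bombing(parse_events(SAMPLE_LOG)):
        print("possible MFA fatigue:", alert)
```

Only alice trips the rule here: four rejected prompts in about two minutes, then an approval; carol’s single denial stays below the threshold.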

Social engineering at the helpdesk

Social engineering at helpdesks can exploit MFA by tricking support staff into bypassing MFA requirements or resetting user credentials. Attackers often use pretexting, where they impersonate legitimate users in distress, to gain unauthorized access. This happened in a recent attack on MGM Resorts.

Social engineering the end user

Hackers can exploit MFA by tricking users into revealing their MFA codes or by using phishing techniques to intercept the codes. Once the attacker has the MFA code, they can use it to gain unauthorized access to the user’s account.

Session hijacking

These attacks exploit vulnerabilities in web session management to gain access to a legitimate user’s active website or application session and impersonate them. The attacker intercepts or guesses the session identifier (a unique token assigned to a user upon login) and assumes the user’s identity within the system.

Exploiting single sign-on

Attackers can bypass MFA by exploiting Single Sign-On (SSO) systems, where gaining access to one account grants access to multiple services. They might use techniques like cookie theft or session hijacking to bypass MFA requirements.

Targeting backup authentication methods

Attackers can exploit MFA by targeting weaker backup authentication methods, such as security questions or recovery codes, which are often less secure. By gaining access through these methods, they can bypass the primary MFA mechanisms. Sometimes the password is the fallback when MFA fails, so it’s still important to have a good password policy and look for MFA solutions that provide flexibility.

Protect the password and the logon

In summary, while MFA is a critical component of a strong security strategy, it should be used in conjunction with strong passwords and other security practices to provide comprehensive protection.

Strong password security and MFA protection for the logon process are crucial because they provide multiple layers of defense against unauthorized access. A strong password is harder for attackers to guess or crack, while MFA adds an additional verification step, significantly reducing the risk of account compromise even if the password is stolen. Together, they offer robust protection against a wide range of cyber threats.

Using Specops Password Policy in tandem with MFA allows you to continuously block over 4 billion unique compromised passwords from your Active Directory. Admins can block end users from creating weak passwords and continuously scan for passwords that have become compromised through data breaches or password reuse. Interested to see how it can combine with Specops Secure Access MFA for protection of both your passwords and logons? Get in touch for a trial.

(Last updated on April 11, 2025)


Written by

Marcus White

Marcus is a Specops cybersecurity specialist based in the UK, with 8+ years experience in the tech and cyber sectors. He writes about authentication, password security, password management, and compliance.
