By Sumit Srivastava – Solution Engineering Manager – India & SAARC, CyberArk
Multi-factor authentication (MFA) is one of the most proven methods for ensuring security. MFA can help block up to 99.9% of account compromise attacks, reduce reliance on risky passwords, and simplify user authentication experiences using behavior-based analytics. Many security teams have taken their first step towards Zero Trust by implementing MFA. That said, MFA itself isn’t completely foolproof, and attackers have had success tricking users into giving up their second authentication key, and in some cases finding ways to circumvent MFA mechanisms altogether.
Seven questions to ask to strengthen your MFA system
It is common for hackers to use various digital and voice phishing techniques to steal credentials, then send repeated MFA push requests to a target’s mobile device to successfully trick employees and third-party vendors. Therefore, it is important to carefully consider how and where you deploy MFA.
As you go, review these seven questions, which can ensure that your organization’s MFA deployment is progressing in the right way:
Is your MFA system currently…
Using standards-based single sign-on (SSO)? Since credentials are inherently vulnerable to compromise, look for every opportunity to use less of them. Combining MFA with SSO eliminates user friction by reducing logins and swapping passwords for more intuitive methods like device certificates or biometrics. Whenever possible, use or create SSO tools that support standard protocols such as SAML or OpenID Connect.
Lock MFA records? When MFA is provisioned for a user, you need ways to verify that each user is who they say they are. Otherwise, attackers can steal passwords and try to register their own devices as authentication factors. To reduce risk, consider using an out-of-band process such as a phone call to verify if a recording request was made by the legitimate; only allow registration for one device per user; requiring a valid physical ID, such as a passport, as part of the user registration process.
Limit MFA prompts? When users are bombarded with requests, they may respond without thinking or out of exasperation. Setting thresholds for the number of MFA prompts a user can receive in a certain period can help combat user fatigue and make things harder for attackers.
Reinforced with Privileged Access Management (PAM) controls to protect all channels? This is essential to protect sensitive resources. With this approach, credentials to access a sensitive server, for example, are stored in a centralized vault. MFA authentication is required to connect to the vault and retrieve server credentials. Intelligent privileged controls provide session isolation so credentials are not exposed on the endpoint and monitor all credential usage regardless of channel.
Using analytics to balance security and productivity? You’re part of a rock star crew, but at some point you all need to sleep. Relying on AI and machine learning makes it possible to evaluate each access request based on the historical behavior of users, devices and network patterns in real time. If this context is not “normal”, the system can adapt controls such as requesting re-authentication or adjusting the level of access, and automatically detect risky activities earlier in the life cycle of the offensive. Analytics can help minimize end-user friction by putting barriers in place only when absolutely necessary based on a risk score.
Configured to log and monitor user activity in web applications? Otherwise, digging through the logs after an incident won’t do you any good. 80% of organizations report misuse or abuse of employee access to line-of-business applications, but nearly half have limited ability to view user logs and audit user activity. This makes it difficult to understand and control how employees and third-party partners use web applications and handle confidential data. Take steps to configure your system to log user actions in protected applications, create comprehensive and searchable audit trails, re-prompt users to re-authenticate during high-risk sessions (via code scan QR, for example). Also consider endpoint controls that prevent users from copying data or downloading files.
Supported by layered defense-in-depth controls? Even the best-configured MFA systems are not infallible. This is why the layering of identity security controls and practices, such as consistently applying least privilege and removing permanent access to sensitive infrastructure and cloud consoles, is essential. If one system fails, another stands ready to block attacks and protect sensitive assets.
These questions are just some of the recommended guidance that may prompt even more questions about how a unified identity security strategy – centered around intelligent privilege controls – can help organizations better defend against attacks, satisfy audits and compliance and enable digital business growth.
