The password manager provider LastPass recently conducted a study which found that only 57% of companies use multi-factor authentication (MFA), even though it is one of the most effective ways to stop stolen credentials from being used to access email accounts and company networks.
With multi-factor authentication, users must present a second factor in addition to their password. If credentials are stolen, through a phishing attack for instance, the attacker cannot use them to access the account unless they can also supply the additional factor, such as a one-time code sent by SMS to a mobile phone or generated by a token.
The study, which covered 47,000 businesses, showed a 12% increase in MFA use since last year. Of the businesses that enforced MFA, 95% used a software-based method such as a mobile application, 4% used a hardware-based method, and 1% used biometrics such as a fingerprint scan. Software-based methods are typically the least expensive to deploy, which explains why they account for by far the largest share.
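As an added example (not code from the LastPass study or from any vendor the article mentions), here is a minimal implementation of the software-based one-time code that most of those 95% rely on: TOTP as specified in RFC 6238, built on HOTP (RFC 4226), together with a server-side verifier that tolerates one 30-second step of clock drift, compares codes in constant time and refuses to accept the same time step twice. The secret is the published RFC test vector rather than a real seed; the `TotpVerifier` class and its `window` and `last_used_step` names are assumptions of this example, not part of any standard.

```python
"""Added example: TOTP (RFC 6238) generation and server-side verification.

The secret below is the RFC 4226 / RFC 6238 test vector, not a real seed.
TotpVerifier, window and last_used_step are names chosen for this example.
"""

import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 shared test secret (ASCII "12345678901234567890").
# In a real deployment the seed is generated per user and stored encrypted.
TEST_SECRET = b"12345678901234567890"
STEP = 30      # time-step length in seconds
DIGITS = 6     # authenticator apps normally show 6 digits


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a decimal code of the requested length."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # low nibble picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the Unix time divided by the step."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server side of the check. Accepts a code for the current step or for
    `window` steps either side of it (clock drift), and never accepts a step
    at or below one that has already been consumed (replay protection)."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_used_step = -1   # highest counter already consumed

    def verify(self, submitted: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // STEP
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_used_step:
                continue            # already consumed (or older than one that was)
            expected = hotp(self.secret, step)
            # constant-time comparison so response timing leaks nothing
            if hmac.compare_digest(expected, submitted):
                self.last_used_step = step
                return True
        return False


if __name__ == "__main__":
    # Walk-through with fixed timestamps so the run is reproducible.
    verifier = TotpVerifier(TEST_SECRET)
    t0 = 1_000_000
    code = totp(TEST_SECRET, t0)                    # what the user's app shows
    print("code at t0:", code)
    print("accepted at t0:      ", verifier.verify(code, t0))        # True
    print("replayed 5s later:   ", verifier.verify(code, t0 + 5))    # False
    print("next step's code:    ",
          verifier.verify(totp(TEST_SECRET, t0 + STEP), t0 + STEP))  # True
```

The walk-through also shows what this check does not protect against: a code phished from the user and relayed to the real site within the same 30-second window is indistinguishable from the user's own login, and anyone who obtains the stored seed can compute every future code themselves. Those are exactly the gaps the later sections describe.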
The risk from phishing can be reduced with anti-phishing controls such as spam filters, and susceptibility to phishing attacks can be lowered through security awareness training and phishing simulation exercises. MFA should also be enforced as an additional layer of protection against phishing.
Microsoft’s Director of Identity Security, Alex Weinert, has stated that accounts protected by multi-factor authentication are 99.9% less likely to be compromised than accounts without it. Given how effective MFA is at stopping account compromise and the data breaches that follow, Microsoft’s own figures are surprising: they show that fewer than 10% of businesses are using MFA on their accounts.
Although MFA clearly reduces the risk of a data breach, it can also give businesses a false sense of security. Multi-factor authentication is not foolproof, and it should not be treated as a replacement for end-user training on phishing and social engineering.
Knowledge-based factors, such as security questions, can be bypassed by obtaining the answers through social engineering, and because MFA tokens have to be stored somewhere, they can be stolen; an attacker with a stolen token can use it to access the account. SMS-based codes can also be diverted through techniques such as SIM swapping, in which the attacker has the victim’s phone number transferred to a SIM card under their control. The FTC recently issued guidance on SIM swapping after a rise in such attacks.
As more companies adopt multi-factor authentication, attacks that bypass MFA have also increased. The surge prompted the FBI to warn businesses not to rely on MFA alone to protect their accounts. In September, the FBI issued a Private Industry Notification describing a range of techniques cybercriminals use to circumvent multi-factor authentication.
The FBI recommends biometrics for authenticating users in preference to software-based MFA options such as one-time codes or tokens. Biometric authentication is the strongest of these MFA methods, provided the biometric data itself is stored securely, since unlike a password or a token seed, a leaked fingerprint cannot be reissued.