By Sumit Srivastava – Solutions Engineering Manager – India & SAARC, CyberArk
One of the most tried and tested methods for ensuring security is Multi-Factor Authentication (MFA). MFA can help block up to 99.9% of account compromise attacks, reduce reliance on risky passwords and simplify user authentication experiences with the help of behavior-based analytics. Many security teams have taken their first step toward Zero Trust by implementing MFA. That said, MFA itself is not foolproof: attackers have managed to trick users into giving up their second factor, and in some instances they have found ways to bypass MFA mechanisms completely.
Seven questions to ask for strengthening your MFA system
It is common for hackers to employ various digital and voice-based phishing techniques to steal credentials, then send repeated MFA push requests to a target’s mobile device until the employee or third-party vendor gives in and approves one. Hence, it is important to take a hard look at how and where you’re deploying MFA.
As you do, review these seven questions, which can help ensure that your organization’s MFA deployment is progressing in the right way:
Is your MFA system currently…
Using standards-based single sign-on (SSO)? Since credentials are inherently vulnerable to compromise, look for every opportunity to rely on them less. Combining MFA with SSO reduces user friction by cutting the number of logons and swapping passwords for more intuitive methods such as device certificates or biometrics. Where possible, use or build SSO tools that support standard protocols such as SAML or OpenID Connect.
Locking down MFA registrations? When MFA is provisioned to a user, you need ways to verify that each user is who they claim to be. Otherwise, attackers can steal passwords and try to register their own devices as authentication factors. To reduce risk, consider using an out-of-band process, such as a phone call, to check that a registration request was made by the legitimate user; allowing registration of only one device per user; and requiring a valid physical ID, such as a passport, as part of the user registration process.
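The three registration controls above, as an added example written for this article rather than code from it or from CyberArk: a new authenticator stays pending until an out-of-band confirmation code is entered, each user may hold only one registered device, and registration is refused until identity proofing (such as a physical-ID check) has been recorded. The class, its in-memory store, the code length and the ten-minute expiry are all assumptions made for this example.

```python
"""MFA device-registration lockdown (added example; not code from the article
or from CyberArk). A new authenticator only becomes active after an
out-of-band confirmation code is entered, each user may hold one registered
device, and registration is refused until identity proofing (such as a
physical-ID check) has been recorded. The class, its store and the TTL are
assumptions made for this example."""
import hmac
import secrets
from dataclasses import dataclass

OOB_CODE_TTL_S = 600   # a pending registration expires after 10 minutes (assumed policy)


@dataclass
class PendingRegistration:
    device_id: str
    code: str
    created_at: float


class EnrollmentService:
    def __init__(self, send_out_of_band):
        # send_out_of_band(user, code): deliver the code on a channel the
        # attacker does not control, e.g. a voice call to the number on file.
        self._send = send_out_of_band
        self.id_proofed = set()    # users whose physical ID was checked at onboarding
        self.active = {}           # user -> device_id (at most one per user)
        self.pending = {}          # user -> PendingRegistration

    def start_registration(self, user, device_id, now):
        if user not in self.id_proofed:
            return "denied: identity proofing required"
        if user in self.active:
            # One device per user: a stolen password alone cannot be used to
            # add a second authenticator next to the legitimate one.
            return "denied: a device is already registered; revoke it first"
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = PendingRegistration(device_id, code, now)
        self._send(user, code)     # the code never goes back to the caller
        return "pending"

    def confirm_registration(self, user, device_id, submitted_code, now):
        """Activate the device only if the out-of-band code matches in time."""
        reg = self.pending.get(user)
        if reg is None or reg.device_id != device_id:
            return False
        if now - reg.created_at > OOB_CODE_TTL_S:
            del self.pending[user]
            return False
        if not hmac.compare_digest(reg.code, submitted_code):
            return False
        del self.pending[user]
        self.active[user] = device_id
        return True

    def revoke(self, user):
        """Help-desk path for a lost device; it must itself be identity-verified."""
        self.active.pop(user, None)


def demo():
    """Constructed walk-through of the policy for one user."""
    delivered = {}                                     # stands in for the voice-call channel
    svc = EnrollmentService(lambda user, code: delivered.__setitem__(user, code))
    out = {"unproofed": svc.start_registration("alice", "phone-1", now=0)}
    svc.id_proofed.add("alice")
    out["start"] = svc.start_registration("alice", "phone-1", now=0)
    wrong = "000000" if delivered["alice"] != "000000" else "111111"
    out["wrong_code"] = svc.confirm_registration("alice", "phone-1", wrong, now=10)
    out["right_code"] = svc.confirm_registration("alice", "phone-1", delivered["alice"], now=10)
    out["second_device"] = svc.start_registration("alice", "phone-2", now=20)
    svc.revoke("alice")
    svc.start_registration("alice", "phone-2", now=30)
    out["expired"] = svc.confirm_registration(
        "alice", "phone-2", delivered["alice"], now=30 + OOB_CODE_TTL_S + 1)
    return out
```

The confirmation code is handed only to the out-of-band sender, never returned to the web caller, and it is compared with `hmac.compare_digest` so a wrong guess does not leak timing information; the revoke path is the one place a second device can be introduced, which is why it needs its own identity check.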
Limiting MFA prompts? When users get bombarded with requests, they may respond without thinking or out of exasperation. Setting thresholds for the number of MFA prompts a user can get within a certain period can help fight user fatigue and make things harder for attackers.
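One way to implement the prompt threshold described above, as an added example that is not code from the article or from CyberArk: a per-user sliding window caps how many push prompts may be sent in a period, further prompts are blocked for a cool-off interval once the cap is hit, and each block is recorded as an alert for the security team, since a burst of prompts is itself the sign of push bombing. The class name, the thresholds and the scenario in `demo()` are assumptions.

```python
"""MFA push-prompt limiter (added example; not code from the article or from
CyberArk). It enforces a per-user threshold on the number of push prompts that
may be sent within a time window, blocks further prompts for a cool-off
period once the threshold is hit, and records an alert so the security team
can investigate likely push bombing. Thresholds and names are assumptions."""
import time
from collections import defaultdict, deque


class MfaPromptLimiter:
    def __init__(self, max_prompts=3, window_s=300, lockout_s=900):
        self.max_prompts = max_prompts      # prompts allowed per window (assumed policy)
        self.window_s = window_s            # sliding window length in seconds
        self.lockout_s = lockout_s          # how long prompts stay blocked after the cap is hit
        self._sent = defaultdict(deque)     # user -> timestamps of prompts sent in the window
        self._locked_until = {}             # user -> time at which prompts may resume
        self.alerts = []                    # (user, ts, prompts_in_window) for the SOC

    def request_prompt(self, user, now=None):
        """Decide whether a push prompt may be sent to `user` right now.

        Returns "sent" or "blocked". Callers dispatch the push only when the
        answer is "sent"; a "blocked" answer means something is repeatedly
        triggering prompts for this account and the user should not be asked
        again until the lockout has passed."""
        now = time.time() if now is None else now
        if self._locked_until.get(user, 0) > now:
            return "blocked"
        window = self._sent[user]
        while window and now - window[0] > self.window_s:   # drop prompts outside the window
            window.popleft()
        if len(window) >= self.max_prompts:
            self._locked_until[user] = now + self.lockout_s
            self.alerts.append((user, now, len(window)))   # one alert per lockout
            return "blocked"
        window.append(now)
        return "sent"


def demo():
    """Constructed scenario: five prompt requests for one user in two minutes."""
    limiter = MfaPromptLimiter(max_prompts=3, window_s=300, lockout_s=900)
    burst = [limiter.request_prompt("bob", t) for t in (0, 30, 60, 90, 120)]
    after_lockout = limiter.request_prompt("bob", 990)   # lockout (90 + 900) has expired
    other_user = limiter.request_prompt("carol", 100)    # unaffected by bob's lockout
    return {"burst": burst, "after_lockout": after_lockout,
            "other_user": other_user, "alerts": limiter.alerts}
```

The limiter sits in front of whatever sends the push, so the fourth and fifth requests in the burst never reach the user's phone; the recorded alert carries the user, the time and the count, which is what an analyst needs to check whether the source of the prompts was a compromised password.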
Strengthened with privileged access management (PAM) controls to protect all channels? This is critical for protecting sensitive resources. With this approach, credentials for accessing a sensitive server, for example, are stored in a centralized vault. MFA is required to log into the vault and check out the credential for the server. Intelligent privilege controls make it possible to isolate sessions, so the credential is never exposed on the endpoint, and to monitor all credential usage regardless of channel.
Using analytics to balance security and productivity? You are part of a rock-star team, but at some point, you all need to sleep. Leaning on AI and machine learning makes it possible to assess each access request based on historical user behavior, device, and network patterns in real time. If this context is not “normal,” the system can adapt controls such as requesting re-authentication or adjusting the level of access, and automatically detect risky activity earlier in the attack lifecycle. Analytics can help to minimize end-user friction by putting up gates only when absolutely necessary based on a risk score.
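The adaptive control described above, as an added example that is neither the article's nor CyberArk's code: a per-user baseline is learned from past successful logins (device, source network, hour of day), each new request is scored against it, and the score selects the control applied (allow, step-up re-authentication, or restricted access with an alert). The weights, the thresholds, the /24 generalisation of source addresses and the constructed login history are assumptions made for this example.

```python
"""Risk-based adaptive authentication (added example; not code from the
article or from CyberArk). A per-user baseline is learned from past
successful logins (device, source network, hour of day); each new request is
scored against it and mapped to allow / step-up / restrict. The weights,
thresholds and sample history are assumptions made for this example."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Baseline:
    devices: set = field(default_factory=set)
    networks: list = field(default_factory=list)   # ipaddress networks seen before
    hours: set = field(default_factory=set)         # UTC hours at which the user normally logs in


def learn_baseline(history):
    """history: iterable of (device_id, src_ip, hour_utc) from successful logins."""
    b = Baseline()
    for device_id, src_ip, hour in history:
        b.devices.add(device_id)
        # Generalise each source address to its /24 so a DHCP change on the
        # same office or home network does not look anomalous (assumed choice).
        net = ipaddress.ip_network(f"{src_ip}/24", strict=False)
        if net not in b.networks:
            b.networks.append(net)
        b.hours.add(hour)
    return b


# Risk weights: larger for signals that are harder for an attacker to forge (assumed).
WEIGHTS = {"unknown_device": 40, "unknown_network": 30, "unusual_hour": 15}


def _near_usual_hour(hour, usual_hours):
    # Treat an hour within one of a usual hour as normal, wrapping at midnight.
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in usual_hours)


def score_request(baseline, device_id, src_ip, hour_utc):
    """Return (score, reasons) for one access request."""
    reasons = []
    if device_id not in baseline.devices:
        reasons.append("unknown_device")
    ip = ipaddress.ip_address(src_ip)
    if not any(ip in net for net in baseline.networks):
        reasons.append("unknown_network")
    if not _near_usual_hour(hour_utc, baseline.hours):
        reasons.append("unusual_hour")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score):
    """Map a risk score to the control applied (thresholds are assumptions)."""
    if score < 30:
        return "allow"          # context matches history: no extra prompt
    if score < 60:
        return "step_up"        # re-authenticate with a stronger factor
    return "restrict"           # reduced access plus an alert for review


def demo():
    history = [("laptop-a", "203.0.113.10", 9), ("laptop-a", "203.0.113.77", 14),
               ("phone-a", "198.51.100.5", 18)]   # constructed login history
    baseline = learn_baseline(history)
    requests = {
        "usual": ("laptop-a", "203.0.113.40", 10),
        "new_network": ("laptop-a", "192.0.2.9", 10),
        "new_device_offhours": ("unknown-dev", "192.0.2.9", 3),
    }
    return {name: decide(score_request(baseline, *req)[0]) for name, req in requests.items()}
```

The user on a known laptop from the office network during working hours gets no prompt at all, which is the productivity half of the trade-off; the same laptop from an unseen network is asked to re-authenticate, and an unknown device at 03:00 from an unknown network is restricted outright, so the gate only appears when the context has actually changed.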
Configured to record and monitor user activity in web applications? If not, digging through logs after an incident won’t do you much good. 80% of organizations report employee misuse or abuse of access to business applications, yet nearly half have limited ability to view user logs and audit user activity. This makes it difficult to understand and control how employees and third-party partners are using web apps and handling confidential data. Take steps to configure your system to record user actions within protected apps, create complete and searchable audit trails, and prompt users to re-authenticate during high-risk sessions (via a QR code scan, for instance). Also consider endpoint controls that prevent users from copying data or downloading files.
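A minimal version of the searchable audit trail and in-session risk check described above, as an added example (not code from the article or from CyberArk): user actions inside a protected app are recorded as JSON lines, a search helper filters them by any field, and a policy function flags sessions that should be re-prompted for authentication because of a burst of confidential downloads or a bulk export. The log format, the field names, the sample events and the thresholds are constructed assumptions.

```python
"""Web-app audit trail with an in-session re-authentication check (added
example; not code from the article or from CyberArk). Events are JSON lines
with constructed field names; the thresholds are assumed policy values."""
import json
from collections import defaultdict, deque

# Constructed sample audit log: one line per user action in a protected app.
AUDIT_LOG = """\
{"ts": 1000, "user": "dana", "session": "s1", "action": "view", "resource": "/hr/salaries.xlsx", "label": "confidential"}
{"ts": 1010, "user": "dana", "session": "s1", "action": "download", "resource": "/hr/salaries.xlsx", "label": "confidential"}
{"ts": 1020, "user": "dana", "session": "s1", "action": "download", "resource": "/hr/bonuses.xlsx", "label": "confidential"}
{"ts": 1030, "user": "dana", "session": "s1", "action": "download", "resource": "/hr/reviews.docx", "label": "confidential"}
{"ts": 1500, "user": "ed", "session": "s2", "action": "download", "resource": "/marketing/logo.png", "label": "public"}
{"ts": 1510, "user": "ed", "session": "s2", "action": "download", "resource": "/marketing/deck.pptx", "label": "public"}
{"ts": 1520, "user": "ed", "session": "s2", "action": "download", "resource": "/marketing/plan.pdf", "label": "public"}
{"ts": 2000, "user": "fay", "session": "s3", "action": "export", "resource": "/crm/all-contacts", "label": "confidential"}
"""

REQUIRED_FIELDS = {"ts", "user", "session", "action", "resource", "label"}


def parse_audit_log(text):
    """Parse JSON lines into event dicts, rejecting records that lack a required field.

    A record missing its user or session cannot be attributed later, so it is
    better to fail loudly at ingest than to discover the gap during an incident."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        event = json.loads(line)
        missing = REQUIRED_FIELDS - event.keys()
        if missing:
            raise ValueError(f"line {lineno}: missing fields {sorted(missing)}")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def search(events, **filters):
    """Searchable trail: return events whose fields equal every given filter."""
    return [e for e in events if all(e.get(k) == v for k, v in filters.items())]


def sessions_needing_reauth(events, max_downloads=3, window_s=120):
    """Return {session: reason} for sessions whose activity calls for a re-authentication prompt."""
    flagged = {}
    recent = defaultdict(deque)          # session -> timestamps of confidential downloads
    for e in events:
        if e["label"] != "confidential":
            continue                     # public material does not trigger the policy
        if e["action"] == "export":
            flagged.setdefault(e["session"], "bulk export of confidential data")
            continue
        if e["action"] == "download":
            q = recent[e["session"]]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window_s:
                q.popleft()
            if len(q) >= max_downloads:
                flagged.setdefault(e["session"], f"{len(q)} confidential downloads within {window_s}s")
    return flagged
```

Run against the sample, the policy flags `s1` (three confidential downloads in twenty seconds) and `s3` (a bulk export) while leaving `s2` alone, and `search(events, user="ed")` answers the after-the-fact question of what a given user actually did.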
Supported by layered defense-in-depth controls? Even the most masterfully configured MFA systems aren’t fail-proof. That’s why layering Identity Security controls and practices – such as consistently enforcing least privilege and removing standing access to sensitive infrastructure and cloud consoles – is critical. If one system fails, another stands ready to block attacks and keep sensitive assets out of harm’s way.
These questions are only a starting point; they should prompt further questions about how a unified Identity Security strategy – centered on intelligent privilege controls – can help organizations better defend against attacks, satisfy audit and compliance requirements, and enable growth of the digital business.