How to meet evolving MFA demands in the current threat landscape

Multi-factor authentication (MFA) is a crucial weapon in the fight against cybercrime, significantly enhancing online security for businesses and individuals. However, cybercriminals don’t stand still – and neither should your MFA defenses.

So how can you stay on top of rapidly evolving requirements? 

MFA is a standard cybersecurity recommendation today.  While it comes in different forms, the more lines of defense you have, the better. Two-factor authentication (2FA), for example, is a form of MFA. But as the name suggests, it relies on just two layers of security, such as a password followed by a confirmation via a one-time passcode sent through text or email.

A stronger approach would go beyond two steps, to perhaps also include a biometric approach, like a facial scan or fingerprint. 

MFA is backed at the highest levels. No less an authority than the US Cybersecurity & Infrastructure Agency (CISA) extols the benefits of MFA over the traditional approach of using a password on its own (even if it’s a strong password). 

“Users who enable MFA are significantly less likely to get hacked. Why? Because even if a malicious cyber actor compromises one factor (like your password), they will be unable to meet the second authentication requirement, which ultimately stops them from gaining access to your accounts,” CISA notes.

Organizations have been paying attention. According to Statista, the global MFA market was valued at almost $13 billion in 2022 and was set to double in value by 2027. 

Changing regulatory oversight

There’s a growing regulatory demand for MFA, too. It’s a requirement in PCI-DSS 4.0, a core framework for global organizations that store, process or transmit cardholder data.

This refers to the Payment Card Industry Data Security Standard, designed to protect cardholders and businesses that handle cardholder data from cyberattacks and breaches. PCI DSS 4.0 came into effect on April 1, 2024.

As part of the new requirements, organizations must implement MFA for all access into their cardholder data environment (CDE). 

In the EU, MFA is included as part of the Revised Directive on Payment Services (PSD2), which requires strong customer authentication (SCA).

“In essence, this directive ensures that transactions occurring within the EU’s economic territories make use of multi-factor authentication in order to verify a buyer’s identity,” notes the Payments Association EU.  

Regulations and recommendations are being updated to meet the growing danger of hackers circumventing MFA. As noted by the International Association of Privacy Professionals (IAPP), in two recent cases, the US Federal Trade Commission (FTC) ordered companies to require phishing-resistant MFA for their employees, contractors, and affiliates.

This came on top of new guidance from CISA that warned of the vulnerability of some forms of MFA to attacks like phishing, prompt bombing and more. 

New dangers to MFA

MFA is powerful, especially when it goes beyond two factors, but organizations shouldn’t think of it as impenetrable. Unfortunately, there are several ways that MFA can be compromised. 

Take ‘prompt bombing’, for example. Modern authentication apps offer push notifications to prompt users to accept or deny a login request. This has obvious benefits. However, it can also be exploited by attackers; if they’ve compromised a password, they could attempt to log in and generate an MFA response.

They might send these prompts over and over, hoping the user accepts one, either because they believe them to be genuine or because they simply want to silence the notifications. 

Sometimes these attacks deploy additional social engineering, where they nudge their victim towards accepting a prompt by falsely posing as another person, for example, a representative of an IT team.

This subtle technique can be used in other ways: it could see criminals trick helpdesks into bypassing MFA altogether by pretending to be real customers who’ve forgotten their passwords, gaining access via a phone call – like the recent MGM Resorts hack. 

Secure your defenses

Activities like prompt bombing are collectively known as ‘MFA fatigue’ attacks, designed to prey on the human tendency to tire of endless notifications and become immune to their warnings. And these attacks are becoming more prevalent in recent years, according to Microsoft. 

Studies by the tech giant show that around 1% of users will accept a simple approval request on the first try. If 1% sounds low, consider it across an organization with thousands of employees – that’s a lot of very risky end users.

 So how can organizations protect themselves and their clients? How can they ensure they meet evolving regulatory demands and stay at the cutting edge of an evolving domain? 

• Risk-based authentication: This approach looks at signals in the login request, searching for anomalies. It might be characteristics of the login session, like its geographic location, the time of day, or the number of login attempts from different locations.
• A secure password: The password is always the first line of attack for cybercriminals. Indeed, if someone is a victim of MFA fatigue, then the attacker has already compromised their password. There are a range of options that can help detect compromised passwords and boost their quality, uniqueness, and strength. For example, Specops Password Policy blocks over 4 billion unique compromised passwords and helps guide users to produce stronger passwords – ones they’ll actually remember. 
• A smooth password reset process: In some organizations, changing a password isn’t as easy as it sounds. In remote work scenarios in particular, users might have to call a help desk to support them through the process. Even worse, they might simply decide to ignore the problem, keeping the compromised password in place. It’s vital that people can conveniently change their password. This demand is central to Specops uReset, which enables users to reset Active Directory passwords and update local cached credentials from the Windows logon screen on their workstations, even when off VPN. 

Staying on top of MFA demands

 The cybersecurity environment is never static. The threat posed by sophisticated cybercriminals constantly evolves, while the regulatory environment tightens its approaches in response. 

 This places a burden on all organizations. However, there are opportunities as well as dangers. Those organizations that embrace MFA best practice can build security for their customers and their employees.

But when MFA is beaten, the criminals always begin by circumventing a password. It might sound simple, but this basic security measure is still crucial, no matter the updates to regulations and security technologies. If you’re vulnerable here, you’re vulnerable everywhere.

To discuss how to improve password security and receive a demo or free trial of Specops Password Policy or Specops uReset, contact the Specops team to speak to an expert today.

 

Sponsored and written by Specops Software.