Chances are you’ve heard the term MFA (Multi-factor Authentication) thrown around and how you should be using it. In our engagements, we often suggest implementing an MFA solution as a possible remediation for critical/high severity findings. Many clients see this as a very daunting and expensive endeavor, but it doesn’t have to be only for the Fortune 100! Let’s take a look at what MFA is, why it’s important, and how you can apply it to your small business.
What is MFA?
MFA is simply using a combination of different methods to prove you are who you say you are. The following methods are combined to do this:
- Knowledge (something you know) – Examples include a password, passphrase, PIN, or the answer to a security question.
- Possession (something you have) – For example, security token devices, cell phones, and smart cards.
- Inherence (something you are) – Traditionally these are biometrics such as a fingerprint, facial recognition, voice, iris, or even keystroke dynamics.
Keep in mind that for it to be MFA you must combine at least two separate methods from different groups. Combining two methods from the same group (two knowledge factors, say) is a common mistake we see in failed MFA implementations, and it usually results in no increased security.
Why is MFA important?
Implementing MFA is one of the solutions we most often recommend to the organizations we perform security assessments for. The reason is simple: we break into a lot of client assets with password attacks, and the same attacks are routinely used by malicious actors. Most users think “no one would ever target me”, “who would really try this password”, or the infamous “I can’t remember all these different passwords, so I’ll make it simple”. It’s easy to slide into this mindset with all the other demanding priorities in our lives, but performing online reconnaissance is usually trivial when things like LinkedIn, password breach disclosures, and your organization’s online footprint exist. Once an attacker uses previously disclosed breach data or tries a few common passwords (Spring2020, <CompanyName>1, Password123) against every user in your organization (aka password spraying), the threat starts to become more real. The fact of the matter is that an attacker only has to be right once, while you have to be right every time. Do you really trust that ALL your employees use sophisticated, hard-to-guess, unique, and lengthy passwords for every resource they authenticate to? More often than not, we find the answer to that question is no.
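The password-spraying pattern described above (a few common passwords tried once against every account, rather than many passwords against one account) is easy to miss in a per-account lockout policy but easy to spot in authentication logs. The following is an added example, not code from the original post: it scores a constructed, hypothetical VPN/mail login log (the `src=... user=... result=...` line format is invented for this example; adapt the regex to your own IdP or VPN logs) by counting, per source address, how many distinct accounts failed within a sliding time window, and then lists any account that still logged in successfully from a flagged source, since that account's password was likely guessed and should be reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, hypothetical log format for this example; real VPN/IdP logs differ.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one source tries six accounts once each (spray, one success),
# one source hammers a single account (brute force, not a spray), one normal user typo.
SAMPLE_LOG = """\
2020-04-01T08:00:01Z src=203.0.113.5 user=alice result=FAIL
2020-04-01T08:00:03Z src=203.0.113.5 user=bob result=FAIL
2020-04-01T08:00:05Z src=203.0.113.5 user=carol result=FAIL
2020-04-01T08:00:07Z src=203.0.113.5 user=dave result=FAIL
2020-04-01T08:00:09Z src=203.0.113.5 user=erin result=FAIL
2020-04-01T08:00:11Z src=203.0.113.5 user=frank result=OK
2020-04-01T08:00:13Z src=203.0.113.5 user=grace result=FAIL
2020-04-01T08:01:00Z src=198.51.100.7 user=bob result=FAIL
2020-04-01T08:01:05Z src=198.51.100.7 user=bob result=FAIL
2020-04-01T08:01:10Z src=198.51.100.7 user=bob result=FAIL
2020-04-01T08:01:15Z src=198.51.100.7 user=bob result=FAIL
2020-04-01T08:01:20Z src=198.51.100.7 user=bob result=FAIL
2020-04-01T08:01:25Z src=198.51.100.7 user=bob result=FAIL
2020-04-01T08:05:00Z src=192.0.2.10 user=alice result=FAIL
2020-04-01T08:05:20Z src=192.0.2.10 user=alice result=OK
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"].lower(),  # normalise case so Alice and alice count once
        "result": m["result"],
    }


def max_distinct_users(events, window):
    """Largest number of distinct accounts that failed from one source within any span of `window`."""
    events = sorted(events, key=lambda e: e["ts"])
    counts = defaultdict(int)  # user -> failures currently inside the window
    best, start = 0, 0
    for end, ev in enumerate(events):
        counts[ev["user"]] += 1
        # Slide the window start forward until it fits inside `window`.
        while ev["ts"] - events[start]["ts"] > window:
            old = events[start]["user"]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def detect_password_spray(lines, window=timedelta(minutes=10), min_users=5):
    """Return {source: distinct_failed_accounts} for sources that look like a spray.

    A brute force against one account yields one distinct user and is not flagged here;
    a spray yields many distinct users with few failures each.
    """
    failures_by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "FAIL":
            failures_by_src[ev["src"]].append(ev)
    return {
        src: n
        for src, evs in failures_by_src.items()
        if (n := max_distinct_users(evs, window)) >= min_users
    }


def successes_from_flagged_sources(lines, **kwargs):
    """Accounts that authenticated successfully from a flagged source: likely guessed passwords."""
    flagged = detect_password_spray(lines, **kwargs)
    hits = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "OK" and ev["src"] in flagged:
            if ev["user"] not in hits[ev["src"]]:
                hits[ev["src"]].append(ev["user"])
    return dict(hits)


if __name__ == "__main__":
    print("spraying sources:", detect_password_spray(SAMPLE_LOG))
    print("accounts to reset:", successes_from_flagged_sources(SAMPLE_LOG))
```

Two caveats worth keeping in mind: a patient attacker spreads attempts across many source addresses and over hours, so the per-source threshold here is a baseline, and a tenant-wide count of distinct accounts failing (regardless of source) catches the distributed case; and a success from a flagged source is exactly the event MFA exists to stop, which is why the successful-login list matters more than the failure count.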
An MFA solution takes some of the burden off the user: beyond what they know, they only need to have or be something they likely already possess. It drastically increases your business’s security posture by eliminating or reducing exposure to some popular attack methods.
What are the disadvantages of MFA?
There are no “silver bullets” or all-encompassing solutions that will reduce all your risk to zero, so the following disadvantages should be noted:
- Usability – As with all things security, there’s a tightrope walk between usability and protection. A forgetful employee could leave their phone or security token at home, and employees may get frustrated at having to authenticate multiple times.
- Not a foolproof solution – Yes, MFA can be circumvented in some instances, and this has happened in the wild. These occurrences are rare and are typically the result of a poorly implemented MFA solution or an easily circumvented “fallback” option such as email or SMS.
- Can be costly – MFA doesn’t have to put you in the red, but depending on your selection it could be a costly solution.
What’s the best MFA solution for my small business?
Each organization is different in how it operates, what it is trying to protect, how many users it has, and what resources are available to it, so there is no umbrella answer pointing at a specific vendor. Instead, focus on a few key criteria when finding the right solution for your small business:
- Usability – Figure out what type of information or tool is suitable for your users. Each employee needs the method readily available, such as a cell phone or security token; if your type of business restricts these in certain areas, that may become an issue.
- Future planning, or what we often refer to as scalability – You may choose to protect your VPN or email with MFA first and slowly roll it out to additional applications. Make sure that what you choose will integrate easily with every authentication portal you expect to have in the foreseeable future.
- Cost – Last, and certainly not least, there are solutions that may cost more than your small business brings in, so pick one you can afford. Luckily there are multiple tiers of solutions from a cost perspective: costly (ex. RSA tokens), moderately priced (YubiKey/Duo), or even free (Google Authenticator, Authy, LastPass Authenticator, Microsoft Authenticator).
Conclusion
Even after taking in the above criteria it can be difficult to ensure you’re using the right solution. In our experience the expensive solutions are used by large businesses rather than small ones. Moderately priced options are typically easier to roll out and usually support more devices. Free ones are in many cases restricted to certain device types or portal applications, which can be limiting, but they have proven satisfactory for many business use cases. If you