Is MFA the Vegetable of Cybersecurity?

Don’t fuss now — just another spoonful of multifactor authentication to keep the organization strong and the data safer.

DARKReading

Like it or not, vegetables are good for us. They reduce our risk of chronic diseases and deliver the vitamins our bodies need. And yet, the CDC reports that only 10% of American adults eat enough veggies — even though they likely know they should. Companies are the same when it comes to security.

There are 921 password attacks every second — almost double what we saw a year ago. Basic security hygiene like multifactor authentication (MFA) can protect against 98% of attacks, but 38% of large companies and 62% of small to midsize companies don’t do it. Enabling MFA adds another layer of protection to prevent threat actors from accessing internal networks. But if strengthening a company’s cybersecurity posture is as easy as enabling MFA, it raises the question: Why won’t companies eat their vegetables?

What’s Stopping Companies From Enabling MFA?

Although every enterprise is different, there are a few common trends when it comes to the reasons they don’t deploy MFA.

  • MFA costs too much: Security team resources are already limited, so adding another tool to their portfolio can be a tough sell. Luckily, some security providers offer MFA for free as part of their security defaults. Security defaults were created to make managing security a little easier. The goal is to ensure that all organizations have at least a basic level of security enabled at no extra cost.

  • They think their users will hate MFA: Users want to be productive wherever and whenever they are working without sacrificing their organization’s security. Conditional access is one modern approach to MFA. Instead of prompting a user for a second factor every time they authenticate, security programs can look at several different elements to determine if something has changed or is unusual about this user before prompting them. It looks at things like where the user is signing in from, whether their device is healthy, and if there’s any suspicious behavior — for example, if the user typically signs in from France and someone tries to sign in with their credentials from Seattle at the same time, something is definitely wrong.

    End users can also choose how they want to supply the second factor when they do get a prompt. No fancy equipment is required. Users can choose something as simple as an SMS message or phone call, though we recommend stronger authentication methods like an app or specific security key. They can even have multiple devices that use different methods for different environments and have backup devices in case they lose one or forget one at home.

MFA’s Too Hard to Deploy

Another reason enterprises give for not implementing MFA is that it’s too difficult to deploy. However, organizations can leverage conditional access policies to protect cloud implementations, as opposed to relying on a physical server or software.

We’ve recently added conditional access templates to make configuring the policies even easier. Security teams can quickly create a new policy from any of the 14 built-in templates. They help companies provide maximum protection for their users and devices and align with the most commonly used policies. These include things like “Require multifactor authentication for admin,” or “Require password change for high-risk users.” Cloud service providers often offer a list of recommended policies, and organizations can target conditional access policies to a specific set of users, apps or devices to easily deploy different policies at scale.

Ultimately, an enterprise must be able to protect its own operations, and its users, from ongoing cybersecurity threats. And enabling MFA is just one tool in a security team’s kit.
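The conditional access check described earlier (sign-in location, device health, and the France-then-Seattle case) can be sketched as a small decision function. This is an added example, not code from the article or from any vendor's product; the `SignIn` fields, the 900 km/h and 100 km thresholds, and the reason names are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass

MAX_KMH = 900.0        # assumed ceiling: roughly airliner cruising speed
FAMILIAR_KM = 100.0    # assumed radius around a known sign-in location

@dataclass
class SignIn:
    ts: float            # seconds since epoch
    lat: float
    lon: float
    device_healthy: bool

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    h = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def decide(current, previous, known_places):
    """Return ('allow' | 'mfa', reasons). 'allow' means no second-factor prompt."""
    reasons = []
    if previous is not None:
        dist = km_between(previous.lat, previous.lon, current.lat, current.lon)
        hours = abs(current.ts - previous.ts) / 3600.0
        # Simultaneous sign-ins (hours == 0) from distant places count too.
        if dist > FAMILIAR_KM and (hours == 0 or dist / hours > MAX_KMH):
            reasons.append("impossible_travel")
    if not current.device_healthy:
        reasons.append("unhealthy_device")
    if not any(km_between(current.lat, current.lon, lat, lon) <= FAMILIAR_KM
               for lat, lon in known_places):
        reasons.append("unfamiliar_location")
    return ("mfa" if reasons else "allow"), reasons

# Constructed sample data: a user who normally signs in from Paris.
PARIS, SEATTLE = (48.8566, 2.3522), (47.6062, -122.3321)
usual = SignIn(ts=0, lat=PARIS[0], lon=PARIS[1], device_healthy=True)
same_city = SignIn(ts=3600, lat=48.90, lon=2.30, device_healthy=True)
seattle_now = SignIn(ts=60, lat=SEATTLE[0], lon=SEATTLE[1], device_healthy=True)

if __name__ == "__main__":
    print(decide(same_city, usual, [PARIS]))    # familiar place, healthy device
    print(decide(seattle_now, usual, [PARIS]))  # France, then Seattle a minute later
```

A sign-in from the usual city on a healthy device passes without a prompt, while the Seattle attempt one minute after a Paris session is flagged for both impossible travel and an unfamiliar location.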
