Why More Organizations Are Adopting MFA
Multifactor authentication is rapidly coming to be regarded as basic security hygiene in a world of zero-trust network architecture. The pandemic that jump-started the ongoing digital work revolution also prompted organizations to deploy MFA to secure those digital workspaces.
By 2021, about 62 percent of large organizations were using it, by one estimate. “At the same time, in 2022, we saw some of the most significant attacks ever on MFA systems,” Taku said. “So, why are these attacks on the rise?”
On some level, Taku said, MFA is a victim of the very trend it is meant to enable. He argued that the attack surface has widened considerably as people work remotely full- or part-time, often using their own devices.
“We’re protecting people everywhere,” he said. “Mobile has really changed the game, where it’s become imperative that we not only protect the assets of the company but to propel the business forward and make information readily available to our constituents. All these things are massively disrupting the way we used to do things before, and it’s creating all these ways for attackers to exploit chinks in the armor.”
The Russian-sponsored hackers who attacked an unnamed U.S. nongovernmental organization last year certainly found some vulnerabilities.
The episode began as a brute-force attack targeting the weak password of a former NGO employee. With no limits in place on the number of unsuccessful log-in attempts that would trigger an automatic lockdown of the account, and no one monitoring the “orphan account” of a former employee, the attackers eventually guessed correctly.
The hackers used the orphan account to enroll in the MFA system itself, with only a username and password required. This was another mistake, Taku said: Stronger authentication should have been required of anyone enrolling in the MFA program.
“Here we have a problem where you can have a strong credential but a weak process for issuing that credential,” he said. “That compromised password was the only thing required to enroll in MFA. From there, the hacker had access to everything.”
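The two control gaps the incident exposes, no lockout threshold on failed log-ins and MFA enrollment by a former employee's orphan account, can be checked for retrospectively in authentication logs. The script below is an added example, not part of the article or the advisory it draws on; the event format, account names, the orphan-account list and the failure threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events: (ISO timestamp, account, event).
# Events are "login_fail", "login_ok" and "mfa_enroll". Not real log data.
SAMPLE_EVENTS = [
    ("2022-03-01T02:00:00", "jdoe", "login_fail"),
    ("2022-03-01T02:00:05", "jdoe", "login_fail"),
    ("2022-03-01T02:00:11", "jdoe", "login_fail"),
    ("2022-03-01T02:00:16", "jdoe", "login_fail"),
    ("2022-03-01T02:00:22", "jdoe", "login_fail"),
    ("2022-03-01T02:00:27", "jdoe", "login_fail"),
    ("2022-03-01T02:00:33", "jdoe", "login_ok"),      # guess succeeded
    ("2022-03-01T02:01:10", "jdoe", "mfa_enroll"),    # self-enrollment with password only
    ("2022-03-01T08:15:00", "asmith", "login_fail"),
    ("2022-03-01T08:15:20", "asmith", "login_ok"),    # ordinary typo, not guessing
    ("2022-03-01T09:00:00", "bkim", "mfa_enroll"),    # current staff enrolling
]

# Accounts of departed staff that were never disabled (constructed assumption).
ORPHAN_ACCOUNTS = {"jdoe"}

FAIL_THRESHOLD = 5            # failures that a lockout policy should have stopped at
WINDOW = timedelta(minutes=10)

def parse(events):
    """Convert ISO timestamps to datetime so events can be ordered and compared."""
    return sorted((datetime.fromisoformat(ts), acct, ev) for ts, acct, ev in events)

def find_guessing_without_lockout(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Accounts where >= threshold failures inside `window` were followed by a
    success: password guessing that an account lockout would have interrupted."""
    fails = defaultdict(list)
    flagged = set()
    for ts, acct, ev in parse(events):
        if ev == "login_fail":
            fails[acct].append(ts)
        elif ev == "login_ok":
            recent = [t for t in fails[acct] if ts - t <= window]
            if len(recent) >= threshold:
                flagged.add(acct)
            fails[acct].clear()   # a success ends the current guessing run
    return flagged

def find_orphan_mfa_enrollment(events, orphans=ORPHAN_ACCOUNTS):
    """Accounts on the deprovisioned list that registered a new MFA factor."""
    return {acct for _, acct, ev in parse(events) if ev == "mfa_enroll" and acct in orphans}

if __name__ == "__main__":
    print("guessing without lockout:", find_guessing_without_lockout(SAMPLE_EVENTS))
    print("orphan MFA enrollment:", find_orphan_mfa_enrollment(SAMPLE_EVENTS))
```

Against the sample data both checks flag only jdoe; the same two questions (does a lockout threshold exist, and who may enroll) are what a defender would verify in the identity provider's policy rather than only in hindsight.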