Required MFA is not sufficient for strong security: Report

Multi-factor authentication (MFA) is among the most useful measures companies can use against the rise in credential attacks, but attackers are adapting, as demonstrated in a variety of bypasses that allowed them to infiltrate networks — even those protected by MFA.

In an analysis of recent attacks, identity and access management firm CyberArk found at least four ways that attackers, including its own red teams, could circumvent MFA or at least greatly diminish its benefits. Attackers behind the SolarWinds Orion compromise, in a recent example, stole the private keys for single sign-on (SSO) infrastructure at many companies and then used those keys to bypass MFA checks.

Companies must model these threats and ensure their MFA infrastructure does not have the same weaknesses, says Shay Nahari, vice president of red team services at CyberArk.

“Over the last year, we have seen a spike in companies who have MFA as part of their security control — which is always good — but we have also seen some MFA-based attacks during post-breach activities on our clients,” he says. “They used it both for the initial access, and we saw attackers who got access in some other way, and then pivot to gain more sensitive access.”

Both businesses and consumers worried about the increase in account compromise have adopted MFA. In 2019, a bi-annual report tracking the adoption of two-factor authentication found 53% of respondents used it to secure important accounts, up from 28% in 2017. Another study, funded by Microsoft, found 85% of executives expected to have MFA implemented by the end of 2020.

The benefits are clear: Microsoft maintains that accounts with MFA are 99.9% less likely to be compromised.

To read the complete article, visit Dark Reading.