{"id":43413,"date":"2020-08-19T14:30:55","date_gmt":"2020-08-19T10:30:55","guid":{"rendered":"https:\/\/www.msp360.com\/resources\/?p=43413"},"modified":"2020-12-21T15:49:31","modified_gmt":"2020-12-21T11:49:31","slug":"mfa-for-msps","status":"publish","type":"post","link":"https:\/\/www.msp360.com\/resources\/blog\/mfa-for-msps\/","title":{"rendered":"Multi-Factor Authentication (MFA) as a Must-Have for MSPs"},"content":{"rendered":"<p>When a tech giant like Microsoft says a simple tool can prevent <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/08\/20\/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks\/\" target=\"_blank\" rel=\"noopener noreferrer\">99.9% of attacks<\/a>, that should be enough to grab your attention. Multi-factor authentication (MFA) is not a catchall security tool but it can certainly be your first line of defense against sensitive data breaches. Here\u2019s everything you need to know about making the most of any MFA system.<!--more--><\/p>\n<h2>How MFA works<\/h2>\n<p>As the name suggests, a multi-factor authentication mechanism identifies users based on multiple pieces of evidence. Any combination of the following factors constitutes a successful implementation of an MFA system.<\/p>\n<ul>\n<li>Knowledge\u2014something that the user knows\u2014a PIN or a passphrase<\/li>\n<li>Possession\u2014something that the user has\u2014a smart key or an OTP (one-time-password)<\/li>\n<li>Inherence\u2014something that the user is\u2014biometric IDs<\/li>\n<\/ul>\n<p>If only two factors are utilized, the mechanism is referred to as \u201c2FA\u201d. 
Not to be confused with 2-step verification, a 2FA system is a simple implementation of MFA.<\/p>\n<p><span class=\"further-reading \">Further reading<\/span> <a href=\"https:\/\/www.msp360.com\/resources\/blog\/two-factor-authentication-solutions\/\">Two-Factor Authentication: Solutions, Methods, Best Practices<\/a><\/p>\n<p>An ideal multi-factor authentication system must use independent factors. For example, the password used to access a computer (knowledge) should not be the same as the password used to retrieve an OTP from a mobile device (possession). MFA systems can be further strengthened by embedding geolocation and device signatures in the authentication layer.<\/p>\n<h2>MFA System Adoption Rate<\/h2>\n<p>Recent data breaches have forced many companies to take a more holistic approach to securing their assets. While network and data security continue to be a priority, adopting an MFA system ties up any loose ends left behind.<\/p>\n<p>A <a href=\"https:\/\/www.lastpass.com\/state-of-the-password\/global-password-security-report-2019\">LastPass survey<\/a> concluded that 57% of enterprise clients around the world implement MFA. Last year alone recorded a growth of over 12%. The COVID-19 pandemic has only added to this trend by bringing remote work to the mainstream. These are the key contributors to the increased MFA system adoption rate:<\/p>\n<ul>\n<li>The popularity of biometrics: With the array of biometric identification technology available today, there\u2019s hardly anyone left out. The dramatic improvement in the imaging capability of consumer electronics and robust blockchain implementation of scanned images have taken biometrics to a whole new level.<\/li>\n<li>Availability of authentication apps: The better integration and built-in security of authentication apps have improved the adoption of MFA. 
These apps boost consumer confidence with a multi-platform presence and hassle-free recovery options.<\/li>\n<\/ul>\n<h2>How Hackers Get Past an MFA System<\/h2>\n<p>Like any other security measure, MFA is not foolproof. Since an MFA system is nothing but a combination of single-authentication methods, an attacker can target its individual elements. Other attack vectors could involve behavioral factors or a faulty technical implementation. Here are some common scenarios:<\/p>\n<ul>\n<li>Brute-force attacks: When attackers try out common passwords with random user IDs, they might get lucky a couple of times. This is particularly an issue with MFA systems. For instance, some MFA systems only slow down repeated login attempts instead of locking them out. A single-authentication system responds better to this threat by limiting failed attempts.<br \/>\n<span class=\"further-reading \">Further reading<\/span> <a href=\"https:\/\/www.msp360.com\/resources\/blog\/password-management\/\">Password Management Best Practices for MSPs<\/a><\/li>\n<li>Biometrics theft: Being sensitive, biometrics are handled carefully across the board. However, a normal use case may ultimately employ them on multiple machines over the cloud. This exposes vulnerable biometric data to attackers, who might be able to recreate it even if they can\u2019t get their hands on the original. Once they have a copy of the user\u2019s biometrics, an MFA system breach becomes a piece of cake.<\/li>\n<li>Intercepting cookies: Cookies hold important user data in the browser for a streamlined user experience. This includes sensitive data like multi-factor authentication credentials. An attacker can use any number of side-channel attacks to obtain this data and gain access to sensitive accounts. 
Because of many unpatched and even zero-day vulnerabilities out in the wild, an unsuspecting user may not even know about the breach.<\/li>\n<li>Local access: If local admin access is compromised, all the data on a user\u2019s system is exposed. This can include biometrics or other data that may lead to a breach of the MFA system. Even if strong encryption prevents data theft, local access can expose other insightful information about the user. This can help attackers make more informed guesses on other attack surfaces.<\/li>\n<li>SIM cloning: Wireless providers are increasingly abandoning physical SIM cards by adopting virtual SIMs. Digital copies open the door to the mass cloning of SIM data, enabling attackers to intercept a victim\u2019s communications. This means they have seamless access to MFA tokens. Being the most popular possession factor in any MFA system, SMS OTPs expose a large number of users to this vulnerability.<\/li>\n<li>Recovery attack: While most MFA systems are very secure, they are forgiving when it comes to recovery. This ensures that users have access to the most sensitive data in situations of urgency. Attackers know this full well and prey on vulnerable users. They impersonate a forgetful user and try to gain access to their accounts with wild guesses. MFA systems utilizing security questions for recovery are particularly vulnerable. For example, a determined hacker can easily guess the model of a user\u2019s first car!<\/li>\n<li><a href=\"https:\/\/www.msp360.com\/resources\/blog\/social-engineering-prevention\/\">Social engineering<\/a>: When everything else fails, an attacker can turn to social engineering to exploit innocent users. A social engineering attack can take many forms. It can be as simple as a phishing email or a more elaborate scheme in which users are actively targeted with personalized bait. 
No MFA vendor can fully address this vulnerability, as this scheme relies heavily on behavioral factors.<\/li>\n<\/ul>\n<h2>MFA System Attacks Prevention<\/h2>\n<p>Even with many loose ends, MFA is preferable to any single-authentication system. Below are some actionable steps to prevent MFA system attacks:<\/p>\n<h3><strong>Choose the Right MFA Vendor<\/strong><\/h3>\n<p id=\"last\">Choosing the right vendor is as important as implementing the MFA system itself. 
While most vendors tend to prioritize security, some give more weight to user experience and reporting. Attackers are actively looking for any weak points they can find, and vendors are no exception. You must pick your MFA vendor diligently and make sure they:<\/p>\n<ul>\n<li>Use mutual SSL authentication<\/li>\n<li>Implement a lockout policy for unauthorized login attempts<\/li>\n<li>Follow development best practices such as a secure SDLC<\/li>\n<li>Address social engineering attacks<\/li>\n<li>Utilize passive contextual authentication, such as geolocation<\/li>\n<\/ul>\n<p><span class=\"further-reading \">Further reading<\/span> <a href=\"https:\/\/www.msp360.com\/resources\/blog\/the-msps-guide-to-vetting-cybersecurity-vendors\/\" rel=\"bookmark\">Guide To Vetting Cybersecurity Vendors<\/a><\/p>\n<h3>Have a Trusted-Link Policy<\/h3>\n<p>Regardless of the entry point, a malicious link can challenge any MFA system. Major software and hardware vendors struggle to stop side-channel and RCE attacks initiated by just a simple link. 
A trusted-link policy alone can eliminate many attack vectors. Such a policy may include:<\/p>\n<ul>\n<li>Only clicking links from verified senders<\/li>\n<li>Disabling links in email by default<\/li>\n<li>Scanning links for security before clicking them<\/li>\n<\/ul>\n<h3>Make Education Center Stage<\/h3>\n<p>To reap all the rewards of MFA, you must stay on top of education, both as an administrator and as an end user. Adapting to the changing security environment is the only way to stay secure. The inclusion of periodic hacking awareness in all end-user training sessions is a must.<\/p>\n<p><span class=\"further-reading \">Further reading<\/span> <a href=\"https:\/\/www.msp360.com\/resources\/blog\/end-user-training-guide-for-msps\/\" rel=\"bookmark\">Guide to End-User Training<\/a><\/p>\n<h3>Monitor Security Hygiene<\/h3>\n<p>No MFA system is secure if any of the involved factors are exposed to vulnerabilities. Users must practice security hygiene at all times. For example, users must:<\/p>\n<ul>\n<li>Prefer local OTP generation over SMS OTPs<\/li>\n<li>Use out-of-band authentication whenever possible<\/li>\n<li>Avoid password sharing, recycling, and replay<\/li>\n<li>Pick unique password combinations<\/li>\n<li>Avoid generic answers to recovery questions<\/li>\n<li>Avoid suspicious sites and recognize spammy behavior<\/li>\n<li>Avoid public and unsecured network connections whenever possible<\/li>\n<\/ul>\n<h2>Conclusion<\/h2>\n<p>While MFA is not unhackable, it continues to provide unmatched protection. MFA attacks are rare and mostly target soft attack surfaces\u2014phishing, social engineering, and the like. These vulnerabilities can easily be addressed through education and general security hygiene. 
Combined with other measures, the MFA system can prove to be a strong and effective security tool.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When a tech giant like Microsoft says a simple tool can prevent 99.9% of attacks, that should be enough to grab your attention. Multi-factor authentication (MFA) is not a catchall security tool but it can certainly be your first line of defense against sensitive data breaches. Here\u2019s everything you need to know about making the [&hellip;]<\/p>\n","protected":false},"author":59,"featured_media":43419,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[877,884],"tags":[],"class_list":["post-43413","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-articles","category-msp-business-articles"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/43413","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/users\/59"}],"replies":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/comments?post=43413"}],"version-history":[{"count":0,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/43413\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/media\/43419"}],"wp:attachment":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/media?parent=43413"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/categories?post=43413"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.msp360.
com\/resources\/wp-json\/wp\/v2\/tags?post=43413"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}