We’ve just published a new white paper on identity security with a particular focus on strengthening MFA – you can get a copy from our portfolio (registration required, FYI). Getting this research done and across the line has been a dream for a long time. Well, about a year in its direct planning, but that builds on a research interest that spans more than half a decade.
MFA is a critical security defense. We encourage everyone to use it, and to use the strongest versions of it that they can, as often as they can, in as many places as they can. There are multiple “however” statements about MFA, though, such as “not all forms of MFA are created equal” and “MFA bypass has become a thing.” Here’s a paragraph on MFA from one of our reports in March 2021:
MFA was rated as the most effective mitigation against both phishing and ransomware in our research. Without MFA protections in place, phishing attacks that result in credential compromise hand a threat actor the key to the door. It is an open invitation to walk in, take whatever they want, and stay or leave at their whim. MFA increases the difficulty level in successfully leveraging compromised credentials, because a compromised username and password are no longer enough on their own. It is similar to having an alarm system just inside the door, a guard dog patrolling the premises, or a security guard performing additional checks on whomever walks in the door. In the same way that there are options for how physical premises are safeguarded beyond a lock, there are options for MFA too …
The report then talks about phone and email-based MFA, authenticator apps, and hardware security keys and biometrics – commenting on strengths and weaknesses of the respective approaches.
Almost a year earlier we’d said this in our report on Cybersecurity in Financial Services (April 2020):
Approaches for MFA are available on a good-better-best continuum, with good (SMS code, email notification) and better (Authenticator app) approaches still being vulnerable to carefully designed phishing attacks. At present, the best approach, which ideally would be provisioned for all employees who have access to sensitive data, is to use modern hardware security keys based on FIDO2/WebAuthn that use public-key cryptography.
There’s a very similar paragraph in our Cybersecurity in Government report (December 2019), too.
Net-net: this has been on our radar for a long time, and the purpose of the new research was to dive as deeply as possible into where organizations are at with MFA and identity security. The current research went through several design concepts before we found the right shape and format. More on that later.