Most users probably access your organization's internal resources and systems with passwords. However, passwords are no longer enough. A staggering 81% of breaches are caused by weak, reused, or stolen passwords, underscoring the ease with which compromised credentials can lead to significant data breaches. Additionally, over 80% of basic web application attacks stem from stolen credentials, highlighting the direct link between password security and application vulnerabilities. Enterprises must enhance their access processes by implementing Multi-Factor Authentication (MFA) to safeguard their sensitive data and protect against security threats. Getting users' passwords isn’t really that hard anymore. In fact, bad actors employ advanced technology that allows them to snowshoe (test billions of password combinations per second), rendering 90% of user-generated passwords susceptible to attacks. MFA significantly enhances security by requiring a second piece of information to verify a user’s identity. The additional 20 seconds a user spends receiving a code via SMS provides a level of protection that a password alone cannot offer. And exacerbating the issue, enterprise users frequently reuse credentials and share them with colleagues to avoid the hassle of creating new accounts, exposing and creating incremental vulnerabilities that threat actors exploit.The Role of MFA in Enterprise Security
Why MFA Matters
Given the velocity and increased sophistication of cybersecurity attacks, it's clear that passwords simply don’t provide the security needed to safeguard valuable enterprise assets. Statistics paint a vivid picture both of the prevalence of attacks due to stolen or compromised credentials and the repercussions that ensue:
- 81% of breaches are caused by weak, reused, or stolen passwords. This highlights how easily compromised credentials can lead to significant data breaches (Verizon).
- Breaches involving stolen or compromised credentials take an average of 88 days to resolve, significantly longer than other types of breaches, which adds to the overall cost and impact (Varonis AI).
- 57% of organizations report daily or weekly phishing attempts, making phishing the leading method for initial breaches. This statistic illustrates the persistent threat posed by social engineering attacks targeting passwords (Varonis AI).
- 38% of Americans have had at least one password compromised, indicating a widespread vulnerability among users (The Tech Report).
- Over 80% of basic web application attacks are the result of stolen credentials, showing the direct link between password security and application vulnerabilities (Norton Sec).
- 82% of data breaches involve data stored in the cloud (IBM, 2023).
By requiring an additional level of verification, such as a code sent to a mobile device or a biometric scan, MFA significantly enhances security by making it much more difficult for unauthorized individuals to gain access even if they have stolen passwords.
How MFA Addresses Different Attack Types
| Attack Type | How MFA Helps |
|---|---|
| Phishing attacks | Even if users are deceived and provide their username and password, the attacker still needs the second factor (e.g., a code sent to the user's phone or an authentication app) to gain access. This additional layer makes it significantly harder for attackers to complete the breach. |
| Password spraying | MFA requires not just a password but also another form of authentication. Even if the attacker successfully guesses a password, they would still need access to the user's second factor, such as a fingerprint, a code sent to a phone, or a hardware token. |
| Credential stuffing | If an attacker uses stolen credentials, they still need the second authentication factor. Without it, their attempts to log in will fail, effectively neutralizing the risk from these compromised credentials. |
| Brute force attacks | MFA requires a second authentication factor that is usually time-sensitive or dynamically generated. This means that even if the attacker manages to guess the password, they will still be unable to provide the required second factor, which changes frequently. |
| Man-in-the-Middle (MITM) attacks | Even if an attacker intercepts the username and password, they would need the second factor in real-time to gain access. MFA tokens are usually valid for a short period, making it extremely difficult for MITM attackers to capture and use them effectively. |
| Insider threats | MFA ensures that even if an insider knows the password, they also need the second authentication factor, which is often not accessible to them. This limits the risk of unauthorized access by insiders. |
| Account takeovers | MFA requires an additional form of verification beyond the password. If an attacker tries to take over an account, they will need the second factor, which significantly reduces the likelihood of a successful account takeover. |
| Replay attacks | MFA tokens are usually time-bound or session-specific. This means that even if an attacker captures an authentication token, it will likely be invalid by the time they try to reuse it, thwarting their efforts. |
The Top 5 Advantages of MFA
MFA provides enterprises with important advantages both to their security posture and infrastructure operations, including:
1. Enhanced Security
A security breach can result in substantial losses of data, resources, time, and money. In fact, In 2023, the average cost of a data breach hit a record high of $4.5 million, marking a 2.3% rise from the 2022 figure of $4.3 million. Looking at the long-term trend, there has been a 15.3% increase from the $3.9 million reported in 2020. MFA adds an extra layer of security to the login process, making it harder for attackers to impersonate legitimate users. By requiring multiple pieces of information to authenticate identity, MFA significantly reduces the chances of unauthorized access to accounts and systems.
2. Mitigate Organizational Risks
Passwords are often the weakest link in security, and breaches frequently occur due to compromised credentials. MFA helps prevent password-related attacks by requiring additional forms of identification, ensuring that even if an attacker obtains a user’s password, they still cannot gain access without the second authentication factor.
3. Reduce Phishing Attacks
MFA helps mitigate phishing attacks by requiring additional verification beyond just a password. With MFA, even if a password is compromised, the attacker still needs the second factor, reducing the effectiveness of phishing attempts.
4. Meet Compliance Mandates
Many industries – including healthcare, financial services, defense, law enforcement, governmental agencies – are mandated to adhere to regulations that mandate the use of MFA for accessing sensitive data. Implementing MFA helps organizations comply with these regulations, avoiding potential fines and legal issues while enhancing data protection. For example, financial services organizations are bound by the Gramm-Leach Bliley Safeguard Rule that requires them to implement MFA for both internal and external users who touch customer data.
5. Provides Real-Time Alerts
MFA systems can alert users of any attempts to access their account or system from unfamiliar devices or locations. This enables users to take immediate action, such as changing their passwords or locking their accounts, to prevent potential data breaches.
How MFA Works
MFA protects your applications and data against unauthorized access due to credential theft by verifying your users’ identities before they access your data. It works by requiring multiple factors to be confirmed before permitting access versus just an email and a password. Authentication factors can be something you know, like a password; something you have, like your device or a security key; something you are, like your personal fingerprint (biometrics); somewhere you are, like your location; and your level of access based on adaptive policies.
The following are the methods that MFA can authenticate a person based on these factors:
Something You Know
- Passwords: Users create a unique combination of letters, numbers, and symbols. The strength of a password is crucial as it should be difficult for others to guess.
- PINs (Personal Identification Numbers): Typically shorter and numerical, PINs are used for quick authentication, such as unlocking devices or accessing secure accounts.
- Security Questions: Users answer predetermined questions (e.g., "What is your mother's maiden name?") that are supposed to be known only to them. However, these can be less secure as the answers might be easily guessable or obtainable.
Something You Have
- Hardware Tokens: These are physical devices that generate a time-sensitive code. The user enters this code along with their password to gain access. Examples include RSA SecurID tokens.
- Smartphones: Modern MFA often utilizes smartphones to send authentication codes via SMS, generate codes through authenticator apps (like Google Authenticator), or receive push notifications for approval.
- Smart Cards: These cards store encrypted data and must be inserted into a reader to authenticate the user. They are commonly used in corporate environments.
- USB Tokens: Devices like YubiKey plug into the USB port of a computer and authenticate the user by generating a unique code or simply by being present.
Somewhere You Are
- IP Address Verification: Systems can check the user’s IP address to ensure they are logging in from an expected network location. If a login attempt is made from an unusual IP address, additional authentication may be required.
- GPS Location: Mobile devices with GPS capabilities can be used to verify the user’s location. For example, if a user typically logs in from New York and suddenly attempts to log in from another country, the system can flag this as suspicious.
- Wi-Fi and Network Locations: The network environment can also be used as an authentication factor. Known and trusted Wi-Fi networks can serve as an additional layer of verification.
- Proximity to Trusted Devices: Systems can use Bluetooth or other proximity-based technologies to determine if the user is near a trusted device, such as a smartphone or a specific computer.
Enhance Enterprise Security with StrongDM
StrongDM takes a unique approach to adding MFA everywhere it's needed across modern environments, even for resources that aren't typically covered by MFA. Read our blog on why enterprises should adopt MFA to learn more.
Book a demotoday to see how StrongDM can enhance your security and efficiency.
About the Author
John Martinez, DAM Evangelist, has had a long 30+ year career in systems engineering and architecture, but has spent the last 13+ years working on the Cloud, and specifically, Cloud Security. He's currently the DAM Evangelist at StrongDM, taking the message of Dynamic Access Management to the world. As a practitioner, he architected and created cloud automation, DevOps, and security and compliance solutions at Netflix and Adobe. He worked closely with customers at Evident.io, where he was telling the world about how cloud security should be done at conferences, meetups and customer sessions. Before coming to StrongDM, he lead an innovations and solutions team at Palo Alto Networks, working across many of the company's security products.
💙 this post?
Then get all that StrongDM goodness, right in your inbox.
