At a security presentation from Cisco I attended recently, one of the speakers (by all accounts a Jedi) made the comment: “if you are not using MFA you are crazy!”
So what is MFA?
At its most basic, the premise is “something you know, something you own and something you are”. Sometimes called two-factor authentication, it adds a second level of authentication to an account log-in. When you enter only your username and one password, that is single-factor authentication.
It’s 2019, and the idea that “passphrases will save us” is a distraction: you should be using more than one of the following methods to authenticate:
- Something you know, such as a personal identification number (PIN), password or a pattern.
- Something you have, such as an ATM card, phone, or fob (such as a YubiKey).
- Something you are, such as a biometric like a fingerprint or voice print.
Because here’s the thing: when it comes to composition and length, your password probably doesn’t matter.
Here are some ways passwords are broken today:
Credential stuffing is one of the most common methods because passwords are hard to remember (62% of users admit to reuse). The tooling is out there at a surprisingly low cost: attackers buy credential lists gathered from breached sites with poor data-at-rest policies and test them for matches on other systems. List-cleaning tools are readily available too.
Phishing and man-in-the-middle attacks make up 0.5% of all inbound email. How does this play out? Let’s say you received an email that appeared to be from your bank, asking you to log in to your account to confirm your contact information. You click on a link in the email and are taken to what appears to be your bank’s website, where you log in and perform the requested task.
In such a scenario, the man in the middle (MITM) sent you the email, making it appear to be legitimate. (This attack also involves phishing: getting you to click on the email appearing to come from your bank.) He also created a website that looks just like your bank’s website, so you wouldn’t hesitate to enter your login credentials after clicking the link in the email. But when you do that, you’re not logging into your bank account; you’re handing over your credentials to the attacker.
Keystroke logging, password spraying and brute force are lower on the spectrum, but if you are not treating the security of your data and IT systems as a priority, it’s easy to see how hackers can make a good living.
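Two of the attack patterns above, password spraying and brute force, leave a recognisable shape in authentication logs: spraying is one source trying a small number of guesses against many accounts, while brute force is many failed guesses against one account. The script below is an added example (not part of the original post and not Cisco or Microsoft tooling) that parses a constructed batch of log lines in an assumed “result=… user=… src=…” format and flags both patterns, plus any account that a spraying source eventually logged into successfully, which is the account you would want to review first.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed key=value format; not from any real system.
# One source sprays one guess each at five accounts and then succeeds against a sixth;
# a second source hammers the "admin" account ten times; a normal login is mixed in.
SAMPLE_LOG_LINES = [
    "2019-10-01T08:00:01Z auth result=fail user=alice src=203.0.113.7",
    "2019-10-01T08:00:02Z auth result=fail user=bob src=203.0.113.7",
    "2019-10-01T08:00:03Z auth result=fail user=carol src=203.0.113.7",
    "2019-10-01T08:00:04Z auth result=fail user=dave src=203.0.113.7",
    "2019-10-01T08:00:05Z auth result=fail user=erin src=203.0.113.7",
    "2019-10-01T08:00:06Z auth result=ok user=frank src=203.0.113.7",
    "2019-10-01T08:01:00Z auth result=ok user=alice src=192.0.2.10",
] + [
    f"2019-10-01T08:02:{i:02d}Z auth result=fail user=admin src=198.51.100.9"
    for i in range(10)
]
SAMPLE_LOG = "\n".join(SAMPLE_LOG_LINES)

LINE_RE = re.compile(r"result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)")


def parse(log_text):
    """Turn raw log text into a list of {'result', 'user', 'src'} dicts, skipping unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def analyse(events, spray_min_users=5, spray_max_per_user=2, brute_min_failures=10):
    """Return a sorted list of findings.

    Thresholds are assumptions for the sample data; tune them to your own volume.
      password_spray: one src failing against >= spray_min_users accounts,
                      with at most spray_max_per_user failures per account.
      brute_force:    one account with >= brute_min_failures failures overall.
      spray_success:  an account that a spraying src logged into successfully.
    """
    failures_by_src = defaultdict(lambda: defaultdict(int))  # src -> user -> failures
    successes_by_src = defaultdict(set)                       # src -> users logged in
    failures_by_user = defaultdict(int)                       # user -> total failures

    for e in events:
        if e["result"] == "fail":
            failures_by_src[e["src"]][e["user"]] += 1
            failures_by_user[e["user"]] += 1
        elif e["result"] == "ok":
            successes_by_src[e["src"]].add(e["user"])

    findings = []
    for src, per_user in failures_by_src.items():
        is_spray = (len(per_user) >= spray_min_users
                    and max(per_user.values()) <= spray_max_per_user)
        if is_spray:
            findings.append(("password_spray", src, len(per_user)))
            # A success from a spraying source is the account most likely compromised.
            for user in sorted(successes_by_src.get(src, ())):
                findings.append(("spray_success", src, user))
    for user, n in failures_by_user.items():
        if n >= brute_min_failures:
            findings.append(("brute_force", user, n))
    return sorted(findings)


if __name__ == "__main__":
    for finding in analyse(parse(SAMPLE_LOG)):
        print(finding)
```

Credential stuffing is deliberately not in the rule set: a stuffed list of valid username/password pairs often produces a first-try success per account, so it looks like normal traffic unless you also correlate source reputation or impossible-travel data, which is exactly the gap a second factor closes.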
What can I do?
Organizations can help by implementing stringent password policies with Single Sign-On (SSO), which removes the problem of users having to remember more than one set of credentials, or you could just enable MFA. Ultimately, passwords can be hacked, and at that point MFA is your safeguard.
Given the likelihood that your password gets guessed, intercepted, phished or re-used, your password doesn’t matter, but MFA does! Based on Microsoft studies, your account is more than 99.9% less likely to be compromised if you use MFA. In fact, Microsoft is announcing the public preview of FIDO2 security key support for passwordless sign-in to Azure Active Directory (Azure AD).
Here at Dream Technology Solutions we have the experience and expertise to ensure you are working to best practices when it comes to the security of your people and IT systems. Drop us a line if you are interested in exploring how we can help you to secure your business.