Mandatory MFA Everywhere: The Benefits of Stronger Authentication for Cloud Environments

June 29, 2021

One of the biggest security threats today is the risk of compromised credentials and misuse of privileged accounts. Organizations of all sizes and verticals recognize the need to protect access to their applications, servers, and infrastructures. However, it is often hard to distinguish between a legitimate admin presenting a legitimate ID and password versus a threat actor using compromised credentials.

The threat no longer comes only from humans but also from bots and malware, which makes sound identity decisions harder. Many organizations struggle with how to make those decisions comprehensively across their distributed infrastructure.

As security professionals, our job is to put up barriers to reduce cyber risk exposure from external and internal threat actors. One of the most effective and easy-to-implement best practices is to enforce multi-factor authentication (MFA) everywhere, requiring additional validation steps for extra identity assurance.

MFA is an easily added layer of security for administrator access. By making it mandatory, we can automatically block many malicious sign-in attempts.

Regulated verticals such as financial services, healthcare, and e-commerce are under pressure from several regulations and standards bodies (PCI, HIPAA, PSD2, DFARS, NIST, and others) to implement MFA for privileged access. MFA is also an integral component of best practices such as Zero Trust and zero standing privileges.

According to Gartner, through 2021, enterprises that rapidly expand remote access without implementing MFA will experience five times as many [account takeover] incidents as those that use MFA.[1]

With a rising demand for cloud-based MFA solutions and services, it helps to gain deeper insights into how different forms of MFA can increase your cybersecurity maturity.

Adaptive and Behavioral MFA

With MFA, ThycoticCentrify Privileged Access Management (PAM) asks users to prove their identity by providing additional factors before access is granted or privileges are elevated.

MFA policies apply to three distinct situations:

  • During a login process, users log into the Centrify Vault Suite or Centrify-managed computers (directly or via a Vault Suite-initiated session).
  • Within Vault Suite, during vaulted password or SSH key check out or during vaulted secret retrieval.
  • During a step-up authentication process, users elevate privilege to run administrative commands on Linux or UNIX, privileged applications on Windows machines, or Web applications from the Vault Suite.

There's no doubt that MFA is a must-have extra layer of security and has proven to be a great success in securing privileged accounts and applications. However, how you do MFA makes a difference in finding the right balance between security and usability.

Are you following the traditional MFA approach, or stepping up to adaptive and behavioral MFA?

  • Traditional or legacy MFA solutions use static rules to define when MFA prompts occur and cannot adapt to the context of the request. The static approach forces everyone to follow the same rules under all circumstances and fails to measure risk accurately.
  • The next step is contextual MFA, where the context has to be defined explicitly, such as the location, device, or network you're logging in from. This method requires more maintenance and upkeep, and not every risky condition may have been considered.
  • A much more innovative and secure approach is behavioral MFA, which adapts to changes in user session behavior to block or grant access. ThycoticCentrify PAM also supports risk-based MFA that uses modern machine learning algorithms and behavioral analytics to examine a privileged user's behavior and identify "anomalous" or "non-normal" (and therefore risky) activities. Machine learning can scrutinize millions of events continuously, which would never be achievable by manual forensics. This analysis is fast, allowing ThycoticCentrify PAM to determine risk and react in real time.

Adaptive and behavioral controls not only notify of risky or rogue activity in real-time but are also able to actively respond to incidents by cutting off sessions, adding additional monitoring, or flagging for forensic follow-up.
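To make the difference between static, contextual and behavioral MFA concrete, here is an added illustrative policy engine (example code written for this article, not ThycoticCentrify's product or any of its APIs). It assumes a hypothetical static policy that maps the three privileged operations named above (login, checkout, elevate) to a minimum NIST assurance level, then raises that minimum or blocks the request when contextual signals (unknown device, unknown network, new geolocation) and one behavioral signal (login hour compared with the user's history) push a constructed risk score past two thresholds. The baselines, IP addresses, weights and thresholds are all made up for the example.

```python
"""Adaptive MFA decision logic (added example with a hypothetical policy API)."""
from dataclasses import dataclass
from statistics import mean, pstdev

# Static policy layer: the assurance level every request needs regardless of
# context. Levels follow NIST SP 800-63B: AAL2 = at least two factors,
# AAL3 = one of the factors is a hardware cryptographic authenticator.
STATIC_MINIMUM = {"login": "AAL2", "checkout": "AAL2", "elevate": "AAL3"}

STEP_UP_THRESHOLD = 50   # risk at or above this forces AAL3 plus session monitoring
DENY_THRESHOLD = 70      # risk at or above this blocks the request and flags it


@dataclass
class AccessRequest:
    user: str
    operation: str      # "login", "checkout" or "elevate"
    source_ip: str
    device_id: str
    hour: int           # local hour of day, 0-23
    new_geo: bool       # geolocation never seen for this user


@dataclass
class UserBaseline:
    known_devices: set
    known_networks: set   # /24 prefixes seen before, e.g. "10.1.2"
    login_hours: list     # hours of previous successful logins


def network_prefix(ip: str) -> str:
    """Reduce an IPv4 address to its /24 prefix for the network check."""
    return ".".join(ip.split(".")[:3])


def risk_score(req: AccessRequest, base: UserBaseline):
    """Score a request 0-100 from contextual signals (device, network, geo)
    and a behavioral signal (hour of day versus the user's own history)."""
    score, reasons = 0, []
    if req.device_id not in base.known_devices:
        score += 30
        reasons.append("unknown device")
    if network_prefix(req.source_ip) not in base.known_networks:
        score += 25
        reasons.append("unknown network")
    if req.new_geo:
        score += 25
        reasons.append("new geolocation")
    if len(base.login_hours) >= 5:          # need some history before judging
        sd = pstdev(base.login_hours) or 1.0
        z = abs(req.hour - mean(base.login_hours)) / sd
        # Hours are treated linearly here; a production baseline would use
        # circular statistics so that 23:00 and 01:00 are close.
        if z > 3.0:
            score += 20
            reasons.append(f"unusual hour (z={z:.1f})")
    return min(score, 100), reasons


def decide(req: AccessRequest, base: UserBaseline, adaptive: bool = True) -> dict:
    """Return the action, the assurance level the user must present, and why.
    With adaptive=False the engine behaves like a legacy static policy."""
    required = STATIC_MINIMUM[req.operation]
    if not adaptive:
        return {"action": "challenge", "assurance": required,
                "reasons": ["static rule"], "score": None}
    score, reasons = risk_score(req, base)
    if score >= DENY_THRESHOLD:
        # Matches the "cut off the session and flag for forensic follow-up" response.
        return {"action": "deny_and_flag", "assurance": None,
                "reasons": reasons, "score": score}
    if score >= STEP_UP_THRESHOLD:
        # Step up to a hardware factor and add monitoring for the rest of the session.
        return {"action": "challenge_and_monitor", "assurance": "AAL3",
                "reasons": reasons, "score": score}
    return {"action": "challenge", "assurance": required,
            "reasons": reasons or ["baseline behavior"], "score": score}


if __name__ == "__main__":
    # Constructed baseline: one known laptop, one office /24, office-hours logins.
    alice = UserBaseline({"laptop-01"}, {"10.1.2"}, [9, 9, 10, 8, 9, 10, 9, 8])
    for req in (
        AccessRequest("alice", "login", "10.1.2.44", "laptop-01", 9, False),
        AccessRequest("alice", "checkout", "203.0.113.9", "tablet-x", 9, False),
        AccessRequest("alice", "login", "203.0.113.9", "tablet-x", 3, True),
    ):
        print(req.operation, decide(alice, req) if False else decide(req, alice))
```

Note that the static policy alone still challenges every request (MFA is mandatory everywhere), while the adaptive layer changes what kind of challenge it is and whether the request is allowed to proceed at all; a 03:00 login from a new device, network and country is denied and flagged rather than simply prompted, which is the behavior the paragraph above describes.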

ThycoticCentrify supports a broad range of authenticators to provide flexibility to your IT staff, and supports MFA across the enterprise for access to AWS infrastructure, at password checkout, session initiation, server login, or when elevating privilege.

Mandatory MFA Everywhere

When you think of MFA, the first use case that pops up is admin access. MFA must be mandatory for IT admins or privileged users who have access to sensitive data and systems.

A best practice is MFA that supports National Institute of Standards and Technology (NIST) Authenticator Assurance Level 2 (AAL2, a minimum of two factors) and ideally Authenticator Assurance Level 3 (AAL3, where one of the factors is a hardware cryptographic device) for admin functions.

Besides applying MFA across the different privileged activities, organizations should also enable MFA across all sensitive resources like password vaults, firewalls, network devices, workstations, and servers that reside on-premises or in the cloud.

Many PAM vendors only support MFA at vault login. However, MFA at password/secret checkout, system login, or privilege elevation is far more secure, reducing the risk of privilege abuse.

Since MFA is so critical for risk mitigation, several of our clients requested an option to make MFA mandatory at Vault Suite login so that users can no longer forget to set up the required MFA settings.

In the latest release of the ThycoticCentrify Platform, you can now enforce this by policy. Users logging in to the Centrify Vault Suite for the first time are invited to configure second factors necessary to satisfy organizational MFA policies. This allows IT to build policies tailored to different users who don't have access to the same mechanisms. This is an example of ThycoticCentrify responding to critical requirements from a few of our clients that are beneficial to our broader customer community.

MFA is one of the most effective and easiest on-ramps for PAM, providing a lot of value with minimal effort. MFA also continues to evolve, offering peace of mind that critical administrative access points are well protected.

By adopting an approach where MFA is used everywhere possible, organizations can establish a reliable deterrent and ultimately minimize the risk of lateral movement of threat actors across their networks.

[1] Gartner, “Enhance Remote Access Security with Multifactor Authentication and Access Management,” Ant Allan, Michael Kelley, Rob Smith, 06 May 2020.

This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.