Investigate most data breaches, and the analysis will likely uncover that compromised credentials were used at some point during the attack. Rather than rely heavily on malware or zero-days, today’s threat actors often look to compromise a user identity with the hope that it will provide them with access to sensitive systems and data.
Defense-in-depth requires that organizations take a layered approach to security. For forward-thinking enterprises, that approach starts with an emphasis on identity. In a perfect world, networks would be able to trust that a user or device attempting to access a resource or service is who and what they present themselves to be. With attackers targeting credentials, however, the threat of an attacker leveraging the trust assigned to legitimate systems, applications, and users is omnipresent.
By providing additional authentication challenges, multi-factor authentication (MFA) reduces the effectiveness of an attack relying simply on stolen credentials. A stolen password and user ID alone are no longer sufficient to grant the attacker access. Without the additional authentication mechanisms, the threat actor is stopped in their tracks. In effect, this allows multi-factor authentication (MFA) to raise the bar attackers have to clear to be successful.
Multi-factor authentication (MFA) schemes can take a number of forms. In corporate environments, they typically involve a combination of two or more of the following elements: a physical object the user must have, such as a key card; something the user must know, such as a password; the user’s biometric data; or the user’s geographic location. If the user or device fails to pass one of these checks, they are not authenticated on the network.
For privileged accounts, multi-factor authentication (MFA) offers a final check before access is permitted and can be triggered by the context of a request. If a user requests access to a resource they do not normally access at a time outside of normal working hours, for example, that may be considered suspicious and prompt an additional challenge. Best practice for privileged account multi-factor authentication (MFA) is for it to occur during three phases: when the user first logs in; when they attempt to access a high-value resource; and during a previously authenticated session, if they issue a command requiring administrator-level privilege.
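The three phases and the context trigger described above can be expressed as a small policy function. This is an added example, not code from any product. The working hours, the high-value resource names, the five-minute window that suppresses repeat contextual challenges, and all function and field names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional

# Assumed policy values for illustration; none come from the article.
WORK_START, WORK_END = time(8, 0), time(18, 0)
HIGH_VALUE = {"prod-db", "domain-controller"}
RECENT_MFA = timedelta(minutes=5)

@dataclass
class Session:
    user: str
    usual_resources: frozenset            # resources this user normally accesses
    last_mfa: Optional[datetime] = None   # time of the last passed challenge

def challenge_reasons(session, event, when, resource=None):
    """Return the reasons an MFA challenge is required (empty list = allow)."""
    if event == "login":
        return ["initial login"]                        # phase 1
    if event not in ("access", "admin_command"):
        raise ValueError(f"unknown event: {event}")
    reasons = []
    if event == "access" and resource in HIGH_VALUE:
        reasons.append("high-value resource")           # phase 2
    if event == "admin_command":
        reasons.append("administrator-level command")   # phase 3
    # Contextual signals are skipped if a challenge was passed very recently,
    # so one unusual session does not prompt on every single request.
    recent = (session.last_mfa is not None
              and timedelta(0) <= when - session.last_mfa <= RECENT_MFA)
    if not recent:
        if event == "access" and resource not in session.usual_resources:
            reasons.append("resource not normally accessed")
        if not (WORK_START <= when.time() < WORK_END):
            reasons.append("outside normal working hours")
    return reasons

def record_challenge_passed(session, when):
    """Call after the user completes a challenge successfully."""
    session.last_mfa = when

if __name__ == "__main__":
    s = Session("alice", frozenset({"wiki"}))           # constructed sample user
    print(challenge_reasons(s, "access", datetime(2024, 1, 10, 23, 30), "prod-db"))
```

The phase-based checks always fire, while the contextual checks are the part an organization would tune to its own baseline of normal behavior.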
The most mature enterprise security programs often utilize multi-factor authentication (MFA) everywhere. Instead of only leveraging the technology on a limited basis, organizations that use multi-factor authentication (MFA) everywhere enable the capability across their entire userbase. When attackers are able to penetrate a network, they typically look to move laterally to find sensitive data and deepen their compromise. By deploying multi-factor authentication (MFA) everywhere, organizations make it more difficult for threat actors to pivot to more critical systems and strengthen their foothold in their victim’s environment.