Conceptually, Multi-Factor Authentication can seem like the messiah we’ve all been waiting for. With Microsoft touting MFA’s ability to prevent 99.99% of cyber-attacks, surely, we have found our silver bullet – right? The golden ticket to security, right? Set up MFA and pat yourself on the back, because you need look no further into your security posture. Ladies and gentlemen, we have arrived at the golden age!
But if this is true, then why did a staggering 80% of data breaches in 2020 still involve brute force attacks and compromised credentials? Similarly, Verizon reported a massive 61% of data breaches in 2020 were a result of credential abuse. Would MFA have prevented all of these? Is the problem simply the lack of MFA enabled on privileged accounts?
Well, in many cases, the answer is yes. There is no question that MFA is a tremendous step in the right direction, and Managed IT Companies would be remiss not to prioritize its deployment across their customer domains. Google recently partnered with a team of university researchers to conduct a year-long study and found that MFA prevented 76% of targeted attacks. Unfortunately, too many have been slow to adopt MFA, and many of them are paying the price.
This may seem to make a strong case for MFA as the Holy Grail we’ve all been waiting for. However, it is becoming increasingly apparent that, even with MFA enabled, we must remain vigilant.
As recently as May 2021, hackers successfully exploited an MFA bug to steal the SMS authentication tokens and breach the accounts of at least 6,000 Coinbase customers. Similarly, in December, Varonis disclosed that it had identified an endpoint vulnerability in Box’s MFA policies, allowing hackers to effectively disable MFA and log in using stolen credentials. These are only two of numerous examples in the recent past where MFA failed to prevent a breach.
It seems as if new MFA vulnerabilities are being discovered daily. From session hijacking and unique identifier prediction to recovery code attacks and much more, there is an increasing array of new vectors for malicious actors to target and defeat MFA in order to gain access to critical data and systems. Overt released a very helpful article that articulates many of the most common MFA vulnerabilities being used, and in summary, defeating MFA is far more feasible than you might think, with a whopping 23 possible vectors defined.
What’s worse, the problem is dramatically compounded for Managed IT providers. Deploying and managing effective MFA policies across one domain set can be challenging enough, but in some cases, these IT providers are servicing hundreds of unique domains across an equal number of customers. And the problem of scale doesn’t stop there – in many cases, these MSPs are employing tens and even hundreds of technicians who need varying degrees of access across complex subsets of these customers and domains.
The unfortunate answer some MSPs have turned to is some variation of shared MFA. This may be as simple as a dedicated MFA device in the office, such as an iPad, kiosk, or single workstation, where shared credentials are authenticated in one central location. Others have leveraged a shared email domain that everyone has access to for authentication, or simply enable MFA on a password vault where shared credentials are “checked out” as if they were library books.
Sadly, in addition to being a dangerous and tedious practice, shared MFA constitutes a major violation of most industry-standard security frameworks, such as HIPAA, CIS, PCI, NIST and others. The primary issue at play here is the use of shared administrative accounts. Sharing a privileged account violates the entire premise of MFA: to authenticate the identity of the user attempting to log in.
What can be done? While MFA has gone a long way toward minimizing a broad array of threats for MSPs, it has far from eliminated them. In general, most will agree that there is no single security measure that fully encompasses everything needed to protect businesses and their customers. In the case of MFA for MSPs, one critical step is to ensure that each technician has a unique account on every domain they need to access, and that their credentials are frequently rotated.
Privileged account management tools like TechIDManager present the perfect and necessary complement to an MSP’s authentication policies for themselves and their clients. Not only will the effective management of privileged accounts ensure the basic premise of MFA is valid, but it will also mitigate tremendous risk in the event of an exploited MFA vulnerability by automatically rotating credentials and disabling accounts as necessary.
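The two problems described above, a shared privileged account used from several places and credentials that are never rotated, both leave a visible trace in sign-in records. The following audit is an added example written for this article, not code from the article or from TechIDManager; it assumes sign-in records with a domain, account name, source IP and timestamp, plus a last-password-change date per account, all constructed here as sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records: (domain, account, source IP, UTC timestamp).
# "admin-shared" models a shared admin account used by several technicians;
# "adm-jsmith" models a per-technician account used from one workstation.
SIGNINS = [
    ("customerA.local", "admin-shared", "10.0.1.5", "2021-06-01T09:00:00"),
    ("customerA.local", "admin-shared", "10.0.1.7", "2021-06-01T09:20:00"),
    ("customerA.local", "admin-shared", "10.0.1.9", "2021-06-01T09:45:00"),
    ("customerB.local", "adm-jsmith", "10.0.2.5", "2021-06-01T10:00:00"),
    ("customerB.local", "adm-jsmith", "10.0.2.5", "2021-06-01T11:00:00"),
]

# Constructed last-password-change dates per (domain, account).
PASSWORD_SET = {
    ("customerA.local", "admin-shared"): "2020-11-15",
    ("customerB.local", "adm-jsmith"): "2021-05-20",
}


def shared_account_suspects(signins, window=timedelta(hours=1), min_sources=2):
    """Return {(domain, account): [source IPs]} for accounts that signed in from
    at least min_sources distinct source IPs inside one sliding time window.
    A privileged account behaving this way is likely shared between people."""
    by_acct = defaultdict(list)
    for domain, acct, ip, ts in signins:
        by_acct[(domain, acct)].append((datetime.fromisoformat(ts), ip))
    suspects = {}
    for key, events in by_acct.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ips = {ip for t, ip in events[i:] if t - t0 <= window}
            if len(ips) >= min_sources:
                suspects[key] = sorted(ips)
                break
    return suspects


def stale_passwords(password_set, as_of, max_age_days=90):
    """Return (domain, account) keys whose password is older than max_age_days
    as of the given date, i.e. accounts overdue for rotation."""
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=max_age_days)
    return sorted(k for k, d in password_set.items()
                  if datetime.fromisoformat(d) < cutoff)


if __name__ == "__main__":
    print("shared-account suspects:", shared_account_suspects(SIGNINS))
    print("overdue for rotation:", stale_passwords(PASSWORD_SET, "2021-06-01"))
```

Tune the window and source threshold to how your technicians actually work; a single account seen from three workstations in under an hour is the pattern a shared MFA kiosk produces.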
Before an identity can truly be authenticated, it must first actually exist in all its uniqueness: unique person = unique identity = unique privileged account = unique password.