MFA: Essential, but not enough on its own
IT teams often rely on multi-factor authentication (MFA) to authenticate users beyond just usernames and passwords. The added factor (something you know, have, are, or do) helps verify user identities and puts a hurdle in front of attackers. Threats are dynamic, real-time, and evolving. Advances in AI mean attackers are getting smarter and faster, and are finding ways to bypass widely adopted security measures. While many organizations apply MFA broadly and assume it is enough to protect identities across the business, MFA on its own does not secure an organization. Not every user poses the same risk. Not every application holds the same value. The question then becomes how to make MFA smarter, more adaptive, and better aligned to business risks and needs.
Key risks of a “one-size-fits-all” MFA policy
Applying a uniform MFA policy is simple to manage, but can introduce some key risks.
- Overburdening low-risk users: this causes friction and a perceived loss of productivity and efficiency.
- Under-protection of high-value assets: for applications that hold sensitive information, such as financial systems or access to production environments, a single authentication challenge is unlikely to be enough to verify a user.
- Creating blind spots: A uniform authentication policy may authenticate a user, but may not be enough to deter attack attempts on critical assets.
MFA assumptions vs. reality
Assumption: A standard MFA policy is all you need
With only one policy assignment to update, there’s only one standard to manage and secure. However, this singular approach can lead to a false sense of security. As the saying goes, if you’re only using a hammer, then it’s easy to treat every problem like a nail. And that leads to inflexible policies where not every action requires the same amount of scrutiny as others.
Not every action requires multiple authentication methods, while high-value targets may warrant several authentication challenges to confirm user identities.
Maybe an employee needs access to sensitive financial resources only for limited periods of time. Perhaps a third party would like to collaborate but wants to log in with their existing Entra ID credentials rather than wait for the partner organization to provision a new account for them.
Modern defenses need to be similarly flexible, layered, adaptive and able to limit fallout in case MFA is breached. And if an organization assumes that standardized MFA is sufficient, critical risks of over-burdening users, or lacking protection for high value applications can arise.
Assumption: All MFA factors are perceived to be equal
There may be multiple authentication factor options available to users, but that doesn’t mean each factor is created equal, or that each should be applied equally to authenticate user identities.
Threat actors now use methods such as device code phishing to obtain valid access tokens from legitimate users who completed MFA. Malware such as keystroke loggers can capture the OTP codes users type in. These attacks exploit factors that are tied to a device or a typed code in ways that stronger identity-bound approaches, such as biometrics, don’t allow.
Alongside emerging MFA-resistant attacks, human behavioral risks and internal risk tolerance also have an influence. Shadow IT is expected to grow. By 2027 ‘75% of employees will acquire, modify or create technology outside IT’s visibility.’ Users need tools to do their work without delays or frustrations, otherwise they may look toward unauthorized products and their associated cybersecurity risks.
It also calls for attention to login behaviors, from both human and non-human identities. That means analyzing the machines being used, the browsers making requests and the locations from which logins are attempted. A low-risk user on their usual device may not need to jump through the same hoops as a new user from an unrecognized IP address.
Then, when any actions appear anomalous or suspicious, or when they deviate too far from the established norm, further authentication requests and potential remediation can start. After all, MFA is essential to operations – but it comes with conditions attached.
Reality: MFA is vital
MFA is vital, but it only works when it’s part of an overall security posture. At enterprise level, this is how IT leaders can respond and maintain a hardened posture when there are thousands of seats to secure and protect.
Of course, the level of protection depends on organizational needs and user preferences.
Reality: Not all MFA is created equal
For authentication, it may be practical to issue office-based workers with hardware keys, whereas mobile workers may be better suited to biometrics for a more flexible login experience. Some environments are not suitable for phones, which rules out OTP or push notifications as a way to mitigate login risks. The same applies to user groups who aren’t confident with technology and would prefer a hardware key.
Organizations need to factor in these demands while managing the different requirements for authenticating and authorizing employees.
Authenticate, authorize: Who and what
Authorization overlaps with authentication, with identities verified and authenticated (the ‘who’ that can gain entry), and then the access to relevant resources for which they’ve been authorized (the ‘what’ that can be accessed).
JSON Web Tokens (JWT) can play a central role in limiting the attack surface by carrying digitally signed (and optionally encrypted) identity and permission claims between the resources that need them. With a relatively newer protocol such as OIDC, successful authentication results in a JWT being issued. The token is then presented in the header of authorization requests, and the claims it carries let users control how much information is passed on to each application.
For other application types, SAML can fulfill a similar role, particularly for larger or more traditional organizations such as government entities, although for API-centered architectures and mobile applications OIDC is usually the more suitable option.
When authentication and authorization involve partner ecosystems, a trusted identity provider can be added to increase MFA security. This is known as inbound federation or relying party trust; this OneLogin feature allows users to log in with a different identity provider, such as Google, Facebook or Entra ID.
Setting authentication policies and pre-emptive defense
Rather than adopting a rigid, business-wide strategy, organizations can set appropriate rules and policies for factors based on user groups. Any added user can automatically follow what’s been set for the group they’re joining, saving time on manual configurations.
Naturally, IT’s authentication needs will differ from those of other departments. Imagine DevOps want access to AWS. They need to log in to the corporate network, gain access via a VPN and authenticate to business-critical systems. An HR worker, by contrast, needs access to communication platforms such as Teams, where attending an online event may not call for the same level of authentication.
An enterprise’s many different components call for a similarly granular approach: one that triggers step-up authentication based on risk indicators and uses phishing-resistant factors. With passkeys and biometrics built on the WebAuthn framework, and with certificate-based desktop authentication, logins are tied to devices rather than to passwords or phone numbers.
Further hardening comes from applying identity security before anyone enters anything into the username and password fields. Leading approaches use real-time intelligence to identify high-risk traffic, known anonymizing proxies and botnet traffic. Device fingerprinting and behavioral risk scoring can also be used to decide whether a login attempt should be allowed at all. In some environments, pre-authentication policies let administrators block malicious, proxied traffic before it reaches the login page and before targeted users are ever prompted to validate their credentials.
Security leaders are increasingly prioritizing these stronger factors. Not just for privileged users, but across the broader workforce. That is when more advanced authentication becomes necessary.
Advanced authentication
Advanced authentication involves user verification methods that are less likely to be stolen, compromised or vulnerable to brute force attacks. A common example would be two or more authentication factors, along with adaptive authentication or passwordless authentication. For authorized users, there’s a more positive experience, without the need to remember or create different passwords for each application they use. In practice, this could involve:
- A user tries to log in via SSO, a desktop client or a web browser.
- The authentication system analyzes various parameters and risk levels relating to the request, such as device (usual or unrecognized), login time (within regular working hours or not) or network (trusted or unknown).
- Based on a system evaluation, users are prompted to complete authentication steps that reflect the perceived risk. A low-risk action can be completed with a low-friction method such as OTP. Login requests flagged as higher risk can trigger more advanced authentication factors such as biometrics or a security token.
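The group-based policies and the risk-driven step-up described above, written out as a small policy engine. This is an added illustration, not OneLogin code: the groups, applications, assurance levels and factor names are constructed, and a request is blocked before authentication when it arrives through a known anonymizing proxy.

```python
from dataclasses import dataclass

# Constructed policy model (hypothetical names, not OneLogin's configuration):
# assurance levels 1 = password + OTP/push, 2 = passkey or biometric,
# 3 = hardware key on a certificate-bound device.
BASELINE = {            # (user group, application) -> minimum level
    ("devops", "aws"): 3,
    ("finance", "erp"): 2,
    ("hr", "teams"): 1,
}
FACTOR_FOR_LEVEL = {1: "otp", 2: "passkey", 3: "hardware_key"}
WORKING_HOURS = range(8, 19)   # local time, constructed for the example

@dataclass
class LoginRequest:
    group: str
    app: str
    device_known: bool        # device fingerprint seen before for this user
    network_trusted: bool     # corporate network or VPN egress
    anonymizing_proxy: bool   # source IP flagged by real-time intelligence
    hour: int                 # local hour of the attempt, 0-23

def risk_signals(req: LoginRequest) -> list:
    """Each anomalous signal raises the required assurance level by one."""
    signals = []
    if not req.device_known:
        signals.append("unrecognized device")
    if not req.network_trusted:
        signals.append("unknown network")
    if req.hour not in WORKING_HOURS:
        signals.append("outside working hours")
    return signals

def decide(req: LoginRequest) -> tuple:
    """Return (action, reasons): 'block' or the factor the user must complete."""
    if req.anonymizing_proxy:
        # pre-authentication policy: drop the request before the login form is shown
        return "block", ["anonymizing proxy"]
    signals = risk_signals(req)
    level = BASELINE.get((req.group, req.app), 1)   # unknown pairs default to level 1
    level = min(3, level + len(signals))            # step up per risk indicator, capped at 3
    return FACTOR_FOR_LEVEL[level], signals
```

A low-risk HR login to Teams gets OTP, the same login from an unknown device and network is stepped up to a hardware key, and a DevOps login to AWS starts at the top level regardless of signals.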
The decisions and actions are driven by machine learning, which can execute actions at scale and at pace. But this doesn’t mean organizations are safe from a breach. If the worst happens and attackers gain access, the goal should be to limit lateral movement as much as possible.
After authentication, lateral movement restriction
Threat actors will find ways around MFA. Limiting movement is key to containing the potential impact and can be done using machine learning to ‘never trust, always verify’ user identities. The result is a reduced attack surface with requests verified continuously. Users benefit from more intuitive logins and are less likely to want to circumvent existing controls.
If there’s a breach, organizations need to have a containment strategy in place that can limit privilege escalation and the impact of account takeover (ATO). If one credential is compromised, that shouldn’t mean a malicious actor can gain full access and move laterally to other applications unrestricted. A multi-layered approach to MFA makes it possible to enforce the Principle of Least Privilege (PoLP) even for users who have been authenticated, but might require further access or validation.
IT leaders must weigh the different demands, balancing security with convenience. They need to develop varied approaches for authenticating and authorizing to factor in different privileges, access windows and individual users’ knowledge and capabilities.
These approaches should match the nature of always-on, cloud-based business and evolving attacker threats. That calls for a fresh look at session management, such as shortening session lifetimes so that attackers have less time to hijack a session and gain access. Re-authentication should be enforced where appropriate, for example for tasks that require elevated permissions, and visibility of logged-in user behavior should be maintained so that anomalies and possible malicious activity can be spotted.
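The JWT issued after OIDC authentication (discussed under “Authenticate, authorize”) and the short session lifetimes and re-authentication for elevated tasks described here, combined in one added example. This is illustration code, not OneLogin’s or any library’s implementation: the shared secret, issuer and audience are placeholders, HS256 stands in for the asymmetric signature a real identity provider would use, and the set of `amr` values treated as phishing-resistant is a constructed mapping of RFC 8176 method names.

```python
import base64, hashlib, hmac, json

# Constructed values; a real IdP signs with an asymmetric key (RS256/ES256) and publishes JWKS.
SECRET = b"constructed-shared-secret"
ISSUER, AUDIENCE = "https://idp.example", "finance-app"   # placeholder issuer and client id
STRONG_AMR = {"hwk", "fpt", "face"}   # RFC 8176 method refs treated here as phishing-resistant

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(sub: str, amr: list, auth_time: int, now: int, lifetime: int = 900) -> str:
    """Issue a short-lived (15 min) HS256 token; amr records which factors were used."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub, "iat": now,
              "exp": now + lifetime, "auth_time": auth_time, "amr": amr}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, now: int) -> dict:
    """Relying-party checks: pinned alg, signature, issuer, audience, expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    if json.loads(_unb64url(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # never let the token choose its own algorithm
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if now >= claims["exp"]:
        raise ValueError("expired")
    return claims

def authorize(token: str, now: int, elevated: bool, max_age: int = 300) -> str:
    """Elevated tasks need a recent, phishing-resistant login; otherwise ask for re-auth/step-up."""
    claims = verify_token(token, now)
    if elevated and now - claims["auth_time"] > max_age:
        return "reauthenticate"   # session still valid, but the proof of identity is stale
    if elevated and not STRONG_AMR & set(claims["amr"]):
        return "step-up"          # authenticated, but not strongly enough for this action
    return "allow"
```

An ordinary request with a fresh OTP-backed token is allowed, the same token is refused step-up for an elevated task, and a hardware-key-backed token older than `max_age` is sent back for re-authentication even though its session has not expired.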
MFA enforcement plays an essential role. But it’s equally important that MFA be part of a smart, adaptive defense. This way, any potential breach can be contained, lateral movement can be reduced and impact from MFA bypasses can be minimized.