Even though Multi-factor Authentication has been part of the data security landscape for about 20 years now, it’s more essential than ever. This is because password-only authentication is weaker than ever. By requiring an extra authentication factor during login, security teams can:
- Eliminate reliance on passwords
- Minimize data breaches
- Meet compliance/regulatory requirements
Conversely, failure to deploy MFA can lead to:
- Data breaches
- Failed audits
- Compliance fines
Any security expert worth their salt would agree that MFA is a worthwhile investment for keeping data secure. But multi-factor authentication based on static rules is no longer enough. Here’s why:
The trouble with Static MFA
Although static-rules MFA is certainly better than no MFA at all, it still has its vulnerabilities. Phishing, for example, is one of the most common ways that hackers attack organizations. In fact, over 90% of breaches in the 2017 Verizon Data Breach Investigations Report (DBIR) involve some sort of phishing.
As you know, “phishing” is when a malicious party uses a fraudulent email to try to entice the recipient to click a link or attachment, which typically installs malware or captures credentials. Static MFA can’t always protect against phishing threats because static rules often involve IP whitelisting. In these cases, all company IP addresses are trusted by default, and MFA is not required for login. The thinking goes, if a login attempt is coming from within company premises, it must not be high risk.
But consider a case where a phishing email contains a link that installs malware on an employee laptop. This malware then attempts to access SaaS applications using a brute force attack, repeatedly trying many different passwords. Let’s suppose that eventually it finds the right password. When it does, IP whitelisting will prevent the user from being challenged with MFA, and the malware will be able to access the SaaS applications, as well as the sensitive data residing within them.
This is just one example of how Static MFA fails. And as hackers continually evolve their attacks, there is a very real risk that static rules won’t be able to keep up.
How to Harden MFA with Machine Learning
OneLogin’s Adaptive Authentication helps mitigate the weakness of static MFA by using machine learning to differentiate low-risk logins from high-risk ones, and prompting users with an MFA challenge as necessary. High-risk logins include logins from unusual geographic locations, IP addresses, times, and devices. These also include logins from networks commonly used by hackers, such as Tor exit relays, or those listed in AlienVault Open Threat Exchange or Project Honeypot.
When a login is considered high-risk, the user should be prompted with multi-factor authentication on their phone or watch. When the user accepts the MFA request, their application login should go through. But when the user denies the MFA request, IT should be notified immediately so they can investigate a potential breach. This is how OneLogin’s MFA works.
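To make the contrast concrete, here is an added example (not OneLogin’s code or its Adaptive Authentication logic) that scores a login against a constructed per-user baseline and threat list, showing why the brute-force-from-inside scenario above passes a static IP allow-list but gets challenged by adaptive rules, and how a denied push becomes an alert to IT. The network prefix, threat-list addresses, thresholds and data classes are all assumptions.

```python
# Added illustration, not OneLogin's implementation. All addresses and baselines are constructed.
from dataclasses import dataclass

CORP_NETWORKS = ("203.0.113.",)       # constructed corporate prefix trusted by the static rule
BAD_NETWORKS = {"198.51.100.7"}       # constructed stand-in for Tor / OTX / Project Honeypot feeds

@dataclass
class Login:
    user: str
    ip: str
    country: str
    device_id: str
    hour: int                 # local hour of day, 0-23
    recent_failures: int      # failed password attempts for this user shortly before this login

@dataclass
class Baseline:
    countries: set            # countries this user normally logs in from
    devices: set              # device identifiers previously seen for this user
    active_hours: range = range(7, 20)

def static_policy(login: Login) -> str:
    """Static rule: trust corporate IPs, challenge everyone else. Source IP is the only signal."""
    return "allow" if login.ip.startswith(CORP_NETWORKS) else "challenge"

def adaptive_policy(login: Login, base: Baseline) -> tuple[str, list[str]]:
    """Collect context anomalies; any of them triggers a challenge regardless of source IP."""
    reasons = []
    if login.ip in BAD_NETWORKS:
        reasons.append("ip on threat list")
    if login.country not in base.countries:
        reasons.append("unusual country")
    if login.device_id not in base.devices:
        reasons.append("unknown device")
    if login.hour not in base.active_hours:
        reasons.append("unusual time")
    if login.recent_failures >= 5:        # assumed threshold: password guessing preceded success
        reasons.append("password guessing preceded success")
    return ("challenge" if reasons else "allow"), reasons

def handle_mfa_response(decision: str, user_response: str) -> str:
    """After the push prompt: a denied prompt is a security event, not just a failed login."""
    if decision == "allow" or user_response == "accept":
        return "login"
    return "deny+alert-it"   # user said "this wasn't me": IT should investigate
```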
Want to learn more? Check out our whitepaper on Risk-based Authentication, and our free on-demand webinar with Forrester: How to Harden your MFA with Machine Learning. In this learning session, OneLogin’s Al Sargent joins Forrester Senior Analyst, Merritt Maxim to dissect the current state of MFA and highlight the role of machine learning to advance the state of corporate security.