You wouldn’t use your pet’s name for your password, right? And, of course, you know that using “password123456” is a bad decision.
Now, you can add another bad practice to your list of “no-no’s.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) maintains a Bad Practices Catalog of “exceptionally risky” IT practices. In August 2021, Single-Factor Authentication (SFA) officially joined that shortlist.
In condemning SFA, CISA is warning U.S. corporations, non-profits, and every other organization that relying on a password alone, with no Multi-Factor Authentication (MFA), amounts to rolling the dice with your data.
Taking matters one step further, CISA calls SFA “especially egregious” when it protects remote or administrative access to systems reachable from the internet, since those logins are the ones attackers can reach from anywhere.
Although CISA issued these warnings in the context of infrastructure and functions critical to the United States, you can be sure that attorneys and insurance companies across every industry also received the message.
Multi-factor authentication is one of the most important aspects of cybersecurity today. Anything less amounts to ignoring the reality of the situation.
The Problem with Passwords
Although CISA didn’t spell out the motivation behind its condemnation of SFA, one of the major factors likely stems from bleak statistics regarding password usage.
For example, even though 92% of people understand that reusing variations of the same password is a huge risk, 65% do it anyway. In other words, most people reuse passwords even knowing it’s a bad idea, and one leaked password then unlocks every account that shares it.
And, although you can use different tactics to improve your password protection, CISA’s warning regarding SFA should make every organization consider using Multi-factor Authentication.
Multi-Factor Authentication Advantage
Sure, using more than just a single password helps stop cyberattacks. But, just how effective is it, exactly?
Well, published studies show that MFA dramatically reduces risk, with a second factor blocking up to:
- 100% of automated bots,
- 99% of bulk phishing attempts,
- 66% of targeted attacks.
Not only that, but based on their studies, Microsoft claims that accounts are 99.9% less likely to be compromised when using multi-factor authentication.
That’s the sort of protection that few other cybersecurity strategies can offer.
And, there are global corporations listening to what this data tells them.
Following a 2020 hack in which attackers seized control of high-profile accounts, Twitter now requires hardware security keys as the second factor of two-factor authentication (2FA) for its employees and internal systems.
On top of that, they’ve also rolled out multi-factor authentication support for everyday users, as well.
Still, only 2.3% of active Twitter accounts chose to enable this security feature.
Is it a case of users not knowing the danger? Is it a case of slow adoption? Is it a case of perceived inconvenience?
No matter what the answer is, the danger remains the same.
Multi-Factor Authentication Limits
Multi-factor authentication definitely provides a security edge that’s hard to beat.
However, that doesn’t mean it’s foolproof on its own. Users still need to take precautions and stay aware of current threats.
Recent headlines serve as evidence.
For instance, a September outage of Microsoft’s MFA service prevented some users from accessing their Microsoft 365 services. Additionally, researchers documented One-Time Password (OTP) interception bots: automated callers that pose as a victim’s bank or provider, talk the victim into reading out or entering the code their phone just received, and hand it to the attacker to use before it expires.
But the problems don’t end there.
Researchers also demonstrated a new type of attack, known as “Gummy Browsers,” that captures a user’s browser fingerprint.
That fingerprint is built from attributes such as the browser’s user agent, screen resolution, time zone, installed fonts and plugins, and it is collected the moment the user visits a compromised or attacker-controlled website.
Attackers then replay that fingerprint from their own machine to impersonate the victim against systems that treat the fingerprint as an authentication signal (products such as those from Oracle and Inauth), or to slip past the fraud detection that banks and retail sites use to spot logins from unfamiliar devices.
MFA certainly reduces our risk; however, it’s important for you to know that the technology isn’t foolproof.
You must continue to maintain basic security practices such as system monitoring, layered defenses, and strong, unique passwords.
Passwordless Authentication is Trending, but not Perfect
So, with all of the problems revolving around passwords, can you ever get rid of them?
Well, there are a lot of solutions that certainly hope to do so, with Microsoft even rolling out passwordless login for all of their accounts.
Instead of the traditional login ID and password combination, Microsoft users can sign in using Windows Hello, the Microsoft Authenticator mobile app, a physical security key, or a verification code sent to a phone or email.
Researchers expect adoption of passwordless login to increase 66% over the next two years, and estimate that the average organization (like yours) could save $1.4 million in costs compared with conventional password-based authentication.
Unfortunately, as with any other technology, some hiccups remain cause for concern.
For example, Single Sign-On (SSO) technology, which lets one strong login cover many applications, might save users time, but keeping every application integrated remains difficult.
While businesses typically add only four applications a month to their SSO service, on average they adopt 15 new applications a month, leaving 73% of the new apps (11 of 15) outside SSO each month.
SSO certainly has some appeal, but keeping up with the sheer number of programs remains a major hurdle.
Bringing it Together
Although passwordless logins and MFA aren’t perfect, the CISA announcement proclaims Multi-Factor Authentication as the new baseline for competent security.
But, with so many second factors available, such as authenticator apps, hardware security keys, certificates for trusted devices, SMS texts, and email confirmations, plus the network controls often bundled alongside them, such as IP address and MAC address allow-lists (which restrict where a login may come from rather than proving who is logging in), things can get confusing. And not all factors are equally strong: codes sent by SMS or email can be intercepted, as the OTP bots above show, while hardware security keys resist phishing outright.
Not only can it be a frustrating experience to navigate on your own, but adding to the confusion are the costs, which vary wildly depending on the solution you’re after.
If you ever feel as though technology is confusing or challenging, know that you’re not alone. And, know that there are people out there ready and willing to walk you through the process.
Call Ideal Integrations at 412-349-6680, or fill out the form below, and our authentication experts will help you and your team understand your options, and determine the right fit for you and your needs.