3 Ways to Combat MFA Hacking for Clients and Create Value-Add Service

It wasn’t too long ago that multi-factor authentication (MFA) was considered the Holy Grail of cybersecurity. More than a few vendors and analysts predicted that MFA would eventually prevent 99 percent of cyber attacks. But here we are. MFA is a standard security tool used by most businesses (and consumers), yet breaches are still happening.

So, what happened? Where did MFA go wrong? And how can managed service providers (MSPs) get the most out of MFA solutions for their clients?

The Promise of MFA and its Shortfalls

The MFA concept was developed decades ago, but really burst onto the scene 10 years ago when enterprise data started to move out of the data center to third-party Software as a Service (SaaS) platforms. With users’ judgement and their ability to keep their credentials to themselves the only thing between malicious actors and your critical business information, it became clear that usernames and passwords were simply not robust enough anymore.

MFA provided a way to ensure users were who they said they were by requiring two points of authentication: the user and a device. The thinking is that it is unlikely that a malicious actor would be able to compromise two separate vector points. They may have a password, but not access to a known device—essentially making it statistically difficult for a bad actor to gain access to an endpoint, network or cloud-based SaaS platform.

However, like most security solutions, MFA only works if it is used 100 percent of the time and is being used appropriately. Unfortunately, MFA can be disruptive to workflows (having to authenticate every time you log in can be tedious), and users found multiple work-arounds to maintain productivity. A popular workaround that continues to be used today is sharing authentication. One egregious example is when an engineering team leverages an iPad on a stool in the middle of the office that everyone uses to authenticate. If you think about it, this is ludicrous. There’s no such thing as a shared identity, and it undermines everything that MFA was intended to resolve.

Imagine if a home security system relied exclusively on a keypad at the front door to let people in. Yes, you can prevent people without the code from entering your home, but you really have no idea who is walking around your living room. Adding a second authentication method, such as a camera, allows you to make sure the person entering has the right credentials (the code) and is who they say they are. You’d never turn off the camera for ease of access purposes. This would completely mitigate the reason you have a security camera in the first place.

Yet, MFA is rife with under- and mis- use—effectively abolishing the protection it is supposed to provide. Couple this with new, sophisticated hacking techniques that malicious actors have developed through the years, and it’s clear that MFA is not living up to the standard industry insiders thought possible 10 years ago.

Managed Service Providers Can Be the Key

MSPs have an opportunity and an obligation to help their customers fix their MFA troubles. After all, it’s in your best interest to make sure your clients are as secure as possible. Not only does it help elevate the level of service you’re providing, breaches are time consuming and expensive to remediate, lowering your margins considerably. Thankfully, there are a few things that MSPs can do to boost the effectiveness of MFA solutions for their clients.

1. Implement MFA code timeouts

A common hacking technique is to bombard users with MFA login requests to point where MFA fatigue sets in and, in a lapse of judgement, the user enters an MFA code into a false web form. Code in hand, the malicious actor can log in and authenticate without a device or app. MSPs can prevent MFA fatigue by implementing code timeouts that cause MFA credentials to expire after 30 seconds, one minute or two minutes depending on policies set by an administrator. This doesn’t completely eliminate MFA fatigue as a technique, but it shortens the strike opportunity dramatically. Hackers would have to act immediately—within seconds in some cases—to gain access, which is very difficult and highly unlikely.

2. Encourage the use of authenticator apps

Another common hacking technique is a man-in-the-middle (MitM) attack where malicious actors redirect MFA codes to their own device rather than the user’s device. This only works when codes are sent via SMS or text message because the device in the user’s possession is not generating the code. However, a third-party authenticator app generates the MFA code directly on the user’s device, making it impossible to redirect the code to another device. Google and Okta are examples of these third-party authenticator apps that you can mandate to your clients.

3. Achieve complete visibility and control over MFA activity

Ensuring compliance requires complete visibility and control over MFA activity as well as the ability to trigger actions that stop the attack or mitigate the damage. MSPs can do this by closely monitoring SaaS platforms and other web applications for suspicious login behavior while maintaining the ability to lock out suspicious users, block data exfiltration or trigger another authentication process. MSPs need to do this perpetually (24 hours a day, 365 days a year), in real time and at scale.

MFA Monitoring is an Opportunity for Value-Added Service

MFA hasn’t lived up to its lofty expectations, but it is still a powerful security tool for keeping data, applications and users safe from unauthorized logins. MSPs have a responsibility to improve the effectiveness of their clients’ MFA solutions while also providing a value-added service. It all comes down to visibility and control over MFA activity. Adding monitoring capabilities from SaaS Alerts can proactively identify and automatically lock out suspicious login behavior and force reauthorization.

Schedule a demo with us to find out how you can easily monitor and enforce your clients’ MFA usage.