Latest Microsoft MFA Advice Is Not Enough To Protect Organisations

The effectiveness of MFA solutions remains a matter of debate. Following the news that Microsoft is urging users to abandon telephone-based multi-factor authentication (MFA) in favour of newer MFA technologies, the question is: what more can organisations be doing?

1 Expert Comment
Alex Willis, VP Global Sales Engineering
November 23, 2020 1:52 pm

Multifactor authentication (MFA) provides an extra layer of security; it does so by adding an extra step in the authentication process and must be implemented in a way that provides a meaningful increase in security without causing an impact on productivity and positive user experience. One of the most common methods of MFA is SMS text messages. The problem is that SMS is not a secure or reliable method of delivery. So while adding an additional step in the authentication process, it’s not actually increasing security in a meaningful way to justify the inconvenience perceived by the user – SMS hijacking is a common issue and there is no guarantee that an SMS message is even delivered. It’s recommended to use an application-based, encrypted delivery of MFA tokens.

Even with a secure and reliable implementation of multi-factor authentication (MFA), you’re still limiting your security of application and data access to an event. Meaningful and productive security requires Continuous and Contextual Authentication for securing sessions post-login. MFA alone cannot address security issues like insider risks and session hijacks, and the MFA device itself could also be compromised.

Continuous Authentication leverages passive biometrics and other usage-based patterns to continuously verify user identity in an unobtrusive fashion. For example, the level of security would change depending on whether the user is requesting VPN access from a hotel (high risk) or their usual home office (lower risk). A malicious user is automatically blocked from accessing apps when they exhibit anomalous behaviour, regardless of a successful authentication event. This enhances the security posture and at the same time improves the end user experience over having a static timeout.

Last edited 1 year ago by Alex Willis