Using multiple authentication factors creates false security

The two great concerns of users are security and anonymity. Today we focus on the first, where one of the key elements is having a strong password. That password should also be reinforced with multi-factor authentication (MFA). Then, if our password is compromised, the attacker will not be able to log in because a second step is required, usually entering a code that we have on our smartphone. However, if this mechanism is not well implemented, it can have flaws. In this article we will see how the use of multiple authentication factors creates a false sense of security.

What is MFA?

MFA (Multi-Factor Authentication) allows users to protect their online accounts using different authentication methods, such as a password, a PIN that arrives by SMS on the mobile phone, a temporary one-time code generated by their smartphone and even a USB security key. Today, in email accounts and on many online sites such as PayPal, Amazon and social networks, any of us uses several authentication factors: mainly the username and password to access, and then a second authentication factor that is usually a numerical code generated by our smartphone or a physical USB key.

The incorporation of MFA into all online accounts has been a great advance against attacks, making things much more complicated for cybercriminals, because they not only have to compromise our service password but also get hold of the second authentication factor that we have configured. Depending on the online account that we are configuring, a good option would be to have a USB key that only we physically have, so that

We are still exposed to attacks on credentials

Despite the adoption of the zero-trust model and Zero Trust networks, many companies are still exposed to credential attacks for two reasons:

  • Insufficient multi-factor authentication (MFA) methods.
  • The lack of urgency after a potential attack or data breach.

A recently published report found that more than half of users who had their accounts hacked did not improve their authentication controls after the attack. The use of MFA is creating a false sense of security. On the other hand, it says there is an increased awareness of moving beyond MFA, and of the overall benefits of passwordless authentication, as organizations continue to implement their zero-trust programs.

Companies are not protecting themselves well

A highlight of this report is that 89% of those interviewed said they had suffered a phishing attack in 2021. In addition, 34% experienced credential stuffing, which is an increase of 17% from the previous year.

Other data related to attacks on small and medium-sized companies were:

  • An increase in attacks on teleworkers. The security of a worker's home network is clearly lower than that of the company network, since the home network does not have advanced security technologies such as IDS or IPS, among other fundamental tools.
  • More than half of the workers say they do not have a password and instead use methods such as SMS, which is not at all secure, although a large percentage use a one-time password (OTP).

The zero-trust security model and the use of MFA are increasing. However, this does not mean there is no reluctance to implement them. Those interviewed describe their objections to traditional password-based MFA like this:

  • Half explain that they have had a bad user experience, so they do not like this authentication method.
  • Lack of interoperability with different services and manufacturers, which makes it difficult to integrate the system in the company.
  • Enterprise solutions are expensive, and many small businesses can't afford them.

Therefore, many interviewees viewed password-based MFA as more of a burden than a benefit, creating a greater impact on overall productivity. More than half of those surveyed had been unable to access critical work information because they couldn't remember a password.

The need to use passwordless methods

As remote work becomes a permanent option, more companies are switching to using passwordless MFA. In this regard, 82% of those interviewed believe in strengthening their authentication security program with the adoption of passwordless MFA.

Compared to using traditional MFA, improved user experience is seen as the second most important factor at 67%. Additionally, 40% of respondents think that using passwordless MFA helps with regulatory compliance.
