Go Beyond the Limitations of Multi-Factor Authentication to Protect Your Data
Multi-factor authentication (MFA) was built on the idea of checking your credentials in a way unique to you: something only you know, something only you have and something only you are. On the promise of securing user identities and credentials, MFA gave enterprises the confidence that they would not end up in the headlines, as Deloitte did, for neglecting their secure access management posture. The Big Four accounting firm was targeted by a cyberattack that resulted in the exfiltration of confidential documents and emails, and it was criticized across the industry for its lack of two-factor authentication.
Enterprises also took the leap on MFA deployments in the hope that it would balance accessibility and security. But new deployments bring user resistance and attempted workarounds to bypass the seeming complexity of the organization’s security protocols. Users’ frustration with typing in passwords every time they want to access an application, compounded by the dreaded task of entering another one-time code or producing a physical key during login, all without any context about the risk (or lack of it) involved, usually drives them to disable MFA altogether if given the option.
With identity-related breaches on the rise and MFA solutions becoming more susceptible to compromise, enterprises need to determine the best strategy to ensure secure access and data protection for their environment. Because once legitimate credentials are compromised, so is your data.
What About SSO?
Single Sign-On (SSO) came on the scene with the promise of convenience and security by integrating all authentication into one – taking a user’s login and making it the key to access other services. The benefits were clear: eliminate the need to maintain multiple passwords for different applications, reduce password reset requests, and increase employee productivity.
But as network environments grow more complex and migrate to the cloud, SSO gets complicated, because enterprises must deal with different levels of secure access across their environment. SSO’s promise of convenience and security falls short; it usually ends up delivering neither effectively, or sacrifices one for the other.
The Empty Promise of MFA
CISOs and cybersecurity leaders face the challenge of protecting large enterprise networks and critical data without impacting the user experience. And even though MFA adds more layers of protection and can help enterprises with their compliance efforts, adoption is relatively low.
A survey of 273 IT and cybersecurity professionals conducted by Enterprise Strategy Group found that 53% indicated their organizations hadn’t deployed multi-factor authentication technology more extensively because they have yet to determine which IT assets require it. Another study of 500 IT security managers in the US and UK found that only 38% of organizations used MFA, citing infrastructure complexity and the time needed to manage and oversee it as the biggest barriers to adoption.
Even with MFA deployed, organizations like Yahoo, which had all three billion of its users’ accounts compromised in August 2013, are finding that MFA is not a “set-it-and-forget-it” solution or a silver bullet. Despite its “best practice” status, MFA can be bypassed in multiple ways and fails to protect against sophisticated phishing schemes like scareware and man-in-the-browser attacks.
Getting Past Your MFA is Easier Than You Think
There have been numerous security breaches in the headlines where MFA, as well as SSO solutions, were compromised. From at least October 2018 through March 2019, Citrix Systems suffered a breach at the hands of the Iranian-linked group IRIDIUM, which used password spraying, a method of exploiting weak passwords, as well as proprietary techniques to bypass MFA authorization for critical applications and services, gaining further unauthorized access to VPN channels and SSO. The group stole over six terabytes of sensitive internal files, including emails and blueprints. Citrix Systems agreed to pay $2.275 million earlier this month to resolve a proposed class-action lawsuit.
In 2012, LinkedIn suffered an attack that impacted over 117 million accounts. A Russian hacker, Yevgeniy Nikulin, allegedly hacked the personal laptop of a LinkedIn engineer and was able to grab the engineer’s username for the LinkedIn corporate VPN, which allowed access to a database of usernames and passwords from the professional-networking site’s servers. Nikulin was caught (ironically) due to his laziness: he reused passwords – and those reused passwords contributed to evidence that he controlled accounts associated with the LinkedIn attack, as well as attacks on Dropbox and Formspring.
The growing trend of circumventing MFA has come to the attention of the Federal Bureau of Investigation (FBI) Cyber Division, which issued a Private Industry Notification (PIN) in September 2019 on the rising threat of attacks that bypass MFA solutions. The advisory highlights the primary attack methods used, including social engineering attacks targeted at users and technical attacks aimed at web code.
While MFA can simplify and strengthen the login process for those in your organization, it has no direct impact on securing your data. Once a user has been authenticated, they have access to everything on your system. The reliance on MFA and centralizing security on a single device can lead to overconfidence that can leave your data susceptible to compromise.
Go Beyond MFA with Atakama
Atakama goes beyond MFA’s limitations with military-grade data protection that doesn’t rely on usernames, passwords, one-time codes, or centralized key management. Using a distributed key management architecture, Atakama encrypts each file with its own unique 256-bit AES key that is split into encrypted pieces that are distributed and saved to devices you control and trust. So even if your MFA solution is compromised and a hacker gains access to your system, your protected files cannot be accessed or exfiltrated without the hacker having both physical and digital access to your trusted devices.
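The paragraph above describes two mechanisms: every file gets its own 256-bit AES key, and that key is split into pieces that live on separate trusted devices, so no single compromised login or device yields the key. The example below is an added illustration of those two ideas and is not Atakama’s code; the company’s actual scheme is not described on this page. It assumes AES-256-GCM for the file and Shamir’s threshold secret sharing over the prime field 2^521-1 as a stand-in for the key split, and it goes slightly beyond the text by making the threshold general (any k of n devices, not only 2 of 3). The names `Share`, `EncryptFile`, `DecryptFile`, `SplitKey` and `RecoverKey` and the sample document are constructed for this example; encrypting and transporting the shares to the devices is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Sharing field: the Mersenne prime 2^521-1 (an assumed choice); any 256-bit key fits in it.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 521), big.NewInt(1))

type Share struct { // one piece of a split file key, meant to sit on one trusted device
	X int      // evaluation point 1..n; never 0, because f(0) is the key itself
	Y *big.Int // f(X) mod prime
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile seals one file under a fresh key and returns nonce||ciphertext plus the key.
func EncryptFile(plaintext []byte) (ciphertext, key []byte, err error) {
	buf := make([]byte, 44) // fresh 32-byte key followed by a 12-byte nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	key, nonce := buf[:32], buf[32:] // nonce has cap 12, so Seal below appends into a new slice
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), key, nil // output layout: nonce||ciphertext
}

// DecryptFile reverses EncryptFile; GCM's authentication tag rejects a wrong key.
func DecryptFile(ciphertext, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(ciphertext) < 12 {
		return nil, errors.New("wrong-size key or truncated ciphertext")
	}
	return gcm.Open(nil, ciphertext[:12], ciphertext[12:], nil)
}

// SplitKey turns a 32-byte key into n shares, any k of which rebuild it (Shamir):
// f(x) = key + a1*x + ... + a_{k-1}*x^(k-1) mod prime, and share i is f(i).
func SplitKey(key []byte, k, n int) ([]Share, error) {
	if len(key) != 32 || k < 2 || n < k {
		return nil, errors.New("need a 32-byte key and 2 <= k <= n")
	}
	coeffs := []*big.Int{new(big.Int).SetBytes(key)}
	for i := 1; i < k; i++ {
		c, err := rand.Int(rand.Reader, prime) // uniform random coefficient
		if err != nil {
			return nil, err
		}
		coeffs = append(coeffs, c)
	}
	shares := make([]Share, n)
	for i := range shares {
		x, y := big.NewInt(int64(i+1)), new(big.Int)
		for j := k - 1; j >= 0; j-- { // Horner evaluation of f(x)
			y.Mul(y, x).Add(y, coeffs[j]).Mod(y, prime)
		}
		shares[i] = Share{X: i + 1, Y: y}
	}
	return shares, nil
}

// RecoverKey interpolates f(0) from shares with distinct X. With fewer than k shares the
// result is a random field element that almost never fits in 32 bytes, so nil comes back.
func RecoverKey(shares []Share) []byte {
	secret := new(big.Int)
	for i, si := range shares {
		term := new(big.Int).Set(si.Y) // y_i * prod_{j!=i} (0-x_j)/(x_i-x_j)
		for j, sj := range shares {
			if i != j {
				inv := new(big.Int).ModInverse(big.NewInt(int64(si.X-sj.X)), prime)
				term.Mul(term, big.NewInt(int64(-sj.X))).Mul(term, inv).Mod(term, prime)
			}
		}
		secret.Add(secret, term).Mod(secret, prime)
	}
	if secret.BitLen() > 256 {
		return nil
	}
	return secret.FillBytes(make([]byte, 32)) // left-pad: a key may begin with zero bytes
}

func main() {
	ct, key, _ := EncryptFile([]byte("constructed sample document"))
	shares, _ := SplitKey(key, 2, 3) // e.g. laptop, phone and one more trusted device
	pt, err := DecryptFile(ct, RecoverKey(shares[1:])) // two devices present: key rebuilt
	_, err1 := DecryptFile(ct, RecoverKey(shares[:1])) // one device alone: no key, open fails
	fmt.Printf("two shares: %q (%v); one share: %v\n", pt, err, err1)
}
```

Two properties matter for the argument the text makes. A set of shares below the threshold is not a partially leaked key but a uniformly random field element, so stealing one device, or one user’s credentials, gains nothing about the file. And because every file gets its own key, recovering one key through its devices exposes only that file, which is the “the rest of your files remain encrypted” behaviour the text describes.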
Atakama also extends data protection beyond your device to keep your protected files in sync with major cloud storage services, including Box, Dropbox and Google Drive. And when you need access to a specific file, the rest of your files remain encrypted. Atakama’s file-level encryption keeps your files secure at all times.