
Protecting Your Users with MFA

  • Darian Cheung
  • 14 December 2021
  • 3 min read

Updated: 16 June 2022

As global cybersecurity risks abound, multi-factor authentication (MFA) is one of the most effective ways to protect access and prevent breaches. While MFA has gained momentum over the past two years, it’s still not in widespread use. Why? For MFA adoption to really take off, organisations need to understand the real value of MFA and how to effectively implement it.


The Tech Giants Trying to Make MFA Mainstream


Outside of work, most people ignore the option of two-factor authentication (2FA) or are reluctant to enroll in 2FA for a few common reasons: misplaced confidence in passwords, frustration or confusion about setup or pure laziness. Less than 10% of Google accounts have two-factor authentication enabled, and only about 12% of Americans use password managers.


Why Are Organisations Slow to Adopt MFA?


Unfortunately, the same attitude exists in the workplace, with enterprise MFA adoption still low.

Organisations often believe common MFA myths, seeing MFA as a tool only for:

  • The largest organisations, or

  • The most privileged of accounts: Windows admin accounts, Active Directory service accounts and anything that has control over a major part of the network environment.

Yet, MFA is equally important for both small and large organisations. No matter the size of your organisation, your data is equally sensitive and should be equally well protected.

Whether or not MFA should be only for the most privileged accounts merits a closer look.


To Raise MFA Adoption Rates, Take a Fresh Look at Security


Let’s start with a look at the security approach behind the idea of “privileged accounts.” Securing the login is the first step to making privileged access management (PAM) work. Each organisation has a different balance, but you’ll reduce risks by extending security as far down the “non-privileged” path as possible.


In the old-school, perimeter-based security approach, we didn’t talk as much about the security of the “average” user account. However, the focus has changed thanks to the en-masse shift to remote work and many organisations’ rapid transition to a hybrid environment spanning both the corporate network and the cloud.


The Principle of Least Privilege Is More Relevant Than Ever


The principle of least privilege – the practice of limiting user access to only sets of data, applications and systems that they absolutely need – has been around for years (Microsoft wrote about it in 1999). Because the threats of attack today are even greater, least privilege is more pertinent than ever to an organisation's security strategy:

  • External attacks leverage user accounts to gain control over endpoints, move laterally within the network and, ultimately, acquire targeted access to valuable data.

  • Insiders leverage their own granted access or other compromised accounts to use data and applications for malicious purposes.

See, least privilege isn’t actually about privilege. It’s about the compromised use of a “privileged” account. So, one of the key aspects of a least privilege strategy is to monitor the use of privileged accounts.


The Key: Monitoring All Account Access


Privileged access management (PAM) is viable for monitoring truly privileged accounts, like Active Directory administrator accounts. Yet, it doesn’t serve the purpose of monitoring activity for every user in the organisation.

One pivotal point of access provides organisations with crystal clear indicators that an account is either being properly used or has been compromised: the logon.


Apply MFA to All Accounts


For the modern organisation, the real value of MFA is in protecting any account with access to critical data, applications and systems. Since every user has attributed access rights and privileges, all users are some sort of privileged user.


Tips for Deploying MFA


Preparation is key! Applying MFA to all users demands more planning than if you apply MFA to only privileged accounts. Whatever the size of your company, here are the 6 key points to keep in mind before you deploy MFA:

  • Securing logins significantly improves your security stance

  • MFA is not just for privileged users

  • MFA doesn’t have to be frustrating for IT departments

  • MFA must balance user security and user productivity

  • Educate and empower your users to support MFA

  • Management commitment and buy-in are key

Unleash the True Value of MFA


Truly increasing MFA adoption requires a more fundamental shift in the organisation’s security posture. The more organisations understand the value of applying principles of least privilege and privileged account management to all accounts, the more they will understand the advantage of securing logins across all users. Organisations will put more effort into finding a balance between employee productivity and security. When they do, get ready to see the demand for granular, customisable MFA explode.
