Digital identities are vital to an organization’s integrity, operations and security. These identities range from accounts used to access email, file sharing and video to line-of-business applications like CRMs and ERPs. We won’t get into all the different threats out there, but I do wish to share one simple yet very effective strategy to protect your online digital identities. Before we get into it, let’s look at some interesting statistics to gain some perspective.
- 300,000,000 daily fraudulent sign-in attempts
- 81% of breaches are caused by credential theft
- 73% of passwords are duplicates
- By 2020, there will be 200 Billion Internet Connected Devices
- 92% of companies have cloud credentials for sale on the Dark Web
- Average of 12.2 incidents each month related to compromised accounts
Multifactor authentication is a method that verifies a user’s identity by checking something you know and something that you have. For a long time, the standard password has been the primary method of authentication when logging into systems. As we can see from the stats above, passwords are effectively useless, but with MFA, having the password to an account is not enough to access it: the additional factor helps prove that you are who you say you are when accessing a digital account.
Some examples of MFA include:
- biometrics such as fingerprints and facial recognition
- time-based one-time passcode generated via an app or sent via SMS
- push notifications via an authenticator app
What about changing passwords?
Don’t change them! That’s right, according to NIST, changing passwords every two or three months actually causes more harm than good. Think about it: when people need to change their passwords so often, how do they keep track of them? More often than not, the password ends up on a sticky note attached to their computer screen, leaving it completely exposed.
With MFA enabled on your digital identity, the password is not as relevant anymore. In fact, the next trend in digital identities is moving towards what is known as Passwordless Authentication but we will leave that for another time.
Not the end all be all
While MFA helped to reduce over 70% of cyber attacks in 2018, hackers have found their way around it and still carry out attacks that bypass the additional factors. A typical example is a SIM swapping scheme carried out against a particular US banking institution back in 2018. In this attack, the attackers called the SIM-issuing company of a subscriber and provided the information needed to perform a SIM swap. Once they got hold of the SIM card, they could bypass MFA by receiving the SMS codes on the attackers’ device. Additionally, more phishing attacks are now MFA-aware, using a proxy to authenticate the user and capture the one-time code.
Tips for MFA
- Avoid SMS codes – although they are convenient, cellular networks are known to be extremely vulnerable and SMS is the weakest method of MFA that you can use.
- Use Push Notifications instead of codes – codes can be captured using advanced phishing methods. Push notifications provide the added benefit of notifying you if and when someone is trying to access your account.
- Be Mindful – if you receive a notification from your authenticator app that someone is trying to access your account, this could mean your password is already compromised.
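The "Be Mindful" tip seen from the defender's side, as an added example that is not part of the original article: a sign-in where the password was correct but the MFA prompt was denied or ignored, from an address the user has never completed a sign-in from, is a signal to reset that password. The events are constructed and the field names (`user`, `ip`, `password_ok`, `mfa`) are assumptions, not the log schema of any particular identity provider.

```python
from collections import defaultdict

# Constructed sample events; the field names are assumptions, not the
# schema of any particular identity provider. IPs are documentation ranges.
EVENTS = [
    {"user": "alice", "ip": "198.51.100.7", "password_ok": True,  "mfa": "approved"},
    {"user": "alice", "ip": "203.0.113.50", "password_ok": True,  "mfa": "denied"},
    {"user": "alice", "ip": "203.0.113.50", "password_ok": True,  "mfa": "timeout"},
    {"user": "bob",   "ip": "203.0.113.50", "password_ok": False, "mfa": None},
    {"user": "carol", "ip": "192.0.2.10",   "password_ok": True,  "mfa": "approved"},
    {"user": "carol", "ip": "192.0.2.10",   "password_ok": True,  "mfa": "timeout"},
]

FAILED_MFA = {"denied", "timeout"}


def suspected_password_compromise(events):
    """Map user -> {ip: count} for correct-password sign-ins whose MFA
    prompt was denied or ignored, from an IP the user has not yet
    completed a full sign-in from."""
    known_ips = defaultdict(set)                      # user -> IPs with a full sign-in
    alerts = defaultdict(lambda: defaultdict(int))    # user -> ip -> failed prompts
    for e in events:  # events are assumed to be in time order
        if not e["password_ok"]:
            continue  # wrong password: nothing suggests the password is known
        if e["mfa"] == "approved":
            known_ips[e["user"]].add(e["ip"])
        elif e["mfa"] in FAILED_MFA and e["ip"] not in known_ips[e["user"]]:
            alerts[e["user"]][e["ip"]] += 1
    return {user: dict(ips) for user, ips in alerts.items()}


if __name__ == "__main__":
    for user, ips in suspected_password_compromise(EVENTS).items():
        for ip, count in ips.items():
            print(f"reset password for {user}: "
                  f"{count} denied/unanswered prompt(s) from {ip}")
```

Carol's timed-out prompt is not flagged because it came from an address she had already signed in from; Bob's failed attempt is not flagged because the password itself was wrong.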
As with most things in security, nothing will protect you 100% but a multi-faceted approach is most effective. Combined with MFA for your online accounts, security awareness training is critical. Security experts know that the human element is by far the weakest link in any cyber strategy but with the right amount of education and awareness, your team can become vigilant and perhaps even your greatest defense.
Keep in mind that every organization is different and may need a more involved approach to their strategy, but MFA is now becoming universally accepted as the most effective way to prevent data breaches related to compromised credentials. Talk to a cyber security strategist with a cloud focus like Imagis to design the right security and adoption strategy for your team. Be proactive, be aware and be vigilant, my friends.