How do you “MFA”? 

Your question might be, ‘do I need MFA?’ or ‘why do I need MFA’? You may have already made some kind of commitment, perhaps you deployed a free authenticator or maybe you have phishing-resistant security USB keys for a few privileged users.

There are many scenarios, but typically, there are three ways, companies, and organizations, “do MFA” ... Either, 

  • They don’t have MFA.

  • They have weak MFA.

  • They have some MFA (i.e., you have it, but it’s not enabled for all users and all systems). 

Which one are you?

Pro tip: Unfortunately, none of the above provide the full hardened protection today’s threat landscape demands, neither do they leverage the most modern solutions to the toughest cyber challenges, but the good news is, we can help!

Person holding a speech bubble that says ‘How do you MFA?’ with icons representing multi-factor authentication (MFA), including fingerprint, face recognition, and security lock.
IDEE Identity & Access Management Security Risk Assessment Report, showcasing risk assessment and authentication methods.

Identity & Access Management Security Risk Assessment Tool

Whatever your current deployment, can you quantify your current risk? 

IDEE worked with the NCSC (National Cyber Security Center - UK) to create the model used in our Identity & Access Management Security Risk Assessment Tool. The model is a comprehensive threat model based on the Centre for Internet Security (CIS) Risk Assessment Method that conforms to and extends upon established risk assessments standards such as ISO/IEC 27005, NIST SP 800-30 and RISK IT. 

This tool provides an IAM Security Risk Report based on your existing authentication methods and account management systems and can be tailored to your specific deployment and technology type. 

Your report is broken down into four parts, providing a summary for each of the following categories:

  • Identity Proofing

  • Authenticator

  • SF Authentication

  • Account Management 

Take a look at your own scenario to check out how secure your current deployment or technology is. Below, we provide a snapshot for the most common deployment types and then it’s up to you if you want to go deeper, by using the tool to generate your own tailored report specific to your own criteria. 

I Don’t Have MFA 2.0 

I RELY ONLY ON PASSWORDS FOR AUTHENTICATION

Maybe you’re feeling lucky. Maybe you are just one of the hundreds of thousands of organizations that are struggling to deploy MFA for all users because not everyone has two devices. Either way, without MFA deployed, you are relying just on passwords to authenticate your users and allow them access to your inner systems and networks. 

Passwords, especially when used on their own on any system, are a high risk. And remember, zero-trust means the perimeter does not exist, so just because a system is not accessible via the Internet, does not mean it does not need to be protected with MFA 2.0.

Let’s look at this risk scores based upon the Identity & Access Management Security Risk Assessment Report.

Person scratching their head, appearing confused or uncertain, representing questions around cybersecurity or multi-factor authentication (MFA).

Identity & Access Management Security Risk Assessment Report

REPORT BASED ON PASSWORDS ONLY - Snippet preview
Risk Calculator Report Overview with a Score of 90 out of 100

Mechanism

Password

Risk Score

90/100

Vulnerabilities

  • When a password is stolen, the user has no idea tha the password has been compromised

  • Strong passwords are still vulnerable to credential stuffing and password spraying

  • The strongest password can be obtained using on-the-fly phishing

  • Strong passwords  can be harvested using keylogging & screen capture malware

  • Password managers are still vulnerable to credential stuffing, password spraying and phishing as a master password is still required

  • A compromise of the password manager provider's server leads to a total compromise of all the user accounts as all the user passwords may be obtained

  • An attacker can use the address in record (such as an email address) to reset an account password and takeover the account

Assess your own risk, or find out more about how AuthN by IDEE can help…

I Have Weak MFA 

1ST GENERATION: PUSH, QR, SMS, OTP (One-time-passcode)  

Most would argue that any MFA is better than no MFA, but we would say, only just. Weak MFA 1.0 solutions such as PUSH, QR, SMS, and OTP, were arguably only ever designed to combat brute force attacks (i.e. password based attacks only). 

This first -generation technology was created at a time when attacks were less complex and much less sophisticated, however things have moved on. 

1st Generation MFA 1.0 Prevents 

  • Brute Force

  • Credential Stuffing

  • Password Spraying

But this represents less than 20% of the attacks most frequently seen in today’s threat landscape. Furthermore, this type of solution is not loved by users because it's a horrible user experience.  We do not now any user who likes using two devices or having multiple steps added to accessing their accounts. 

Person straining to lift a heavy weight, symbolizing having weak MFA.

Identity & Access Management Security Risk Assessment Report

REPORT BASED ON 1ST GENERATION MFA 1.0 - Snippet preview

This snapshot is based on PUSH MFA 1.0 only. If you are using any of the other 1st generation technologies, your results will vary slightly. 
Risk Calculator Report Overview with a Score of 86 out of 100

Mechanism

MFA 1.0

Risk Score

86/100

Vulnerabilities

  • Both strong password and OTP/SMS code can be obtained using on-the-fly phishing

  • SMS code interception and redirection

  • Both strong password and OTP can be harvested using keylogging & screen capture malware

  • Push notification is vulnerable to phishing and adversary-in-the middle attacks (AiTM) 

Assess your own risk, or find out more about how AuthN by IDEE can help…

I Have Some MFA 

I have MFA but it’s not deployed to all users and all systems

You could be using the world’s most secure and robust authentication technology. You could have triple-hard armed bouncers on the door, but if you left the window wide open, what is the point? In the world of cyber security, you are only ever as secure as your weakest link. There is, therefore, absolutely no point in securing some but not all users and securing some but not all systems. It might slow a criminal down, but it won’t stop them. They look to exploit the gaps wherever they exist. 

We know organizations are finding it tough to deploy to all users, but in our world, there are no problems that cannot be overcome, there are only challenges - and we eat them for breakfast! 

The reason IDEE exists is to answer the challenges that prevent MFA being accessible to all and deployed to all users, no matter what size the organization or however mature your cyber strategy is. Let us support you on your journey to finding a solution that works for you! 

We protect everything and every user
Person in a yellow sweater making a small gesture with their fingers, indicating something minimal or insufficient, representing ineffective or outdated security measures.
AuthN by IDEE Deployment Architecture and Use Cases diagram, showing integration with on-premise and cloud directories, user provisioning, access methods, and supported devices for secure authentication and identity management.

Assess your own risk, or find out more about how AuthN by IDEE can help…