How do you “MFA”?
Your question might be ‘do I need MFA?’ or ‘why do I need MFA?’ You may have already made some kind of commitment; perhaps you deployed a free authenticator, or maybe you have phishing-resistant security USB keys for a few privileged users.
There are many scenarios, but typically there are three ways companies and organizations “do MFA”. Either:
They don’t have MFA.
They have weak MFA.
They have some MFA (i.e., you have it, but it’s not enabled for all users and all systems).
Pro tip: Unfortunately, none of the above provides the full hardened protection today’s threat landscape demands, nor do they leverage the most modern solutions to the toughest cyber challenges. The good news is, we can help!
Identity & Access Management Security Risk Assessment Tool
Whatever your current deployment, can you quantify your current risk?
IDEE worked with the NCSC (National Cyber Security Centre, UK) to create the model used in our Identity & Access Management Security Risk Assessment Tool. The model is a comprehensive threat model based on the Center for Internet Security (CIS) Risk Assessment Method, which conforms to and extends established risk assessment standards such as ISO/IEC 27005, NIST SP 800-30 and Risk IT.
This tool provides an IAM Security Risk Report based on your existing authentication methods and account management systems and can be tailored to your specific deployment and technology type.
Your report is broken down into four parts, providing a summary for each of the following categories:
Identity Proofing
Authenticator
SF Authentication
Account Management
Take a look at your own scenario to check out how secure your current deployment or technology is. Below, we provide a snapshot for the most common deployment types and then it’s up to you if you want to go deeper, by using the tool to generate your own tailored report specific to your own criteria.
I Don’t Have MFA 2.0
Maybe you’re feeling lucky. Maybe you are just one of the hundreds of thousands of organizations that are struggling to deploy MFA for all users because not everyone has two devices. Either way, without MFA deployed, you are relying just on passwords to authenticate your users and allow them access to your inner systems and networks.
Passwords, especially when used on their own on any system, are a high risk. And remember, zero-trust means the perimeter does not exist, so just because a system is not accessible via the Internet, does not mean it does not need to be protected with MFA 2.0.
Let’s look at the risk scores based upon the Identity & Access Management Security Risk Assessment Report.
Identity & Access Management Security Risk Assessment Report
Mechanism: Password
Risk Score: 90/100
Vulnerabilities:
When a password is stolen, the user has no idea that the password has been compromised
Strong passwords are still vulnerable to credential stuffing and password spraying
The strongest password can be obtained using on-the-fly phishing
Strong passwords can be harvested using keylogging & screen capture malware
Password managers are still vulnerable to credential stuffing, password spraying and phishing, as a master password is still required
A compromise of the password manager provider's server leads to a total compromise of all the user accounts, as all the user passwords may be obtained
An attacker can use the address on record (such as an email address) to reset an account password and take over the account
Assess your own risk, or find out more about how AuthN by IDEE can help…
I Have Weak MFA
Most would argue that any MFA is better than no MFA, but we would say only just. Weak MFA 1.0 solutions such as PUSH, QR, SMS and OTP were arguably only ever designed to combat brute-force attacks (i.e. password-based attacks only).
This first-generation technology was created at a time when attacks were less complex and much less sophisticated; however, things have moved on.
1st Generation MFA 1.0 Prevents
Brute Force
Credential Stuffing
Password Spraying
But this represents less than 20% of the attacks most frequently seen in today’s threat landscape. Furthermore, this type of solution is not loved by users because it is a horrible user experience. We do not know any user who likes using two devices or having multiple steps added to accessing their accounts.
Identity & Access Management Security Risk Assessment Report
This snapshot is based on PUSH MFA 1.0 only. If you are using any of the other 1st generation technologies, your results will vary slightly.
Mechanism: MFA 1.0
Risk Score: 86/100
Vulnerabilities:
Both a strong password and an OTP/SMS code can be obtained using on-the-fly phishing
SMS code interception and redirection
Both a strong password and an OTP can be harvested using keylogging & screen capture malware
Push notification is vulnerable to phishing and adversary-in-the-middle (AiTM) attacks
Assess your own risk, or find out more about how AuthN by IDEE can help…
I Have Some MFA
You could be using the world’s most secure and robust authentication technology. You could have triple-hard armed bouncers on the door, but if you left the window wide open, what is the point? In the world of cyber security, you are only ever as secure as your weakest link. There is, therefore, absolutely no point in securing some but not all users and securing some but not all systems. It might slow a criminal down, but it won’t stop them. They look to exploit the gaps wherever they exist.
We know organizations are finding it tough to deploy to all users, but in our world, there are no problems that cannot be overcome, there are only challenges - and we eat them for breakfast!
The reason IDEE exists is to answer the challenges that prevent MFA being accessible to all and deployed to all users, no matter what size the organization or however mature your cyber strategy is. Let us support you on your journey to finding a solution that works for you!