Anyone in the cybersecurity field will tell you that enabling Multi-Factor Authentication is the single most important service to prevent nefarious account take-overs. While this information is true, it is also artificially imputed that with MFA enabled, password security is reduced.  The argument goes that if a nefarious individual gained control of your username and password, it would be useless because MFA would stop them from gaining full access to your services.  Without the MFA (token, biometric, or other) factor, the nefarious actor does not have the keys to the castle. However, are all your castles controlled by MFA?

This is a question I had to pose recently when dealing with a few incidents. We were seeing successful remote logins to systems from foreign countries. The customer did not have a presence nor employees in any of the countries gaining access. After a complete examination, we were told the events, while accurate and true, were irrelevant because the customer’s systems were protected by additional MFA factors. My next question to the partner was, “That’s great news.  MFA has saved the day. For that server; for that instance. Yet, someone still has a validated set of credentials for the user. Are you sure the user has not used those same credentials elsewhere that do not have MFA enabled?”

Ask yourself this, “How many places do you use the same email address and password?” Perhaps your bank?  Netflix?  Amazon?  Doctor’s office portal? We log into many sites each day. Unless you use a password manager (the best proactive measure we can recommend!), it becomes tough to track all those usernames and passwords.  So, I’m willing to bet you re-use your passwords quite a bit therein lies the problem with the belief that MFA prevents breaches. Of those sites where you re-use a password, how many have MFA enabled? Probably a few, which is great, but more often than not, the majority do not as of yet, even at work.

Most breaches and ransomware outbreaks happen after an attacker gains access to an internal system via compromised credentials or systems. Once inside the network, most MFA services are disabled. Or geo-location is used to validate against MFA. It is common for MFA to check your “local” IP address to determine if you are inside the corporate environment. On the compromised internal system, that would check out just fine, and with that, the attacker, using the username/credentials from our above example, can successfully “bypass” MFA and gain full access to the desired systems.

Our recommendation is to not rest on the laurels of MFA. Understand that MFA, while great on the surface, can have huge holes and liabilities built-in for user convenience. Any indication of a user’s email or username being compromised must be met with an immediate password change.

Author

Chris Gebhardt, Vice President of Cybersecurity Operations, StratoZen

Chris Gebhardt is a former Police Lieutenant for the Washington DC Metropolitan Police Department and SWAT Team Leader in Utah.  He is currently Vice President of Cybersecurity Operations for Stratozen, a SOC-as-a-Service provider in Draper.  Chris was exposed to technology early in life growing up in New York.  His career focused on the use of technology and security for government and corporate entities including the FBI, DOJ, BJS, eBay, Jet.com, and numerous private equity firms.  Chris is a dynamic speaker often challenging the widely held beliefs of the cybersecurity community.  He is experienced with SOC 2, SOX, HIPAA, GDPR, ISO, and other compliance frameworks.