Why ‘Enable MFA’ is Lousy Advice
This year’s Cybersecurity Awareness Month Theme – “See Yourself in Cyber” – offers four actionable things you can do to combat cyber threats. The first on the list is to “enable multi-factor authentication (MFA)” – but we think that’s lousy advice. It’s a bold stance, but hear us out.
MFA has been around for years and yet it continues to struggle with adoption rates, even as big brands lobby for stronger authentication mechanisms. In its inaugural Cyber Signals report, Microsoft found that a mere 22% of Azure Active Directory customers had strong authentication enabled. That’s a paltry number given the context.
Enabling MFA should be a no-brainer, since it’s the simplest way to block brute-force attacks and email phishing attempts. But end users still consider the extra step of receiving a text message or email with a one-time password too cumbersome. In the old world, that user friction might have been the leading concern; today the problem is much broader, because adversaries have adopted a new attack against the very tool you are trying to enable – MFA Fatigue.
Understanding and Planning for MFA Fatigue
Whether or not you currently have an MFA solution in place, it is critical to understand MFA Fatigue attacks so you can either:
1. Plan for protections against the tactic
2. Use it as a consideration when evaluating MFA vendors
What is an MFA Fatigue attack? In this attack, a threat actor who already holds stolen credentials runs a script that attempts to log in with them over and over, so that a barrage of MFA push requests is sent to the account owner’s registered verification device.
The goal is to keep this up, day and night, until the target’s resistance breaks down – creating “fatigue” with the MFA prompts. At that point the target is likely to tap “Approve” by accident, or to accept the MFA request simply to stop the deluge of notifications.
Recommendations for mitigating Fatigue attacks
• Remove simple one-tap approvals and instead require round-trip information, such as entering a number that is displayed on the login screen
• Set thresholds on push requests per user and trigger alarms to your SOC when events exceed the preset threshold
• Educate users on what to do if they are exposed to this attack
Getting to the Root of the MFA Problem
Despite Fatigue attacks and end-user resistance, MFA is still a top recommendation from CISA. But the advice needs to be more nuanced than that if you want your organization protected. The advice should be: enable MFA that isn’t easily phishable. You see, Fatigue attacks can’t happen unless adversaries already have the user’s credentials, and they often get those credentials through phishing. This is an extremely important consideration.
Going with the bare recommendation of “enable MFA” is only effective for a short period of time, because attackers quickly adapt to the wider use of the tool and turn to bots and automated programs to bypass MFA.
The Real Actions to Take Today
Instead of the broad-strokes recommendations, we’ve broken down exactly what “Enable MFA” should mean to you based on your current situation:
• I already have an MFA solution that is susceptible to phishing
Contact your MFA vendor and ask them to implement features that protect from phishing. In the meantime, consider putting more efforts into security awareness.
• I do not have any MFA enabled
Most vendors are easily phishable and should not be used if possible. When evaluating solutions, ask the vendor to explain why or why not their solution would be easily phishable.
• I can’t afford an MFA solution
Even though CISA recommends MFA, it’s not feasible for everyone for a variety of reasons. In this case, be sure your users are required to use strong passwords: 12 characters or longer if they are fully random, or 20 characters or longer if they are self-made.
Too many organizations have implemented MFA solutions for one reason or another, but have still been breached and feel cheated by the perceived protection. That’s why Cadre works with customers to dig into the details and recommend technologies fit for today and years ahead, as well as training and assessments that will keep the bad out.
For more recommendations on MFA and other “must-knows” this Cybersecurity Awareness Month, be sure to read our latest blog: 4 Things a Data-Driven Defense Evangelist Wants You to Know.