In the age of sophisticated phishing attacks and credential harvesting, multi-factor authentication (MFA) is a crucial part of any security program. It is often trivial for attackers to gain access to a user’s credentials through password spraying or phishing campaigns. Even though most organizations educate users regarding phishing threats, a percentage of employees will still likely fall for them, providing their credentials unknowingly to attackers. In an environment of distractions, users will fail to see the ‘external’ banner, the mistyped domains, and the lack of encryption on the web page collecting their credentials – some of the common tell-tale signs of a phishing attack.
You can enforce user lockouts for login pages and put technology in place to block most phishing attempts, but it is very likely that something, or someone, will get through. MFA gives your organization the peace of mind to know that if a user does fall victim to credential theft, a breach to the environment is less likely since an MFA token would be needed for access.
Note, it is not good enough to just lockdown VPN, all external access points into the environment must be protected: VPN, Webmail, Collaboration Tools, etc. Services that allow for multi-factor bypass (like EWS) should be limited or shut off completely. Users should not be allowed ‘exceptions’ to bypass this control.
Keep in mind that MFA is not a magic pill answer to every problem. Sophisticated phishing attacks can trick a user into allowing the attacker into the environment by providing the passcode or acceptance to a push request, but these happen less frequently than other types of attacks. User education about the specifics of what a ‘real’ phishing attack of today looks like will help as well. Without MFA you are not only susceptible to attack, but there could be a hard-to-spot attacker in your internal network environment right now. Depending on the compromised account without MFA, the attacker may have significant access privileges.
What we know is that no security measure is perfect or infallible. The security layers in place – with MFA close to the top of the list (right up there with logging!) – will help to create an environment that will hold up to many of today’s malicious activities.