When MFA Is Not Enough – 5 Easy and Essential Steps for Hardening Our Identities

by Katie Bates

by Katie Bates

April 24 Blog

Sitting at the computer, brow furrowed, you try desperately to remember what you told that website your favorite sea animal was when you set up this account five years ago.  Somewhere in the back of your mind, an image emerges of a pair of otters holding hands.  “Otters,” you whisper, and you’re granted access to your account.

Every time you’ve needed to give your mother’s maiden name or try to recall the address of your childhood home to access an account, you’ve used multi-factor authentication (MFA).  MFAs generally require two or more pieces of information that help confirm your identity and may include:

1. Something you know – like your password, your favorite sea animal, or your high school mascot
2. Something you have – like a key, a physical USB security token, or your phone’s authentication app
3. Something you are – like your fingerprint, face, voice, or other biometric

Including verifications from multiple categories makes it harder for someone to fraudulently gain control of your account.  Sounds easy, right?

In practice, however, it gets a little more complicated.  The sheer amount of personal data that can be bought and sold on the web makes it easier than ever for malicious actors to find, for example, your childhood address and breach these “something you know” security measures.  Brute force attacks that are able to rapidly guess randomly generated numbers make it easy to crack any 4-digit code your bank sends via SMS text message.  Artificial intelligence is even making it easier to impersonate someone’s voice to gain access to accounts that require voice-matching MFAs by manipulating publicly available video recordings.  Simply put, this generation of MFA technology isn’t going to protect you against modern hackers.

But, don’t worry.  There’s hope!  In a recent roundtable discussion at the Microsoft Secure conference, leading experts offered five ways to strengthen your security posture when it comes to verifying someone’s identity online.

1. Harden Your Current MFA – Ensure that everyone who uses the system is required to complete multi-factor authentication. Retire weak MFA options like SMS and Voice in favor of passwordless, phising-resistent methods like Windows Hello facial recognition.
2. Conditional Access – Leverage the power of Azure Active Directory (AD) to establish rules that govern access to the environment and restrict access requests coming from unknown or unverified locations, devices, or applications. And even when these conditions are met, require MFA.
3. Privileged Identity Management – Not everyone needs to be an administrator, and even those that do rarely need to be an administrator forever. Privileged Identity Management (PIM) removes vulnerable carte blanche permissions by eliminating privilege-based standing access.  Instead of a one-time credentials token download, PIM would require all security tokens to be scrubbed from the device at the end of the session, ensuring that an unmonitored device cannot be hacked to gain that credential. Roles must be requested and approved by a third party with a business justification before that role is granted for a limited time.  Role- and time-bound access parameters help keep your log-in secure.
4. Azure Active Directory Identity Protection – Enforce risk policies that can guard and automatically block a user for activities such as impossible travel, logging in via Tor Browser, or logging in from a suspicious IP address.
5. Attack Simulation – At the end of the day, your environment is only as secure as the people who use it. By taking an active effort in educating your user base, you can help users understand their role in protecting data and identities; raise security awareness; and instill more conscious and cautious behavior when working with applications.  Phishing attack simulators, like those in Microsoft Defender for Office 365, allow you to send out would-be malicious requests and determine whether your team is responding appropriately.