
How to bridge the MFA gap – Source: go.theregister.com


Source: go.theregister.com – Author: Robin Birtstone

Sponsored feature What do flossing and multi-factor authentication (MFA) have in common? Each is highly beneficial, yet far too few people do them consistently. MFA helps protect organizations from credential-based attacks, but according to the Cyber Readiness Institute, only 35% of businesses globally bother with it.

Two of the biggest barriers to consistent MFA deployment are getting the money for it and sourcing the technical expertise to choose the right tool, according to that research.

That resonates with Darren James, senior product manager at Specops Software. He points to a perplexing array of MFA options, many of which co-exist in the enterprise.

“The more MFA you have, the more confused users get,” says James. Bewildered employees might encounter YubiKey authentication for VPN access, Microsoft Authenticator for email, SMS codes and different biometric techniques. Suddenly, what was meant to harden your security becomes a distraction.

When too much is not enough

An improperly implemented MFA system could hinder rather than help, points out James. Fragmented solutions will increase help desk calls from users struggling to remember which authentication method applies to which system. Service agents will be stuck troubleshooting failed authentication attempts across multiple platforms and re-enrolling users in different MFA systems after device changes. These burdens lead to lost productivity from authentication delays.

Multiple MFA systems also increase a company’s attack surface, James warns. Help desk staff navigating multiple authentication systems become more vulnerable to social engineering attacks.

The September 2023 attack on MGM Resorts illustrates this vulnerability. Attackers successfully convinced help desk staff to reset MFA through social engineering, leading to a ransomware attack that cost the company over $100 million in damages.

SIM swapping attacks follow a similar pattern, as attackers persuade mobile carriers to transfer phone numbers to their own devices. They often do this en masse after stealing store managers’ credentials for carrier systems.

Specops has noted several other forms of attacks on MFA. These include MFA fatigue attacks (aka ‘push bombing’), where attackers flood victims with authentication requests until one hits ‘approve’ out of frustration.

Another, session hijacking, exploits weaknesses in web session management to take over legitimate user sessions after initial authentication. Reverse proxy (adversary-in-the-middle) phishing kits, which relay the victim’s login to the real site and capture the resulting session cookie, play a big part in these attacks.

Attackers will also often exploit single sign-on (SSO) systems, gaining access to one account which then grants them access to multiple services through cookie theft or session hijacking. SSO still requires you to log into your device using another mechanism initially. Only then can you use it to log into different online services, James points out, creating an initial security gap.

SSO implementations often sacrifice security to improve the user experience, creating vulnerabilities that contradict zero trust principles, according to James.

“With SSO, a lot of the MFA steps are reduced,” he warns. “After you’ve logged in once with SSO, to keep the user friction as low as possible, it doesn’t prompt you again.” That’s the antithesis of the zero-trust approach that many security experts are proposing today.

How to make MFA better

MFA is still beneficial when you plug some of its implementation holes, James explains. “You’ve got to get MFA right, and it’s no good if it’s only in place in a couple of areas. It’s no good if you’ve got lots of different types of MFA,” he says. “You’ve got to keep it simple for the end user and apply it to everywhere that it’s important.”

Comprehensive coverage requires MFA protection across all critical access points, including not just application access but also initial machine login and machine unlocking, VPN connections, and the Remote Desktop Protocol (RDP). A good MFA solution also includes self-service password reset and account recovery.

MFA implementations should also solve an oft-overlooked problem: identity verification for service desk interactions.

Traditional help desk verification methods are inadequate, warns James. Many use security questions with answers that attackers can find either through social media or public records. They also use voice recognition that someone can defeat using social engineering or AI technology.

Using MFA for authenticating users is table stakes for modern IT service desks, he continues. They should also have dynamic verification methods that change over time, and offer real-time verification through multiple communication channels. Those might include biometric verification through mobile applications, and push notifications to registered devices.

Usability is another factor, he adds. In 2025, even the most non-technical user should be able to navigate MFA properly. That means identical authentication interfaces and workflows across different systems, not just during everyday use, but during enrollment. They should be able to use standardized fallback options when primary authentication fails, and there should be unified help and support resources for authentication issues.

Getting these requirements right will bring business benefits. You can expect user training overhead to drop, along with help desk call volumes. It will also be a boon for security compliance.

How Specops helps

This ideal implementation will be a big ask for many organizations, which are already grappling with multiple MFA solutions accumulated over time. Specops Software has been solving these challenges with products including Specops Secure Access, an MFA aggregation tool that builds on its Specops Authentication platform.

“Specops Secure Access looks at how organizations should use MFA across not just your initial logins, but also for things like self-service password reset, verifying users when they call the Service Desk, getting BitLocker recovery keys, or logging into web apps,” James says.

Specops Secure Access operates as a platform through which all an organization’s MFA runs. It sanitizes and standardizes the user experience and adds its own functionality to enhance the overall MFA process. Admins like it because it gives them a unified management console for all authentication scenarios, along with consistent policy enforcement across different access types.

That policy-driven approach can adapt to different risk scenarios, explains James, using location-based authentication and network information to add context to user logins. For example, the platform will look at whether you’re on a corporate network or on an external one when trying to authenticate. It will also look at your geographic location, including whether you’re in a country that has been restricted or blocked on the system, to help exclude access requests from places with known threat actors. The software will examine the user’s IP address and evaluate its reputation, and will also check their historical access patterns to see if anything in this session request is unusual.
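To make the contextual checks above concrete, here is an added example of a small policy evaluator, written for this article and not Specops code. It assumes a hypothetical corporate address range, a placeholder blocked country code, a stand-in IP reputation list and a constructed per-user baseline of past logins; a real deployment would feed these from network inventory, GeoIP, a reputation service and the authentication logs.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical policy data for the example, not Specops settings.
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("192.168.0.0/16")]
BLOCKED_COUNTRIES = {"XX"}            # placeholder code for a restricted country
BAD_REPUTATION_IPS = {"203.0.113.7"}  # stand-in for a reputation feed (TEST-NET-3)

# Constructed baseline of where and when each user normally signs in.
HISTORY = {
    "alice": {"countries": {"SE"}, "hours": set(range(7, 19))},
}


@dataclass
class LoginRequest:
    user: str
    ip: str
    country: str   # ISO 3166 code, assumed already resolved from the IP
    hour: int      # local hour of the attempt, 0-23


def evaluate(req: LoginRequest):
    """Return (decision, reasons).

    'deny'    - hard block before any prompt is sent
    'step_up' - require a stronger, user-initiated factor
    'allow'   - proceed with the user's normal MFA flow
    """
    addr = ipaddress.ip_address(req.ip)

    # Hard blocks first: restricted geography and known-bad sources.
    if req.country in BLOCKED_COUNTRIES:
        return "deny", ["country blocked"]
    if req.ip in BAD_REPUTATION_IPS:
        return "deny", ["ip reputation"]

    reasons = []
    if not any(addr in net for net in CORPORATE_NETWORKS):
        reasons.append("external network")

    # Compare against the user's historical access pattern.
    profile = HISTORY.get(req.user)
    if profile is None:
        reasons.append("no baseline")
    else:
        if req.country not in profile["countries"]:
            reasons.append("unusual country")
        if req.hour not in profile["hours"]:
            reasons.append("unusual hour")

    # Anything anomalous gets a step-up; a clean on-network login matching
    # the baseline continues with the standard prompt.
    return ("step_up", reasons) if reasons else ("allow", [])


if __name__ == "__main__":
    for r in (LoginRequest("alice", "10.1.2.3", "SE", 10),
              LoginRequest("alice", "198.51.100.4", "DE", 3),
              LoginRequest("alice", "203.0.113.7", "SE", 10)):
        print(r.ip, evaluate(r))
```

The ordering matters: reputation and geography are evaluated before the behavioural signals so that a blocked source never receives a push at all, which also keeps it from being used to generate the request floods described later in the article.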

Specops Secure Access also offers integrated reporting and audit capabilities, along with shared enrollment processes to help reduce the burden on users. It provides MFA access for Windows logons and screen unlocking, along with VPN authentication and support for RDP sessions.

Resetting passwords en masse

Specops Secure Access complements another product, Specops uReset, for large-scale self-service password resets on customer sites.

Specops uReset proved invaluable for the Kalix municipality in Sweden, which suffered a ransomware attack in December 2021. Attackers used weak passwords to infiltrate and shut down all municipal computer systems, affecting critical services from healthcare delivery to payroll processing.

Kalix locked all accounts and told employees to authenticate with Mobile BankID. This is Sweden’s electronic ID system, universally adopted across the country. Kalix adopted uReset to reset 2,000 passwords through its self-service portal, enabling the organization to restore operations quickly after the incident. It also helped to reduce the burden on the help desk during recovery.

Using Mobile BankID as a form of MFA stopped attackers from taking advantage of the mass reset process. Integration with Active Directory, which was able to store the personal identity numbers used in the government ID system, enabled Kalix to achieve fast organization-wide coverage.

Users can even recover their BitLocker keys through Specops Secure Access. Along with Windows logon and password reset, BitLocker recovery is one of the three points where Active Directory passwords are typically used.

One of the platform’s most innovative features is MFA fatigue protection. This addresses the ‘push bombing’ attack, where attackers badger victims with MFA authentication requests until they give in.

Specops Secure Access fights this cybercriminal pestering by limiting the rate of authentication requests to prevent flooding. It flags unusual authentication request volumes, eventually blocking repeated requests. It also integrates with security monitoring systems for threat detection.

The software, which warns users to be aware of suspicious authentication patterns, also supports authentication methods that are more resistant to fatigue attacks. These include one-time passcode (OTP) applications that require user initiation, and hardware tokens that cannot be remotely triggered.
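The rate limiting and flagging described above can be expressed as a sliding-window check over the push log. The following is an added example written for this article, not Specops code; the log format, the thresholds (flag at three requests in sixty seconds, block at five) and the log lines themselves are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical thresholds: alert at FLAG_AT pushes per WINDOW, stop sending at BLOCK_AT.
WINDOW = timedelta(seconds=60)
FLAG_AT = 3
BLOCK_AT = 5

# Constructed push-notification log: bob is being push-bombed at 08:10.
SAMPLE_LOG = """\
2025-06-18T08:00:01Z push user=alice result=approved
2025-06-18T08:10:00Z push user=bob result=denied
2025-06-18T08:10:05Z push user=bob result=denied
2025-06-18T08:10:09Z push user=bob result=timeout
2025-06-18T08:10:12Z push user=bob result=denied
2025-06-18T08:10:15Z push user=bob result=denied
2025-06-18T08:10:18Z push user=bob result=denied
2025-06-18T08:30:00Z push user=bob result=approved
"""


def parse(line):
    """Return (timestamp, user) from one constructed log line."""
    ts, _event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["user"]


class PushRateLimiter:
    def __init__(self):
        self.recent = defaultdict(deque)  # user -> timestamps inside the window

    def handle(self, ts, user):
        """Decide what to do with a push request: 'send', 'flag' or 'block'."""
        q = self.recent[user]
        # Drop requests that have aged out of the window.
        while q and ts - q[0] > WINDOW:
            q.popleft()
        q.append(ts)  # blocked requests still count, so the block persists
        if len(q) >= BLOCK_AT:
            return "block"   # do not send; the user is notified out of band
        if len(q) >= FLAG_AT:
            return "flag"    # send, but raise an alert to the SOC
        return "send"


def process_log(text):
    """Replay the log and return a list of (user, action) in order."""
    limiter = PushRateLimiter()
    actions = []
    for line in text.splitlines():
        ts, user = parse(line)
        actions.append((user, limiter.handle(ts, user)))
    return actions


if __name__ == "__main__":
    for user, action in process_log(SAMPLE_LOG):
        print(user, action)
```

Once a user is in the blocked state, the remaining defence is the one the article recommends: switch that user to a factor the attacker cannot trigger remotely, such as a user-initiated OTP app or a hardware token, rather than resuming pushes when the window expires.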

Active Directory integration

Specops Secure Access integrates with Active Directory, which James says is important given the access management system’s long history and vast market support. Its multiple domain controllers offer redundancy and scalability for Specops Secure Access implementations, he explains. “Active Directory is scalable, it works well, and it’s solid.”

The integration also enables Specops customers to use established user and group management processes, along with existing authentication and authorization policies. That gives them consistency with current IT operations and procedures, James adds.

Moving to MFA might be a big lift for some, but that’s no excuse to skimp, warns James. He advocates for simplicity, standardization, and a ubiquitous system that addresses all access points, not just web applications.

However, he acknowledges that it’s unrealistic for businesses to start from scratch with MFA and exclude solutions they might already be using. To that end, a platform-based approach that normalizes the underlying complexity is a positive move toward protecting users properly.

Sponsored by Specops Software.

Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/06/18/specops_how_to_bridge_mfa_gap/
