GRC Viewpoint

Four Ways Your Approach to Multi-Factor Authentication May Be Hurting Your Zero-Trust Security Strategy.

For organizations looking to implement a zero-trust security strategy, there are several principles and technologies to consider for it to be successful. Among them is utilizing multi-factor authentication (MFA) to improve security and mitigate risks across an organization’s workforce. When used effectively, MFA can significantly bolster security for users and their accounts. Conversely, when MFA is poorly implemented, it can negatively impact the effectiveness of your zero-trust strategy.

Unfortunately, there are many instances when MFA is deployed selectively and in a bypassable manner. A 2022 Global Small Business MFA Study by the Cyber Readiness Institute showed only 46% of responding small businesses had implemented MFA and 28% required the use of MFA. When adopting a zero-trust security strategy, such MFA practices can interfere with achieving your objectives around governance, risk, and compliance.

So, what can be done? In this article, we’ll explore four reasons why your MFA solutions may succumb to credential-based risks. And we’ll uncover why your approach to protecting your workforce with MFA may be falling short and potentially harmful to the zero-trust security strategy that your company leadership believes in.

1. Exceptions are allowed. It seems that every IT organization in the world has a CIO exception process and a risk assessment program that focuses on “what” is most valuable and “who” is most vulnerable. Far too often, organizations resign themselves to the idea that they “cannot boil the ocean” when it comes to security risks, so they prioritize a selective set of high-risk roles or high-value individuals. A high-risk role may be someone who has administrative access to sensitive customer data or company secrets. A high-value role may be someone who has the authority to approve invoices and issue payments.

This may sound practical but cuts too many corners. Threat actors do not care about these parameters or priorities. They know these practices create an opportunity to target your workforce and extended user groups through social engineering techniques. Moreover, the primary principle of zero-trust is to never trust and always verify in the context of “who” is making a request for information. This means everyone, irrespective of that user’s role as a workplace employee, contractor, vendor, or partner. There should be no exceptions because everyone is at risk, always.

2. Bypasses are allowed. There is something about password fatigue and the ceremony of logon that some end users push back against. However, MFA is meant to verify that the correct person is requesting access from wherever they’re working (remote, hybrid, home office, traveling), whatever method of network access they’re using (Wi-Fi, Ethernet, VPN, cellular), and from the appropriate devices that belong to them and should be in their possession (laptop, mobile, tablet). Any type of step-down, suppression, or bypassing of verification for convenience or exception is no longer MFA and strikes out the primary principle of zero-trust.

3. MFA accounts are shared. Administrators wield great power and responsibility. Unfortunately, in a password-reliant world, shared accounts and service accounts are responsible for a high-risk scenario referred to as standing privileges. These are super credentials with more than one administrative user. They persist with a variety of powerful entitlements to manage cloud and on-premises infrastructure, monitor mission-critical resources, access sensitive, private and regulated data, and enforce company-wide security standards and policies.

The concept of adding MFA to these shared accounts sounds like a great idea, right? Not if you want to pass a regulatory audit or maintain a cybersecurity insurance policy. Not only do you need to stop allowing standing privileged access via shared accounts and shift to just-in-time (JIT) privileged access for administrative-level tasks, but you should couple it with MFA so that every administrator must verify that they requested JIT access. Another tenet of zero-trust is the principle of least privilege (POLP), which limits not only what rights are granted, but also reduces the chances of permissions creep when shared accounts or super credentials are eliminated.

4. Phishable MFA is used. Noted security expert Roger Grimes at KnowBe4 has a strong perspective on phishable MFA. He writes, “This might go down as one of the biggest disconnects in cybersecurity history. Everyone should use multi-factor authentication. Everyone! The problem is that so much of MFA is barely better than passwords and just as easy to compromise.” Grimes is not the only one who recognizes this. An executive order from the U.S. federal government mandates that “Agencies must require their users to use a phishing-resistant method to access agency-hosted accounts. For routine self-service access by agency staff, contractors, and partners, agency systems must discontinue support for authentication methods that fail to resist phishing, including protocols that register phone numbers for SMS or voice calls, supply one-time codes, or receive push notifications.”

Fortunately, there are phishing-resistant alternatives in the marketplace that take advantage of modern, open identity standards such as the W3C Web Authentication standard and FIDO 2.0 as well as commercially available biometric and hardware token-based solutions.
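As an added illustration of the distinction item 4 draws between a one-time code and a WebAuthn/FIDO2 assertion (example code, not part of the original article): a relying party’s verification of an assertion includes the origin the browser recorded, so an assertion created on any other site fails, while a one-time code validates wherever it was typed. It assumes a hypothetical relying party example.test and uses an HMAC stand-in for the authenticator’s asymmetric signature so it runs on the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed demo values. Real authenticators sign with a per-credential
# private key (ECDSA/EdDSA); an HMAC with a demo key stands in for that here.
RP_ID = "example.test"                       # hypothetical relying party ID
EXPECTED_ORIGIN = "https://login.example.test"
CREDENTIAL_KEY = b"demo-authenticator-key"   # stand-in for the private key


def authenticator_sign(browser_origin: str, challenge: str) -> dict:
    """Simulate browser + authenticator. The browser, not the page script,
    writes the origin it is actually connected to into clientDataJSON, and
    the authenticator signs authenticatorData || SHA-256(clientDataJSON)."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge,
                              "origin": browser_origin}).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (UP + UV set here)
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x05"
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data,
            "authenticatorData": auth_data,
            "signature": sig}


def verify_assertion(assertion: dict, challenge: str) -> bool:
    """Relying-party checks: type, challenge, origin, rpIdHash, signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    # Origin binding is the step that makes the assertion phishing-resistant:
    # a signature produced for another origin never verifies here.
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def verify_otp(submitted_code: str, issued_code: str) -> bool:
    """A one-time code carries no origin: it is accepted regardless of
    which site the user typed it into, which is why it can be relayed."""
    return hmac.compare_digest(submitted_code, issued_code)
```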

There is much to gain from implementing a zero-trust security strategy and taking an identity-first approach. But to achieve the benefits, you must avoid these common pitfalls to maximize MFA capabilities and fortify your zero-trust approach to security.

By Carla Roncato, Vice President of Identity at WatchGuard Technologies
