The FBI reports that in 2021 there were $6.9 billion in losses from cybersecurity attacks. That’s a 64% increase in losses from 2020. Nearly 330,000 of the complaints the FBI received were phishing—by far the top internet crime last year.
We all get recommendations from our banks, insurance companies, online stores, mortgage providers, and other organizations to enable multifactor authentication (MFA), aka two-factor authentication (2FA) or 2-step verification (2SV). We get the same advice in articles about the cyber threats landscape and ways to improve an organization’s cybersecurity posture. And with good reason.
We used to think that passwords were all we needed to secure our online accounts, but criminals have learned to crack the code. A popular method they use to gain access to one of your accounts is by sending phishing emails that lead you to a fake login page; when you enter your username and password, they’ve captured your credentials. Because people often use the same password or slight variations for multiple accounts, the bad actors that now have your credentials can attempt to gain access to your other online accounts.
Password standards have evolved over the years to make them harder to hack, whether through social engineering or password guessing. Remember when our online accounts started making us use a capital letter, a number, a special character, and a character count minimum?
More recently, the terminology is shifting: sites often ask for a passphrase rather than a password. The thinking is that phrases are longer and more complex, harder to crack, and easier to remember. Still, whether by way of a phishing email, brute force, malware, credentials purchased on the dark web or plain guesswork, criminals are getting through.
MFA adds a second control beyond your password: a double-check in the authentication process that proves and secures your online identity. Until we reach a comprehensive passwordless future, it’s vital for organizations to configure MFA for all devices and applications and mandate its use. Doing so can cut criminals off from your accounts and from the data and access privileges those accounts carry.
NIST identifies the following three factors as authentication cornerstones:
- Something you know (e.g., a password)
- Something you have (e.g., an ID badge or a cryptographic key)
- Something you are (e.g., a fingerprint or other biometric data)
They then define MFA as using more than one of those factors, noting that “the strength of authentication systems is largely determined by the number of factors incorporated by the system—the more factors employed, the more robust the authentication system.”
Other business sectors see the value of MFA in securing accounts. With rising attacks, claims, costs and payouts, insurance companies are broaching the topic of security controls to assess an organization’s cybersecurity stance. Underwriters often ask about foundational cybersecurity controls like MFA and DMARC on cyber insurance applications.
Since MFA was introduced, though, we’re learning that not all MFA solutions are created equal; criminals are figuring out ways to defeat some MFA methods, usually through phishing. It’s worth checking out this list of phishing-resistant MFA by our friend Roger Grimes. The Cybersecurity & Infrastructure Security Agency (CISA) digs into it here.
A Passwordless Future?
The next iteration in proving online identity and removing the risk of compromised credentials is moving in the direction of eliminating the need for passwords. Because of the security woes with passwords, Apple, Google and Microsoft announced on National Password Day that they will be “expanding support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. The new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.” The new sign-in functionality is supposed to be rolled out over the course of the coming year.
Here at dmarcian, we strongly encourage employing MFA on your work and personal online accounts, and we have built an MFA solution into our DMARC Management Platform. Our MFA security feature supports token-based authentication with an app such as Authy or Google Authenticator, as well as FIDO Universal Second Factor (U2F), which enables physical security keys like YubiKey or Nitrokey.
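To make the difference between the two kinds of MFA above concrete (the phishable app code from the previous section versus a FIDO-style security key), here is an added illustration, not code from dmarcian or any product: it implements the RFC 6238 time-based code that authenticator apps compute, checks it the way a server does, and then models a FIDO-style assertion whose verification includes the site origin. The signature on the assertion is modelled with HMAC under a constructed key so the example runs stand-alone; real authenticators use a per-site public-key pair, and the secret, key, origins and challenge are all constructed sample values.

```python
import hashlib, hmac, json, struct

# RFC 4226 / RFC 6238: the code an authenticator app computes from the shared
# secret and the current 30-second time step (HMAC-SHA1, dynamic truncation).
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` steps of clock
    drift. Nothing here ties the code to the site the user typed it into, which is
    why a code captured by a fake login page is still valid for a short while."""
    return any(hmac.compare_digest(totp(secret, unix_time + 30 * k), code)
               for k in range(-window, window + 1))

# FIDO/WebAuthn-style assertion: the authenticator signs the relying party's
# challenge together with the origin the browser observed. (HMAC stands in for
# the real public-key signature; key is a constructed sample value.)
def make_assertion(auth_key: bytes, origin: str, challenge: str) -> dict:
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True)
    sig = hmac.new(auth_key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"clientData": client_data, "signature": sig}

def verify_assertion(auth_key: bytes, assertion: dict,
                     expected_origin: str, expected_challenge: str) -> bool:
    """Relying-party check: valid signature AND the origin the browser saw must be
    ours. An assertion produced on a look-alike domain fails the origin check."""
    data = json.loads(assertion["clientData"])
    expected_sig = hmac.new(auth_key, assertion["clientData"].encode(),
                            hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected_sig, assertion["signature"])
            and data.get("origin") == expected_origin
            and data.get("challenge") == expected_challenge)

if __name__ == "__main__":
    SECRET = b"12345678901234567890"          # RFC 6238 test-vector secret
    code = totp(SECRET, 1111111109)            # what the app shows the user
    print("app code:", code, "-> accepted:", verify_totp(SECRET, code, 1111111109))
    print("same code 20s later:", verify_totp(SECRET, code, 1111111129))
    KEY = b"constructed-authenticator-key"
    genuine = make_assertion(KEY, "https://login.example", "c0ffee")
    lookalike = make_assertion(KEY, "https://login-example.evil", "c0ffee")
    print("genuine origin:", verify_assertion(KEY, genuine, "https://login.example", "c0ffee"))
    print("look-alike origin:", verify_assertion(KEY, lookalike, "https://login.example", "c0ffee"))
```

The TOTP values for the secret above match the RFC 6238 SHA-1 test vectors (last six digits), so the code path can be checked against the standard.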
Let us know if you have any questions about our MFA capabilities. And if you need assistance with your DMARC project, register for a complimentary trial, and we’ll assist you along the way.