Multi-factor authentication (MFA) should be implemented anywhere sensitive systems or data need to be protected. This is one of the most common pieces of advice we give to companies, especially when it comes to email. It is a widely recommended best practice, but not every company has acted on it, and attackers have been taking advantage of the gap.
What is multi-factor authentication? It is the practice of requiring more than one kind of evidence before accepting a claim of identity. Factors fall into three categories: something you know (a password or PIN), something you have (a phone, key fob or smart card), and something you are (a fingerprint or face). A username is not a factor at all; it only names the account being claimed. A username plus a password is therefore single-factor authentication, and MFA means adding evidence from at least one other category.
A common second factor is the One-Time Password (OTP): a short code that is valid for a single login attempt and, in the time-based variant (TOTP), only for a window of roughly 30 seconds. The code is either computed from a secret shared between the server and an authenticator app on the user’s smartphone or a physical key fob, or generated by the server and sent through a phone call or an email message. Username + password + code is two factors: something you know and something you have. Text messages (SMS) carrying codes had been a popular second factor, but they have been fading in popularity in light of the security concerns highlighted in the latest draft of NIST’s Digital Identity Guidelines (Special Publication 800-63B, if you’d like to read up on it); the core worry is that a code sent to a phone number can be intercepted or redirected, for example by porting the number or swapping the SIM. Other examples of additional factors include biometrics (fingerprints or facial recognition), Radio Frequency Identification (RFID or “proxcard”) badges, and smart cards.
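To make the “algorithmically generated, time-sensitive code” concrete, here is an added example (not code from the original post) of RFC 6238 TOTP in Python: the HOTP core from RFC 4226, the time-step wrapper, a server-side verifier that tolerates one step of clock drift, and a one-time check that refuses to accept a step that has already been consumed. The secret `12345678901234567890` is the reference value published in both RFCs, used only so the output can be checked against their test vectors; `provision_secret()` shows the random, per-user seed a real deployment would generate and hand to the authenticator app in Base32. Function names are ours.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Reference secret from RFC 4226 / RFC 6238 Appendix B; only for checking
# against the published test vectors. Never reuse a fixed seed in production.
RFC_TEST_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per TOTP window
DIGITS = 6       # authenticator apps default to 6; the RFC vectors use 8


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to 31 bits and reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the current time step.
    Anyone holding `secret` computes the same code, which is why seed
    compromise undoes the protection."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_accepted_step: int = -1, window: int = 1,
                digits: int = DIGITS, step: int = TIME_STEP) -> int:
    """Server-side check. Returns the time step that matched (>= 0) or -1.

    - Accepts the current step plus `window` steps either side so a phone
      whose clock drifts by a few seconds still works.
    - Never accepts a step at or before `last_accepted_step`: a code is
      one-time, so a replayed or shoulder-surfed code is rejected.
    - Uses a constant-time comparison so response timing leaks nothing.
    """
    if len(submitted) != digits or not all(c in "0123456789" for c in submitted):
        return -1
    current = unix_time // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if candidate <= last_accepted_step:
            continue  # already consumed (or older than a consumed step)
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return -1


def provision_secret(nbytes: int = 20) -> str:
    """Random per-user seed, Base32-encoded as authenticator apps expect.
    20 random bytes encode to exactly 32 characters with no padding."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


if __name__ == "__main__":
    # Reproduce the RFC 6238 SHA-1 vector: T=59 -> 94287082
    print(totp(RFC_TEST_SECRET, 59, digits=8))
    print(verify_totp(RFC_TEST_SECRET, "94287082", 59, digits=8))                        # 1 (step accepted)
    print(verify_totp(RFC_TEST_SECRET, "94287082", 59, last_accepted_step=1, digits=8))  # -1 (replay)
    print(provision_secret())
```

The verifier has to remember the last accepted step per user (a column next to the seed is enough); without that state, any code stays valid for the whole window and a phished code can be replayed within it.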
Multi-factor authentication can be applied to almost any authentication scenario. At a minimum it should be required whenever a user logs into an internet-reachable system that holds sensitive information, and especially your webmail system. Inside the network it should guard access to administrative privileges and to sensitive data such as personally identifiable information, personal health information, payment information, and any other data or assets critical to your business.
Email is a central repository of sensitive information and a generally trusted tool for communication. But it doesn’t always get the security treatment that databases and accounting systems do. Consider the risk. If someone else gains control of your email, they have immediate, searchable access to all of your sent emails, drafts, inbox, address book, and appointments. What sensitive information might be lurking in your email? Strategic company plans? Customer information? Private financial figures? Embarrassing exchanges? Invoices?
With access to your email account, attackers have your own written words at hand, and with a simple copy and paste they can impersonate you and send plausible emails to anyone in your address book. The most common scenario, which we have seen many times, is an attacker initiating or approving a large wire transfer to an illicit account. Did the CFO really send an email directing payment of the attached invoice? The email address checks out, so it must be the CFO, right? Even if you reply asking to confirm the payment request, the attacker controls the mailbox: an inbox rule can silently delete or redirect your reply before the real owner sees it, and the attacker can answer it with a further “confirmation” from the compromised account.
Without an MFA solution, this scenario is one unfortunate click away from reality. Billions of usernames, passwords, and password hashes have been stolen, and many of them have been posted on the internet. With affordable, powerful hardware and specialized cracking software, a dedicated attacker can test millions or even billions of password guesses per second against stolen hashes. Attackers have also learned that they can save a good deal of time and money by simply asking for credentials, with great success: they target users of well-known webmail systems with plain, business-like phishing emails asking the recipient to click a link and enter login credentials to view a “secure document.” These attacks are an easy way to obtain live credentials from many users and companies, because the victims type them into a normal-looking webpage and click the submit button; all the attacker has to do is log in and start searching. Phishing attacks like this happen thousands of times a day, but with MFA enabled the harvested password alone is no longer enough to log in.
Why don’t companies implement MFA on email? The reasons given include the inconvenience of access, fear of being locked out of systems, and a lack of resources and time to implement it. These costs, however, are minimal when weighed against the cost, inconvenience, and effort of addressing a breach.
To be clear, multi-factor authentication is not a silver bullet. If the shared secret (the seed) from which OTP codes are computed is compromised, or if the app, phone or key fob is compromised, the protection is undone. A code-based second factor can also be phished along with the password by a fake login page that relays both to the real service while the code is still valid, so users still need to be wary of where they type their credentials. When it comes to biometrics, there is a host of similar issues to be explored around preventing our fingerprints or faces from being used against us. Still, all of these added layers provide greater security than relying on a password alone, and implementing MFA should be moved to the top of every company’s technology must-do list.