Skip to main content
Dark background with blue code overlay
Blog

Adding Multi-Factor Authentication to Employee Logins: A Sound Security Principle

Jim Black

Written by

Jim Black

February 22, 2022

Jim Black is a Sr. Product Marketing Manager at Akamai's Enterprise Security business unit. He has spent his entire career in technology in telecoms, mobile and security and has held roles in manufacturing, customer support, business development, product management, PR and marketing.

Security complexities in 2021

The year 2021 was definitely challenging for security practitioners. The number of data breaches continued to rise; a report issued by the Identity Theft Resource Center stated that the total number of breaches in the first three quarters of 2021 exceeded the total number of events in all of 2020 by 17%. 

There was also a significant uptick in ransomware attacks; this report stated that there was a 48% increase in attacks through September 2021, with nearly 500 million attacks identified. 

A combination of the perpetual security skill shortages, the new security complexities introduced by remote working, and the increased attention by governments on the impacts of cyberattacks has caused businesses to double down on how to improve their defenses.

Early prevention is necessary

When you start to dig into the details of many of the high-profile data breaches and ransomware attacks, it’s often surprising how easily the attackers gained that initial beachhead in an organization’s network — and how simply it could have been prevented.

For example, in the Colonial Pipeline ransomware incident, the attackers gained initial access to Colonial’s network by logging into a virtual private network (VPN) server using credentials that they had likely purchased from one of the numerous websites that resell previously leaked usernames and passwords. 

Even though the account was inactive, it was not protected by multi-factor authentication (MFA), and connecting to the VPN server allowed the attackers to gain that initial foothold, identify targets of interest, and ultimately deploy the ransomware payload.

Multi-factor authentication is a worthy line of defense

One simple but very effective way that the Colonial attackers could have been halted right at the outset is by deploying MFA as another security layer whenever a login attempt was made. 

Indeed, perhaps it’s time we started to work on the principle: It’s not if stolen employee credentials will be used in attacks, but when they will be used in attacks. Considering workforce authentication through that lens makes deploying MFA seem like a no-brainer security approach.

Attackers prove to be determinedly innovative

Any MFA is better than no MFA, but the reality is that attackers are determined — and, not surprisingly, they are now jumping over the MFA barrier.

For example, in the widely reported Twitter attack from 2020, the attackers used social engineering to trick an employee into giving up their username and password via a fake VPN login page. Twitter was using a standard push notification as an authentication factor, and the impersonation attacker was able to cause the push challenge to be sent to the unsuspecting user. 

Because the employee was expecting the MFA challenge to appear on their mobile phone, they went ahead and accepted the request. 

Second factors in MFA solutions

There are numerous second factors that can be used in MFA solutions. As this blog by one of my threat research colleagues highlights, most of the second factors that are currently used can be bypassed. Brian Krebs went one step further in his blog post about SMS as an MFA factor where he asked, “Can We Stop Pretending SMS Is Secure Now?”

So, although any MFA is better than no MFA, when thinking about deploying an MFA solution for the first time or modernizing their current MFA solution, organizations should be looking at solutions that make bypassing MFA extremely hard.

FIDO2 standard

Typically, these MFA solutions will use the FIDO2 standard, which uses cryptography to bind the login attempt to the user’s authentication device. One key aspect of the FIDO2 standard is that the authentication challenge is sent back through the browser agent used to make the original authentication request (unlike a standard push, which sends the challenge out-of-band directly to the mobile device). 

This gives the browser agent the opportunity to add context to the challenge (e.g., from where it was received) before delivering the challenge to the authenticator. This context allows the authenticator to detect, and refuse, challenges with evidence of an impersonation attack. 

One big drawback with many FIDO2-based MFA solutions is that they require the use of a hardware security key to deliver that extra level of security. Not only does that increase the overall cost of the MFA service, but it adds additional complexity and it’s not a great end-user experience. 

Users simply do not like having to carry around yet another piece of hardware, especially one that is so small and can be easily lost or misplaced.

Akamai MFA delivers a frictionless user experience

Akamai MFA delivers all the benefits of FIDO2-based security but eliminates the cost and end-user friction drawbacks. It uses a mobile app to turn a smartphone into a FIDO2 authenticator, eliminating that additional cost and complexity. Most important, because it’s a simple and intuitive app, it delivers a frictionless experience for employees.

Learn more

To find out how Akamai MFA can help you quickly improve security for workforce logins and to sign up for a 60-day trial, visit the Akamai products page.