

The state of MFA: 4 trends that portend the end of the solo password

Rob Lemos, writer and analyst

In 2020, the world saw employees move en masse to remote work, forcing companies to increasingly rely on accessing business services and data through the public cloud. The shift vaulted credentials—traditionally, a username and password—to the top of attackers' focus. 

The result is that 2021 may be the year that multi-factor authentication becomes the norm.

Adding a second factor is a game-changer. Even one of the weakest forms of two-factor authentication—two-step verification through SMS text messages—can stop 100% of all automated attacks, 96% of bulk phishing attacks, and three-quarters of targeted attacks, according to Google.

Most companies have started to deploy multi-factor authentication, but only some applications and users are currently protected by the technology, said Sean Ryan, senior analyst on the security and risk team at Forrester Research, a business intelligence firm.

"Adopting multi-factor makes logical sense, and you would think we would already be there," he said. But barriers include costs, the need for resources and skills, and "just maybe a fear that this could cause problems with access. People do not want to be slowed down."

Despite the roadblocks, here are four trends showing that the adoption of multi-factor authentication will continue to expand.

1. Remote work makes the issue more critical

Following the mass movement to remote work in 2020, companies are expected to continue to allow employees to work outside of the office for the foreseeable future. More than half of companies currently have remote-work arrangements in place, and 80% expect to establish remote work as the normal way of working by the end of the pandemic, according to a PricewaterhouseCoopers global survey published in September. 

Most of those companies will no longer require employees to go into the office.

Because the use of cloud services and infrastructure increases with the number of remote workers, companies must increasingly rely on authentication. If the only authentication is a password, then the company is not protected against the numerous credential-stuffing attacks—where bad actors try stolen usernames and passwords against online services—currently in use by attackers.

This is a common theme brought up in conversations with CISOs, said Dave Lewis, global advisory CISO for Cisco's Duo Security.

"The vast majority are moving toward multi-factor authentication and stepping away from static passwords, and trying to do it for the entire enterprise."
Dave Lewis

He said only a small subset of organizations had reduced MFA to a single application, because they "are struggling to get buy-in from upper management."

Forrester estimates that 70% of companies are still password-centric. However, a survey conducted by security firm Thales found that 95% of companies in the Americas had implemented multi-factor authentication to protect some resources. In its own survey in 2019, Microsoft found that 85% of executives expected to have adopted or expanded their use of multi-factor authentication by the end of 2020.

2. MFA stops breaches

Multi-factor authentication is arguably the most important step that companies can take to defend against online attacks. Using a second factor can block 99.9% of all attacks, Microsoft said in an analysis of attacker tactics.

Companies relying on passwords to secure sensitive data and access to services are much more likely to suffer a breach. The average company has nearly a million credential-stuffing attempts every year, according to Verizon's 2020 Data Breach Investigations Report.

In most attack scenarios today, attackers already use tactics that make the password a minor concern, the Microsoft analysis said—if it's any concern at all. Attackers collect credentials from breaches to use against business accounts, and users' habit of reusing passwords means that often the attacker already has the password.

In other cases—phishing and malware-based keylogging—the attacker is able to fool the user, or the user's system, into giving up the password. Microsoft, which sees hundreds of millions of password-based attacks targeting its Azure customers every day, found that the complexity and length of passwords does not matter.

The only time that a strong password prevents an attack is when the attacker targets a single account and guesses a massive number of passwords, known as a brute-force attack, or when the attacker uses a limited number of common passwords and tries them against a large number of accounts, known as password spraying.

For all these reasons, focusing on password rules—rather than on things that can really help such as multi-factor authentication or great threat detection—"is just a distraction," Alex Weinert, partner director of identity security at Microsoft, said in the company's report. 

3. SMS is not going away

Not all multi-factor authentication is created equal, however. Authentication that relies on sending one-time passwords through SMS continues to be popular, but it has known weaknesses.

One popular attack vector is that bad actors can gain access to SMS messages by fooling a carrier's customer service representative into believing that a phone has been lost and requesting that the user's account be associated with a new device.

The attack is worrisome enough that the National Institute of Standards and Technology called for SMS to be deprecated as a method of authentication, and Microsoft has urged that companies move away from multi-factor authentication that relies on SMS and voice calls.

While SMS is slowly becoming less common, it will likely never go away completely, said Forrester's Ryan.

"I would love to say that this is the year that we put it to bed and get away from SMS one-time passwords. But we are still stuck with passwords, right?"
Sean Ryan

Ryan noted that technology tends to have a long tail of use.

"We are moving more quickly, especially because of the pandemic and sending everyone to a work-from-home scenario. That's really put more of a spotlight on the need to have authentication that is stronger and with a better user experience."
—Sean Ryan

4. WebAuthn can help developers

In early 2019, Web Authentication, or WebAuthn, became an official World Wide Web Consortium (W3C) standard. The specification allows any service—a bank, email provider, or online game—to request an authentication token that the authenticator—your mobile app, hardware token, or facial recognition—can provide.

By separating the authentication step from service access, the WebAuthn standard gives users access to a broad range of potential authenticators, most of which do not require passwords. WebAuthn is currently supported in Google Chrome, Mozilla Firefox, Microsoft Edge, and Apple Safari web browsers, as well as Windows 10 and Android platforms.

Yet WebAuthn remains in the early stages of adoption, said Forrester's Ryan.

"The technology needs to be adopted across different websites. There is still some waiting for that to gain critical mass, but that will definitely make things easier."
—Sean Ryan

Focus on privileged users first

Companies should develop threat models to determine which users are likely to be most targeted by attackers.

In many targeted attacks, for example, attackers will spend a great deal of effort bypassing any authentication technology—and no technology is a perfect defense. SMS-based authentication can be circumvented by surreptitious monitoring and by attacks that clone the SIM card of the target's device. Users of application-based two-factor authentication may be vulnerable to social engineering and supply chain attacks, as demonstrated by one nation-state group that bypassed Duo Security's multi-factor authentication by stealing the integration key for a targeted customer, according to an analysis by Volexity.

Forrester stated in a September research report:

"Privileged users, senior executives, and employees in finance and HR are likely targets, so consider implementing more robust security measures such as hardware security tokens for these users first."

Why you need multi-factor now: Nothing's perfect

In the end, every method of authentication can be attacked. Yet companies that understand the threat will be able to develop training and countermeasures to address potential attack vectors. Well-conceived multi-factor authentication infrastructure, combined with trained users, will eliminate most of the threats to businesses that find themselves increasingly reliant on authentication for cloud services and virtual infrastructure.

As we move into 2021, companies and developers should take the extra step and protect every user with two-factor authentication. Privileged users should get true multi-factor authentication along with monitoring to prevent a single bad decision from becoming a business-wide compromise, said Duo Security's Lewis.

"One of the positive things coming out of the pandemic is that organizations are understanding that moving to multi-factor authentication is not that difficult. People working from home now are not those who have traditionally worked from home, so they need to have better security around them."
—Dave Lewis
