Sage Advice - Cybersecurity Blog

Is Multi-factor Authentication Enough?

What is Multi-Factor Authentication?

One of the most common risks when remotely accessing a network or cloud services is a user account breach. When remote access logins require only a username and password, the traditional method of preventing account compromise is to add multi-factor authentication (MFA). MFA requires:

  • Something you know, like a password
  • Something you have, like a token number, smartphone device for one-time passwords, or authentication apps

There are many forms of multi-factor authentication, and some are more secure than others depending on the account. For example, one-time passwords sent by SMS or email can be captured more easily than codes from authentication apps such as Google Authenticator or Okta. As MFA is adopted by more organizations, attackers are targeting these multi-factor authentication methods, which is resulting in more user account breaches where attackers successfully capture the MFA SMS messages or emails.

How can you defend against MFA attacks?

To mitigate account and MFA breaches, consider adding requirements that validate that a connection request comes from a legitimate user and device. Validation requirements to implement can include:

  • Validating the location of the connection request: where is it coming from?
  • Validating the type of device the connection request is coming from.
  • Validating that the request falls within the normal time frame for such requests (business hours, weekends, or evenings).
  • Validating that only certain categories of devices (organization-owned or personal) may connect.
  • Validating the device only if it’s in good health.

If an attacker can obtain valid user credentials and a compromised multi-factor token to log into a network, a combination of these additional requirements must also be satisfied before the attacker can gain entry. In many cases, overcoming these additional requirements can be so cumbersome that an attacker will simply move to an easier target.

What is conditional access and why should you use it in addition to MFA?

Additional measures that ensure any user logging into a remote access solution is doing so from a known network or approved device are called conditional access. Many existing cloud applications and remote access solutions already have conditional access capabilities, including:

  • Microsoft 365 applications and login portals
  • Remote Access Client VPN
  • Remote Access Citrix or VMware VDI Portals
  • Infrastructure as a Service (IaaS) login portals
  • Desktop as a Service (DaaS) login portals
  • Many other Cloud Applications (SaaS)

Conditional access requirements are set by the cloud application or remote access administrators. They are made up of a set of technical rules that a device is checked against and that must be satisfied before a connection is allowed. Some example conditional access rules require devices to:

  • Connect only from the IP address range of an organization’s network
  • Connect only from a user’s home ISP address range
  • Connect only from a vendor’s external IP address range
  • Connect only from known Geo-IP regions (such as US only or US & Canada)
  • Be one of certain types of devices (Windows 10, iOS, Android)
  • Have a valid on-premises Active Directory domain computer account
  • Have an organization-installed certificate
  • Connect only within a specific time frame (business hours 8 AM to 6 PM, Mon–Fri)
  • Have their Operating System and applications patched up to date
  • Have anti-virus enabled with up-to-date virus definitions
  • Have their firewall enabled
  • Have an organization-added file or hash present

Ideally, more than one rule should be combined so that connecting devices are known devices, in good health, and connecting from a known network. For example, allow connections:

  • Only from the IP address range of an organization’s network.
  • Only from devices that have their Operating System patched up to date.
  • Only from devices with a valid on-premises Active Directory domain computer account.

OR

  • Only from known Geo-IP regions (such as US only or US & Canada).
  • Only from certain types of devices (Windows 10, iOS, Android).
  • Only from devices with anti-virus software enabled and current virus definitions.
  • Only from devices with an organization-installed certificate.

It’s important to use only a few rules and to avoid implementing rules that cannot be met. For example, if a remote access solution is used to allow vendor access into a network, then a rule such as “Require a valid on-premises Active Directory domain computer account” would not permit a vendor to connect. In this case, it is preferable to require a combination of different rules that supports vendor connections, which are often not from on-premises devices. These rules can allow access:

  • Only from a vendor’s external IP address range.
  • Only from certain types of devices (Windows 10, iOS, Android).
  • Only from devices that have their Operating System patched up to date.
  • Only from devices with anti-virus software enabled, and virus definitions are up to date.
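As an added example (not code from the original post or from any of the products named above), the following Python script models how a conditional access broker evaluates the rule combinations described above: rules inside a set are ANDed, and the policy passes if any set passes. The request fields, network ranges, and three constructed requests are assumptions made for this example; it shows an employee on the corporate network passing the first set, a vendor failing the domain-join requirement but passing the vendor set, and a request that has valid credentials and a captured MFA code but nothing else failing every set.

```python
"""Toy conditional access evaluator (added example, not vendor code)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, Dict, List, Tuple


@dataclass
class ConnectionRequest:
    """What the access broker knows about a login attempt (field names assumed)."""
    user: str
    source_ip: str
    geo_region: str            # e.g. "US", "CA"
    device_os: str             # e.g. "Windows 10", "iOS"
    domain_joined: bool        # valid on-premises AD computer account
    org_cert_present: bool     # organization-installed certificate
    os_patched: bool
    av_enabled: bool
    av_definitions_current: bool
    firewall_enabled: bool
    requested_at: datetime


# A rule is a named predicate over the request.
Rule = Callable[[ConnectionRequest], bool]


def ip_in_ranges(ranges: List[str]) -> Rule:
    nets = [ipaddress.ip_network(r) for r in ranges]
    return lambda req: any(ipaddress.ip_address(req.source_ip) in n for n in nets)


def geo_in(regions: List[str]) -> Rule:
    return lambda req: req.geo_region in set(regions)


def os_in(oses: List[str]) -> Rule:
    return lambda req: req.device_os in set(oses)


def business_hours(start: time, end: time) -> Rule:
    # Mon-Fri only, between start and end in the broker's local time.
    return lambda req: req.requested_at.weekday() < 5 and start <= req.requested_at.time() < end


def av_current(req: ConnectionRequest) -> bool:
    return req.av_enabled and req.av_definitions_current


@dataclass
class RuleSet:
    """All rules in a set must pass (AND)."""
    name: str
    rules: Dict[str, Rule]

    def failures(self, req: ConnectionRequest) -> List[str]:
        return [name for name, rule in self.rules.items() if not rule(req)]


@dataclass
class Policy:
    """The request is allowed if any rule set passes (OR)."""
    rule_sets: List[RuleSet]

    def evaluate(self, req: ConnectionRequest) -> Tuple[bool, Dict[str, List[str]]]:
        report = {rs.name: rs.failures(req) for rs in self.rule_sets}
        return any(not failed for failed in report.values()), report


# Constructed address ranges (RFC 5737 documentation space), assumed for the example.
CORP_NET = ["203.0.113.0/24"]
VENDOR_NET = ["198.51.100.0/24"]
MANAGED_OS = ["Windows 10", "iOS", "Android"]


def build_policy() -> Policy:
    """The three rule combinations discussed in the post, expressed as rule sets."""
    return Policy([
        RuleSet("corporate_network", {
            "corp_ip": ip_in_ranges(CORP_NET),
            "os_patched": lambda r: r.os_patched,
            "domain_joined": lambda r: r.domain_joined,
            "business_hours": business_hours(time(8, 0), time(18, 0)),
        }),
        RuleSet("managed_device", {
            "geo": geo_in(["US", "CA"]),
            "device_os": os_in(MANAGED_OS),
            "av_current": av_current,
            "org_cert": lambda r: r.org_cert_present,
        }),
        RuleSet("vendor_access", {
            "vendor_ip": ip_in_ranges(VENDOR_NET),
            "device_os": os_in(MANAGED_OS),
            "os_patched": lambda r: r.os_patched,
            "av_current": av_current,
        }),
    ])


def sample_requests() -> Dict[str, ConnectionRequest]:
    """Constructed login attempts; none of these are real events."""
    return {
        "employee": ConnectionRequest("alice", "203.0.113.45", "US", "Windows 10", True, True,
                                      True, True, True, True, datetime(2024, 1, 16, 10, 0)),
        "vendor": ConnectionRequest("vendor-svc", "198.51.100.7", "US", "Windows 10", False, False,
                                    True, True, True, True, datetime(2024, 1, 16, 14, 0)),
        # Valid password and captured MFA code, but unknown network, unmanaged device, 3 AM Saturday.
        "unknown": ConnectionRequest("alice", "192.0.2.99", "XX", "Linux", False, False,
                                     False, False, False, False, datetime(2024, 1, 20, 3, 0)),
    }


if __name__ == "__main__":
    policy = build_policy()
    for label, req in sample_requests().items():
        allowed, report = policy.evaluate(req)
        print(label, "ALLOW" if allowed else "DENY", report)
```

The report returned alongside the decision is what you would log for detection: a denied request that satisfied the password and MFA steps but failed every device and network rule is exactly the pattern of an attacker who has captured an SMS code, and it deserves an alert rather than a silent deny.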

Adding conditional access requirements can greatly enhance the authentication process of both cloud applications and remote access methods. Requiring both user and device authentication is an effective method of mitigating user account breaches. Sophisticated password attacks use many automated and scripted methods from unknown networks and devices, often launched from diverse global locations.

The Tyler Cybersecurity Lifecycle

Cybersecurity isn’t a destination.


There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”

A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that complement and reinforce one another.
