Not all types of MFA are created equal…

For several years, we have strongly advocated the use of multi-factor authentication (MFA). MFA, also known as 2-step verification (2SV) or two-factor authentication (2FA), protects user accounts against many common attacks. That is why our 2018 guidance carried a straightforward message: organizations should implement 2FA for the internet-facing parts of their corporate IT systems.

At that time, many organizations were moving their corporate digital services to the cloud. That migration increased their exposure to internet-based attacks, so the NCSC urged organizations to strengthen their authentication by adding MFA.


Looking at the Current Landscape

MFA still provides a substantial security improvement over relying on passwords alone. Recent high-profile breaches of corporate data, including those affecting Ticketmaster and Santander, are cases where mandatory MFA could have prevented the incident.

Nevertheless, attackers have adapted, and social engineering techniques now successfully compromise some forms of MFA. Attacks on MFA-protected accounts have risen noticeably over the past few years, a trend reflected in Mandiant’s M-Trends 2024 Special Report.
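The difference between a factor that social engineering defeats and one it does not comes down to what the user (or their device) hands over. The toy model below is an added example, not NCSC code: it implements RFC 6238 TOTP, then a simplified WebAuthn-style assertion in which the browser embeds the page origin and RP ID into the signed data. The authenticator's signature is stood in for by an HMAC (an assumption for brevity; real authenticators use an asymmetric key pair), and the hostnames and secrets are constructed for the demonstration.

```python
"""Added example (not from the NCSC post): relaying a TOTP code through a
phishing page succeeds, relaying an origin-bound assertion does not."""
import hashlib
import hmac
import json
import os
import struct

# Constructed demo secrets; the TOTP seed is the RFC 6238 reference seed.
TOTP_SECRET = b"12345678901234567890"
AUTHENTICATOR_KEY = b"demo-authenticator-key-not-real"

REAL_RP_ID = "example.com"                    # assumed real service
REAL_ORIGIN = "https://login.example.com"
PHISH_RP_ID = "evil-example.net"              # assumed attacker domain
PHISH_ORIGIN = "https://login.evil-example.net"


# --- Phishable factor: RFC 6238 TOTP ----------------------------------------
def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """HOTP over the time counter floor(t / step), SHA-1 as in RFC 6238."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp_server_verify(secret: bytes, submitted: str, t: int,
                       step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side."""
    return any(hmac.compare_digest(totp(secret, t + k * step, step), submitted)
               for k in range(-window, window + 1))


def relay_totp(secret: bytes, t: int) -> bool:
    """Attacker-in-the-middle: victim types the code into a lookalike page,
    attacker forwards it to the real service within the validity window."""
    victim_code = totp(secret, t)          # nothing binds the code to a site
    forwarded_by_attacker = victim_code
    return totp_server_verify(secret, forwarded_by_attacker, t)


# --- Phishing-resistant factor: origin-bound assertion (WebAuthn-style) -----
def browser_authenticator_sign(key: bytes, rp_id: str, origin: str,
                               challenge: str) -> dict:
    """The browser, not the user, fills in origin and RP ID from the page it
    is actually on; the authenticator signs over both plus the challenge."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    signed = rp_id_hash + hashlib.sha256(client_data).digest()
    sig = hmac.new(key, signed, hashlib.sha256).digest()   # stand-in signature
    return {"client_data": client_data, "rp_id_hash": rp_id_hash, "sig": sig}


def rp_verify(key: bytes, expected_rp_id: str, expected_origin: str,
              expected_challenge: str, assertion: dict) -> bool:
    """Relying-party checks: type, challenge, origin, RP ID hash, signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != expected_origin:          # relayed assertions fail here
        return False
    if assertion["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False
    signed = assertion["rp_id_hash"] + hashlib.sha256(assertion["client_data"]).digest()
    expected_sig = hmac.new(key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["sig"])


def legit_webauthn(key: bytes) -> bool:
    """User signs in on the real origin: the assertion verifies."""
    challenge = os.urandom(16).hex()
    assertion = browser_authenticator_sign(key, REAL_RP_ID, REAL_ORIGIN, challenge)
    return rp_verify(key, REAL_RP_ID, REAL_ORIGIN, challenge, assertion)


def relay_webauthn(key: bytes) -> bool:
    """Attacker relays the real challenge to the victim on a phishing page.
    The victim's browser only allows an RP ID matching the page's own domain,
    and records that page's origin, so the signed data names the attacker's
    site and the real service rejects it."""
    challenge = os.urandom(16).hex()                  # genuine challenge, relayed
    assertion = browser_authenticator_sign(key, PHISH_RP_ID, PHISH_ORIGIN, challenge)
    return rp_verify(key, REAL_RP_ID, REAL_ORIGIN, challenge, assertion)


if __name__ == "__main__":
    now = 1700000000
    print("TOTP relayed through phishing page accepted:", relay_totp(TOTP_SECRET, now))
    print("Origin-bound assertion on real site accepted:", legit_webauthn(AUTHENTICATOR_KEY))
    print("Origin-bound assertion relayed from phish accepted:", relay_webauthn(AUTHENTICATOR_KEY))
```

The point the model makes is that a one-time code is a bearer token with a short lifetime: whoever holds it for the next few seconds can use it, so a lookalike page that forwards it in real time wins. An origin-bound assertion cannot be forwarded, because the browser, not the user, decides which origin and RP ID go into the signed data, and the real service checks both against its own identity before checking the signature. Push-approval prompts sit in the same phishable category as TOTP for the same reason: the user's approval is not bound to the site the user is actually on.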

We stress that authenticating users to cloud-based corporate services with a password alone is inadequate for protecting sensitive data. We have therefore published a revised version of our MFA guidance, setting out the strengths and weaknesses of the different MFA implementations so that you can select the most robust type of MFA that is practical for your organization.

The new guidance illustrates the benefits of strong authentication while also addressing the user friction that some associate with MFA. A significant part of this is prompting for authentication, or for an additional factor, only when necessary. Because roles and ways of working differ within an organization, we suggest options that can improve the experience for every user.

For instance, the NCSC mandates the use of phishing-resistant MFA when I authenticate with our corporate single sign-on service. However, it’s a rare occurrence for me to be prompted for it since my managed devices act as strong phishing-resistant factors. As a result, authentication prompts are limited to new devices or if the system detects unusual activities related to my account or devices. This approach allows the NCSC to leverage MFA benefits without overwhelming users with excessive prompts that can lead to security fatigue.

Offering more options is beneficial, but it carries the risk that organizations inadvertently adopt weaker measures. We have therefore described the MFA anti-patterns we have encountered in recent years, so that you can recognize and avoid them. We have also included guidance for organizations that need to protect access to sensitive data, and recommended MFA types for protecting administrative privileges.


Simplifying Security Management

We expect authentication to remain a primary target for attackers for the foreseeable future. Security professionals must balance letting legitimate users in against keeping unauthorized users out. Modern approaches such as zero trust architectures help by allowing richer authorization decisions based on a variety of signals. The move toward single sign-on and stronger authentication methods, including some passwordless options, will also improve security.

Modernization brings complexity, however, and the resulting systems need ongoing adjustment as adversaries evolve. In this context, it makes sense to take advantage of cloud services by relying on providers that maintain rigorous standards.

In the immediate future, prioritize finding services that – by default – implement phishing-resistant MFA.

The online services that make phishing-resistant MFA easy to adopt today are likely to be the same ones that will ease the transition to even stronger authentication and authorization mechanisms later.

Andrew A
Cloud Security Research Lead

Article has been taken from ncsc.gov.uk: https://www.ncsc.gov.uk/blog-post/not-all-types-mfa-created-equal
