Companies worldwide are struggling to protect systems and data from incessant waves of cyberattacks, and there seems to be no end in sight. With the release of the FBI’s Internet Crime Report 2020, it is apparent that cybercriminals took advantage of the impact of the pandemic while many of us were distracted with trying to figure out our “new normal” and the technology we require to support it. The FBI reported over 790,000 complaints and losses exceeding $4.1 billion, a 69% increase since 2019.
The most common attacks were those leveraging email communications such as Business Email Compromise (BEC) and phishing attacks. Cybercriminals took advantage of citizens as we looked to our inboxes for unemployment information, stimulus payments, and other transactions requiring Personally Identifiable Information (PII). In conjunction, cybercriminals leveraged phishing schemes as well as other methods to execute ransomware attacks, which have also been on the rise.
While many security measures are being put in place, multi-factor authentication (MFA) solutions have been and continue to be a cybersecurity best practice for securing access, whether remote or on-premises, and for reducing or even preventing cyberattacks.
Over the years, MFA solutions have also evolved as cybercriminals have continued to become more sophisticated in their approaches. We’ve moved from basic challenge questions and answers alongside a password (although that’s not “true MFA”) to using multiple authentication methods, either in combination with a password or as a passwordless approach.
Some of the most common authentication methods used today to achieve MFA include hardware tokens and one-time passwords (OTPs) sent via email and/or text message to a mobile phone. Users are typically given a choice of a single method to use when logging in, based on their organization’s security policy and the applications and data they are looking to access.
However, what happens when our traditional MFA methods start to fail us?
In a recent article on vice.com, a hacker was able to leverage a business text messaging service and, for a mere $16, take over the victim’s phone number and intercept all of their SMS messages. These messages included those carrying OTPs for gaining access to secure accounts. With little effort, the hacker was able to access the victim’s Bumble, Postmates, and WhatsApp accounts, among others. There was no indication to the victim that the phone number had been hijacked.
On the other hand, both employees and customers can become sources of cyber risk to an organization when they resist, avoid, or refuse to adopt MFA methods. Circumventing authentication and using poor security practices can be a top threat to an organization. For example, according to Gartner, Inc. in their 2020 Authentication Market Guide, one of the most common authentication approaches, leveraging the user’s mobile phone, is actually impractical for up to 15% of employees and 50% of customers. In other words, it is not a feasible option for them. This is due to their work environment, lack of cell phone reception, or even an adverse reaction to using a personal device for business purposes.
So, it’s time to evolve your MFA approach and make sure it is capable of adapting to the future state of cyberattacks and the needs of your employees and customers.
Here are three recommendations for making sure your MFA strategy is ready for the future:
With the increase in cyberattacks and the evolution of cybercriminals’ tactics, your multi-factor authentication strategy needs to adapt. Traditional authentication methods, such as hardware tokens and phone-based OTPs, are starting to fail us: they are being attacked by cybercriminals and/or are unusable and disliked by employees and customers. You need to consider a modern MFA strategy that includes advanced authentication approaches, flexible options to give the user a sense of control, and the most secure and convenient authentication method: biometrics.