Why multi-factor authentication is worthwhile

Multi-factor, or two-factor, authentication (MFA, 2FA) has seen increasing adoption and public awareness. What is it? What benefits does it provide? Is it really worth all that hassle? And how can I justify the time spent implementing and maintaining a MFA solution?

In our context, authentication is about confirming a person's identity. This can be done by checking

1. something they know (e.g. a secret)
2. something they have (e.g. ID card)
3. something they are (e.g. fingerprint)

2FA is simply checking 2 of these "authentication factors", and MFA is a more general term where about checking 2 or more factors. The most common MFA system involves account login with a password and a code from a smartphone app.

Business email compromise is one of the most common and potentially damaging incidents we currently encounter. The majority of businesses use some form of online webmail - commonly Office 365. Most webmail posesses a dangerous trifecta making it particularly attractive to attackers:

1. easily accessible over the internet,
2. little technical skill required, and
3. potentially very lucrative.

Password security education is valuable, but it's very difficult (impossible?) to ensure that employees use strong passwords without reusing them, and keep them secret. "June2018" passes all Office365 password complexity requirements, and is very likely to be compromised by an attacker's automated script. Mike, the CFO, is savvy about password security and uses "dodgeMang83rove*viper". This is a very strong password, but it only takes one mistake for the account to be compromised:

• Mike logs into a friends computer that has been infected with malware;
• He used the same password for his personal Yahoo email, which was compromised and the password database cracked;
• He opened a legitimate-looking email from a colleague, and logged into a page that looked exactly the same as the Office365 portal.

Once Mike's account was compromised, a single email was intercepted and account details on the attached invoice modified, resulting in a large client payment directed to the attacker's account. Even with the most stringent password safety (difficult to enforce), it only took one mistake on the part of the employee.

MFA transforms business email from a potential "low hanging fruit" to a target requiring a persistent, talented, and targeted attacker. It is no longer sufficient for an attacker to know a password so phishing, brute-force and password reuse attacks must become part of a more sophisticated, concentrated attack rather than something that can be entirely automated. This single implementation makes a profound improvement to the average company's threat profile - arguably greater than any other single hardening configuration.

A basic MFA implementation currently requires little resource investment. Many platforms offer some form MFA "out of the box", and the ubiquitous smartphone is a viable "something they have" factor. Some effort is important during initial deployment of a MFA solution to educate users why this workflow change is important, and some pushback can be expected. However, research indicates^# that users quickly acclimatise, with the additional step becoming norm.

^#https://www.rand.org/pubs/technical_reports/TR937.html