The UK’s cyber watchdog says that companies need to be more mindful of how they handle their multi-factor authentication.
The National Cyber Security Centre (NCSC) said companies can no longer rely on MFA as a blanket solution to their network security woes. The problem, say experts, is that in many cases attackers are now able to intercept MFA keys much in the same way they did passwords.
“Attackers have realized that many of the same social engineering techniques that tricked us into handing over passwords can also be updated to overcome some methods of MFA,” the NCSC said.
“We have seen the success of attacks against MFA-protected accounts increasing over the past couple of years.”
As such, the NCSC said companies need to change the way they view MFA systems as a barrier against threat actors. Rather than just using MFA as a set-and-forget security measure, administrators should look at which level of authentication and which protocol are most practical for their organization.
If MFA options are being disregarded or dismissed as a hassle, users are far more likely to ignore the warning signs of scams or social engineering attacks by threat actors.
In short, MFA is only useful for securing networks if end users know how to properly authenticate and are able to use multi-factor for its intended purpose: a one-time code to verify that the person on the other end is who they say they are and needs legitimate access to the network.
As such, the NCSC says that it is updating its guidelines for enterprises to not only reflect the need for MFA, but to emphasize its proper use and the importance of selecting the right MFA solution for each company’s needs and requirements.
“The new guidance explains the benefits that come with strong authentication, while also minimising the friction that some users associate with MFA. Part of this involves only prompting for authentication or MFA when it makes a difference,” the NCSC explained.
“Most organizations will have people in different roles, different ways of working, all using different types of devices. So we include options to help things work better for everyone.”
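The idea of prompting for MFA only when it makes a difference is usually implemented as a small policy check that looks at the context of each request. The following is an added illustration written for this article, not code from the NCSC guidance or any particular product; the signal names, the list of sensitive actions and the freshness windows are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Tuple, List

@dataclass(frozen=True)
class SignInContext:
    """Signals available when a request is evaluated (hypothetical field names)."""
    device_trusted: bool            # device previously enrolled for this user
    known_network: bool             # request comes from a network the user has used before
    seconds_since_strong_auth: int  # age of the last successful MFA for this session/device
    action: str                     # e.g. "read_mail", "change_password", "approve_payment"

# Actions that always deserve a recently verified factor, however familiar the device.
# Constructed list; a real policy would be derived from the organisation's risk review.
SENSITIVE_ACTIONS = {"change_password", "add_mfa_method", "approve_payment", "export_data"}

# Constructed policy values: how long a strong authentication stays "fresh".
ROUTINE_MAX_AGE = 12 * 60 * 60   # 12 hours for routine work on a trusted device
SENSITIVE_MAX_AGE = 5 * 60       # 5 minutes before a sensitive action

def mfa_decision(ctx: SignInContext) -> Tuple[bool, str]:
    """Decide whether this request should trigger an MFA prompt.

    Returns (prompt, reason). The reason string is meant to be logged so that
    the security team can audit why users were or were not challenged.
    Rules are ordered from the strongest signal to the weakest.
    """
    if ctx.action in SENSITIVE_ACTIONS:
        # A sensitive action is re-challenged unless a factor was verified very recently.
        if ctx.seconds_since_strong_auth > SENSITIVE_MAX_AGE:
            return True, "sensitive action needs a recent factor"
        return False, "sensitive action, but a factor was verified moments ago"
    if not ctx.device_trusted:
        return True, "untrusted device"
    if not ctx.known_network:
        return True, "unfamiliar network"
    if ctx.seconds_since_strong_auth > ROUTINE_MAX_AGE:
        return True, "trusted device, but strong auth has expired"
    return False, "routine action from a trusted device on a known network"

def summarise(contexts: List[SignInContext]) -> Tuple[int, int]:
    """Count (prompted, not_prompted) over a batch of requests, e.g. to measure
    how much friction a policy change would add or remove before rolling it out."""
    prompted = sum(1 for c in contexts if mfa_decision(c)[0])
    return prompted, len(contexts) - prompted

if __name__ == "__main__":
    # Constructed sample requests for one user over a working day.
    day = [
        SignInContext(True, True, 60, "read_mail"),
        SignInContext(True, True, 3 * 3600, "read_mail"),
        SignInContext(True, True, 3 * 3600, "change_password"),
        SignInContext(True, False, 600, "read_mail"),
        SignInContext(False, True, 0, "read_mail"),
    ]
    for ctx in day:
        prompt, reason = mfa_decision(ctx)
        print(f"{ctx.action:16} prompt={prompt!s:5} reason={reason}")
    print("prompted / not prompted:", summarise(day))
```

The point of the structure is that the decision and its reason are returned together: logging the reason gives administrators the evidence to tune thresholds, and keeping sensitive actions first means the friction-reduction rules can never silence a challenge before a high-value change. Which factor is presented when a prompt is triggered (and whether it resists phishing) is a separate choice from when to prompt, and this check only covers the latter.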
While the NCSC may only operate in the UK, the guidance should be applicable to companies around the world. With phishing and ransomware attacks on the rise, identity management has become more critical than ever and ensuring that security protocols are being properly implemented should be a priority for all administrators.