Much is said about cybersecurity in 2023. Even with the increase in uptake of technologies like Multi-Factor Authentication, we’ve continued to see a number of cyberattacks targeting SMS-based and notification-based authentication codes to gain access to private systems and wreak havoc on organizations of all sizes. So what’s the state of the art of authentication in 2023, and how can companies protect themselves from MFA attacks?
The shortcomings of MFA
Multi-Factor Authentication, or MFA, is a well-known and widely used security mechanism that is typically deployed as a secondary verification after a correct username and password have been entered. It typically takes the form of a numeric code, sent either via SMS message or via push notifications. These codes are a very effective way to improve your security posture, but are far from the be-all and end-all solution to all your cybersecurity needs. Recently, both SMS-based and notification-based MFA systems have seen an increase in cyberattacks, which indicates that simply relying on additional verification codes after a username and password are entered is no longer enough to protect organizations from motivated and knowledgeable malicious actors. If you’re curious about the details, here’s how attackers have compromised SMS-based MFA and notification-based MFA.
Passwords are still your weakest link
One element of note across many of the cyberattacks involving MFA is that they typically also require compromising a password and some degree of social engineering. On the social engineering side, it’s a good idea to ensure your staff is adequately trained on security best practices and response procedures when they see something suspicious. When it comes to passwords, using a password manager can help, but the many inherent design flaws with password-based authentication still present risks. Aggravating factors to these risks include sharing passwords across multiple services, writing down passwords (digitally or physically), weak passwords that are easy to break, and the fact that a password compromise is hard to detect before malicious action is observed. If you’re still using passwords and would like to secure them, here are some best practices to consider.
Doing authentication right
So if passwords are weak, and MFA is being compromised more and more each day, how should organizations tackle the authentication problem? Well, based on what we’ve seen, the industry seems to be shifting towards zero trust and passwordless environments. These overarching concepts are expected to take some time to trickle down into viable products for the small and medium-sized business community. But here at Vivacity we believe in paving the way for equitable access to technology, which is why we’re working on a solution that can help your organization take its first steps in this direction today.
As a glimpse into what we’re doing, the Vivacity team is pulling a few tricks from our wireless network security playbook. In collaboration with several partners, we are piloting the use of digital certificates as a factor of authentication for a few key IT environments. Under the hood, this technology uses strong keys and asymmetric cryptography to allow authentication without exchanging any secret information over the network. Among other benefits, this makes it harder to intercept credentials or secrets by listening to network traffic, and it adds the convenience of selecting a certificate instead of entering a password when logging in.
Start your zero trust journey with us today
If you’d like to mitigate password protection risks on your Microsoft 365 tools (Office, Teams, SharePoint, OneDrive, etc.) and corporate network, we think we can help - please get in touch with us here! We’d love to learn more about your business and understand how we can support you in withstanding the evolving cyberthreat landscape of today.