Enterprise, IT management, Networking

Could MFA/SSO Increase Your Security Risk?

Jesse Miller, CISO, Stratosphere Networks
Jesse Miller, CISO, Stratosphere Networks

If you’re a hacker trying to break into someone’s account, the most obvious method involves guessing or stealing the password. That’s why stringent security requirements for passwords are so important and why cybercriminals focus so heavily on phishing campaigns meant to trick people into disclosing their login info. More than 80 percent of data breaches caused by hacking involve brute force or the use of stolen or lost credentials, according to Verizon’s 2020 Data Breach Investigations Report.

Password security has become more imperative than ever because of the pandemic-driven prevalence of work-from-home arrangements, as CISOs must secure remote access accounts. In addition to ensuring employees know best practices for setting strong passwords and leveraging spoof phishing software to train staff members to spot malicious messages, many businesses leverage multi-factor authentication (MFA) and single sign-on (SSO) solutions to avoid data breaches. However, these measures often aren’t as effective as they could be due to a lack of enforcement and auditing.

Putting MFA and SSO Into Practice: The Trouble With Inconsistent Implementation

MFA and SSO both help companies lower their odds of experiencing a data breach when utilized properly. MFA – which is also called two-factor authentication in some instances – adds an extra layer of protection by requiring at least one additional piece of information for verification in addition to your username and password. It can stop hackers wielding stolen credentials in their tracks: In 2019, Google released research showing that on-device prompts sent out to verify sign-in attempts stopped 100 percent of automated bots, 90 percent of targeted attacks, and 99 percent of bulk phishing attempts.

Meanwhile, SSO allows end users to access multiple accounts and apps with one set of credentials. Just about half (51 percent) of U.S. IT professionals and IT security practitioners report that they have difficulty managing their passwords, according to the 2019 State of Password Authentication Security Behaviors Report from the Ponemon Institute and Yubico. SSO addresses that issue while also lowering the odds that end users will get hacked because it decreases the number of credentials they use, as Citrix explains. However, simply stating requirements for MFA and SSO usage throughout your organization won’t necessarily be enough to decrease your data breach risk level. Companies that don’t take steps to make sure their team members actually put these solutions into practice can end up dealing with an inconsistent mess, with some end users enabling MFA and SSO for some apps and others remaining at risk. As a result, it’s vital to invest in auditing and enforcing the utilization of these security measures.

Auditing and Enforcing MFA and SSO Usage Across Your Organization

If you’d like to improve your organization’s governance of SSO and MFA usage, you’ll need a clear understanding of your current situation. Create a comparison matrix that includes all your line-of-business apps. Then list these options for the apps’ status:

  • No MFA available
  • MFA available but not enforced
  • MFA available and enforced, but no SSO
  • MFA available and enforced, using SSO

Check the appropriate box for each app. From there, you can prioritize the list according to the most critical and sensitive data systems and get to work.

Author Jesse Miller is chief information security officer at Stratosphere Networks. Read more from Stratosphere Networks here.