MFA adoption is catching up but is not quite there

While the adoption of multifactor authentication has picked up in the face of growing identity threats, it isn’t quite where it should be, according to Osterman Research.

The study, which surveyed a number of cybersecurity professionals from over a hundred US-based organizations, found that almost all (94.2%) respondents admitted they don’t protect “every employee and every app” with MFA, even as nearly eight in ten (79%) said they had been compromised by one or more types of identity attack in the last 12 months.

“We hoped to see organizations moving promptly to more secure MFA methods – in particular, stopping the use of MFA methods that can be phished, e.g., codes by SMS, email, and authenticator apps,” said Michael Sampson, principal analyst at Osterman Research. “There is a movement towards more secure MFA methods, but it is not as quick as is needed by what we see of identity attacks in general and against MFA in particular.”

A number of external and internal factors are making identity security more difficult, including IT complexity, the use of AI in attacks, greater adversary focus on credentials, employee risk, and a shortage of the required cybersecurity expertise, the study noted.

Identity threats are getting worse

Eighty-six percent of respondents said that cybercriminals are increasingly interested in stealing and abusing compromised credentials. This is especially noteworthy because less than five percent of organizations have full MFA covering all their employees and apps.

Sampson attributes the spike to how easy it has become for threat actors to obtain authorized access simply by acquiring compromised credentials for sensitive accounts. “It has proven easier for cybercriminals to compromise credentials to gain access to data, systems, and processes than to hack into the same data, systems, and processes,” he said. “Credentials compromised through a phishing attack, for example, give valid access to an unauthorized individual.”

Additionally, over four-fifths (83.3%) of respondents blamed growing IT complexity for hampering effective identity security at their organizations. Almost as many (78.6%) believe AI is playing a significant role in strengthening identity adversaries. Employee risk (73%) and the shortage of cybersecurity professionals (73%) were also cited as significant factors facilitating these attacks.

The study also revealed that most organizations (73%) lack the controls to detect and stop an identity attack in real time. Of this cohort, almost all say they can detect and stop an attack only once it has succeeded (46%) or some time after it has succeeded (27%).

Sampson pointed out that over-reliance on weaker forms of MFA could be contributing to this.

Why stronger MFA must be enforced

While other forms of identity security practices, including SSO, ZTA, IAM, PAM, RBAC, and JIT, are available for securing access and identities, MFA is being pushed by experts for its adaptive and multi-layered protection.

Many identity-based attacks can be prevented by using stronger forms of MFA that don’t rely on phishable codes, according to Sampson. “Stop relying on MFA methods that require a user to enter a code – whether received by SMS, email, or authenticator app,” he said. “Hardware keys based on the FIDO approach are the strongest option we have currently.”
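To make Sampson's distinction concrete, here is an added Python sketch (not code from the Osterman report or from any vendor) of the two relying-party checks side by side: a TOTP verifier, which can only compare digits and so accepts a code regardless of which page the user typed it into, beside a simplified WebAuthn assertion check that enforces origin and challenge binding. The origins, secrets and challenge are constructed, and HMAC-SHA256 stands in for the credential's real ECDSA signature.

```python
import base64
import hashlib
import hmac
import json
import struct

RP_ORIGIN = "https://login.example.com"   # constructed: the legitimate site
LOOKALIKE = "https://login-example.com"   # constructed: a lookalike origin

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: depends only on the shared secret and the time, never on the site."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def rp_verify_totp(secret: bytes, submitted: str, now: int) -> bool:
    """The RP can only compare digits, so a code typed into a lookalike page verifies too."""
    return hmac.compare_digest(submitted, totp(secret, now))

def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def authenticator_assert(key: bytes, challenge: bytes, origin: str) -> dict:
    """WebAuthn sketch: the browser writes the page origin into clientData and the
    authenticator signs it (HMAC-SHA256 stands in for the credential's ECDSA key)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64u(challenge),
                              "origin": origin}, sort_keys=True).encode()
    return {"clientData": client_data,
            "signature": hmac.new(key, client_data, hashlib.sha256).digest()}

def rp_verify_assertion(key: bytes, issued: bytes, assertion: dict) -> bool:
    """Origin and challenge binding: anything signed on another origin is rejected."""
    data = json.loads(assertion["clientData"])
    if data.get("type") != "webauthn.get" or data.get("challenge") != b64u(issued):
        return False
    if data.get("origin") != RP_ORIGIN:
        return False
    expected = hmac.new(key, assertion["clientData"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

def compare_methods(now: int = 59) -> dict:
    """A user who lands on the lookalike origin: which second factor still holds?"""
    otp_secret, cred_key = b"12345678901234567890", b"constructed-credential-key"
    challenge = b"\x01" * 32                      # constructed RP challenge
    lookalike = authenticator_assert(cred_key, challenge, LOOKALIKE)
    genuine = authenticator_assert(cred_key, challenge, RP_ORIGIN)
    return {"totp_relayed": rp_verify_totp(otp_secret, totp(otp_secret, now), now),
            "fido_lookalike": rp_verify_assertion(cred_key, challenge, lookalike),
            "fido_genuine": rp_verify_assertion(cred_key, challenge, genuine)}
```

The TOTP secret and time value are the RFC 6238 test vector, so the code can be checked against the published result; `compare_methods()` returns True for the relayed TOTP code, False for the assertion produced on the lookalike origin, and True only for the genuine one.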

The study found that organizations continue to rely to some degree on weaker forms of MFA, specifically those that use one-time codes (99.2%). This is despite 90% of organizations identifying six or more reasons as highly important for using MFA, led by reducing the likelihood of account takeover.

Due to its specific advantages and growing acceptance in the security industry, MFA is rapidly evolving from an optional security measure into a compliance requirement. Major global IT companies, such as Microsoft, Google, AWS, Apple, and Salesforce, have already mandated, or are in the process of mandating, MFA for all users.