MFA adoption is growing but is not there yet

While adoption of multifactor authentication has increased in the face of growing identity threats, it’s not where it should be, according to Osterman Research.

The study, which surveyed dozens of cyber security professionals from more than 100 US-based organizations, found that almost all (94.2%) respondents agreed that they do not protect “all employees and all applications” with MFA, even as eight (79%) in ten of them said they were vulnerable to one or more types of identity attacks in the past 12 months.

“We were hoping to see organizations move quickly to more secure MFA methods – specifically, stopping the use of MFA methods that can be spoofed, e.g., SMS codes, email, and authentication apps,” said Michael Sampson, principal analyst at Osterman Research. “There is movement toward more secure methods of MFA, but it’s not as fast as what we’re seeing with identity attacks in general and against MFA in particular.”

A score of external and internal factors make identity security more difficult, including IT complexity, the use of AI in attacks, an increasingly conflicting focus on data, personnel vulnerability, and a lack of necessary cybersecurity expertise, the study noted.

Identity threats are getting worse

Eighty-six percent of respondents said that cybercriminals are increasingly interested in stealing and misusing vulnerable information. This is particularly noteworthy because fewer than five percent of organizations have full MFA coverage across all of their employees and applications.

Sampson believes the spike has to do with how easy it is for threat actors to steal authorized access by picking up vulnerable information from sensitive accounts. “It has proven easier for hackers to compromise credentials to gain access to data, systems, and processes than to hack the same data, systems, and processes,” he said. “Information compromised through a phishing attack, for example, provides legitimate access to an unauthorized person.”

Additionally, more than four-fifths (83.3%) of respondents blamed increasing IT complexity for the failure to secure identities effectively in their organizations. Almost an equal number (78.6%) believe that AI plays an important role in strengthening identity adversaries. Major concerns were also noted about the vulnerability of employees (73%) and the lack of cyber security experts (73%) as factors in these attacks.

The survey also revealed that most organizations (73%) do not have controls in place to detect and stop identity attacks in real time. Of this group of organizations, almost all say they can detect and stop an attack as soon as it succeeds (46%) or at some point after it succeeds (27%).

Sampson pointed out that over-reliance on weak forms of MFA could contribute to this.

Why should dynamic MFA be used?

While other types of proprietary security mechanisms, including SSO, ZTA, IAM, PAM, RBAC, and JIT, are available to determine access and identity, MFA is pushed by experts for its flexible and multi-layered protection.

Many identity-based attacks can be protected against by using strong forms of MFA that don’t rely on phishable codes, according to Sampson. “Stop relying on MFA methods that require the user to enter a code, whether it’s received via SMS, email, or an authentication app,” he said. “Hardware keys based on the FIDO method are the most powerful method we currently have.”

The study found that organizations continue to have some degree of reliance on weak forms of MFA, particularly those that use one-time codes (99.2%). This is despite the fact that 90% of organizations identify six or more reasons as the most important for using MFA, led by reducing the likelihood of account takeovers.

Due to its specific benefits and growing acceptance in the security industry, Multi-Factor Authentication (MFA) is rapidly changing from an optional security measure to a compliance requirement. Major global IT companies, such as Microsoft, Google, AWS, Apple, and Salesforce, have already implemented or are in the process of mandating MFA for all users.

