• United States



In an Increasingly Dangerous Cyberspace, MFA Is Not Optional

Oct 18, 20224 mins
Data and Information Security

In today’s cybersecurity environment, relying on username and password authentication doesn’t provide meaningful protection when attackers can buy stolen credentials and simply log into networks rather than hacking their way in. That’s where multifactor authentication (MFA) comes in.

istock 1404141914
Credit: iStock

Many of the most prominent cybersecurity incidents have resulted from attackers using stolen credentials (username and password) to gain access to networks. In an all-too-familiar pattern, last year’s Colonial Pipeline ransomware attack, which crippled the delivery of fuel supplies to the Southeastern U.S. for days, began with attackers using a stolen password to gain access to a legacy VPN system.

Clearly, organizations need to change the way they think about credentials used for access to data and network assets. That was underscored by a recent joint alert from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the cybersecurity watchdogs of several other countries, which pointed to the role that weak security controls play in breaches and the need to harden credentials (among other recommendations).

In today’s cybersecurity environment, relying on username and password authentication doesn’t provide meaningful protection when attackers can buy stolen credentials and simply log into networks rather than hacking their way in. According to the latest Verizon DBIR, more than 40% of breaches involve the use of stolen credentials. And by one estimate, from 2020–2022, the number of stolen and breached passwords available on the dark web jumped from 15 billion to 24 billion.

Password databases are a prime target for theft and readily available online, making now the time to reconsider what good password hygiene looks like. For instance, some common “best practices” for passwords, like changing them frequently, could encourage bad user behavior. Users often reuse passwords but change a single digit, making them easy to crack if an attacker has access to older passwords.

Today, good password hygiene starts by providing users with password managers to create and use unique and complex passwords for every account. But even that may not be enough. Once an attacker gains access to a password — either through the dark web or via social engineering (such as phishing) — it’s game over without additional verification.

That’s where multifactor authentication (MFA) comes in. It can stop many attackers in their tracks even if they gain access to a credential. With MFA, users are still required to provide a password along with additional verification of their identity — by responding to a message on an approved mobile device with a hardware key or with a biometric, like a fingerprint — before they are granted access to networks or resources. This added step significantly increases the degree of difficulty for attackers and greatly reduces the likelihood that a compromised credential alone will enable an attack.

So, what’s holding companies back from adopting MFA (and why should they get over it)? There are a few reasons:

  • Perceived friction for users: Organizations worry that users will find MFA too difficult to use or that it will negatively impact productivity. The reality is that there are a number of ways to implement MFA. Most require just seconds to authenticate and, when coupled with single sign on (SSO) services, don’t require users to authenticate often. Hardware tokens can add some degree of friction, but there are alternatives that provide the same level of protection.
  • Perceived cost: Most software-based MFA solutions cost a few dollars per user per month, which can add up across a larger user base. However, these costs pale in comparison to the financial consequences of a major cybersecurity incident. Ransoms can run into the millions of dollars for larger organizations and even smaller ransoms can cause irreparable harm to small- to medium-sized businesses(SMBs). Companies also risk substantial fines and penalties if they are found to have poor cybersecurity practices. There is also the real cost that comes from disrupted business operations, whether an immediate hit on profitability or the reputational damage and loss of potential business.
  • Perceived complexity: Some organizations think implementing MFA is too complex. Again, there is more than one way to implement MFA, and some are easier than others. But security organizations, including CISA and the Federal Trade Commission, now consider MFA to be a basic security measurefor SMBs.

It’s increasingly clear that MFA isn’t optional. Verizon’s DBIR recommends MFA as the first step SMBs should take to protect themselves against cyberattacks. CISA, in its recent alert, suggests the same for all organizations. Many insurance carriers now require companies to implement MFA in order to get cyber insurance. And even as passwordless solutions start to gain traction, passwords aren’t going anywhere anytime soon. If your vendors or service providers don’t offer MFA, lobby them to start now. MFA provides the added protection that could stand between your organization and a crippling breach.

If you’d like more information about how MFA can help keep your business secure, visit.