The Director of the Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, is traveling across the country as part of Cybersecurity Awareness Month. She has been promoting cybersecurity best practices, explaining the steps people can take to stay safe on the web, and emphasizing the value of using multi-factor authentication (MFA) on bank accounts, email accounts, social media accounts, and other accounts where sensitive data is used.
When multi-factor authentication is activated, a username and password are not enough to access an account. An additional factor must be provided before access is granted. This security step is essential because passwords can be guessed or compromised, and phishing and brute force attacks are increasing. Even though MFA is a critical security option that can stop unauthorized access to accounts, many companies still have not adopted it. A lot of vendors give consumers the option to use multi-factor authentication instead of making it the standard method. Easterly is convinced that vendors ought to prod consumers to set up multi-factor authentication on their accounts.
Easterly recommends that vendors look at the auto industry campaigns of the 20th century that urged drivers to use seatbelts, and employ the same strategies to boost the use of MFA. Vendors ought likewise to integrate MFA into their solutions at the creation phase, instead of making MFA an after-purchase add-on, and make sure that they give their users a comprehensive MFA option. She additionally recommends that vendors release MFA uptake figures, specifically for high-privilege accounts.
Easterly also revealed that one top-rated vendor has said that only about 1/4 of its enterprise clients have used multi-factor authentication and, sadly, only 1/3 of system administrators have enabled MFA on their accounts.
Easterly mentioned that any type of multi-factor authentication is much better than no multi-factor authentication; nevertheless, not all types of MFA offer the same level of safety, and some types of MFA aren’t resistant to phishing attacks. Recent phishing campaigns have been able to bypass traditional types of MFA such as push notifications, one-time codes sent to mobile phones, and authenticator applications. Attacks that can bypass classic MFA defenses will likely increase.
Thankfully, there are alternative types of MFA that offer much better protection. A group of organizations created the FIDO Alliance to make a phishing-resistant type of MFA. They have baked FIDO standards into the operating systems, browsers, cell phones, and tablets that you currently own, and FIDO is supported by many online services. Big and small organizations are beginning pilots and even finishing their rollouts to all employees.
Easterly states that FIDO MFA is the best, and the only widely available, phishing-resistant authentication. She urges all CEOs to make sure that their organizations will use FIDO authentication in their MFA implementation.