Best Practices for Multi-Factor Authentication (MFA)

Ray Gasnick III
August 3, 2023

With bad actors finding new ways to target businesses and their employees, taking steps to secure systems can help reduce the likelihood of a breach or attack at your organization.

Many SMBs may think their organization is too small to be considered a target by cybercriminals. Yet 43% of breaches occur in companies with 250 employees or fewer.

One method to protect user accounts and data is multi-factor authentication (MFA), which serves as a safety net if a password is compromised.

However, according to Zippia, only 13% of staff members at SMBs are mandated to use MFA at their organizations. On the other hand, 87% of staff members from larger companies (10,000+ employees) must use MFA for their work accounts.

Keep reading to learn more about MFA, examples of related attacks, and how this simple practice can safeguard important information and prevent cyber incidents.

What is multi-factor authentication?

In order to learn how multi-factor authentication works, it’s helpful to understand authentication at its core.

Authentication verifies the identity of a user, whether entering a PIN at an ATM or confirming a birth date at the doctor’s office. There are three categories of authentication that you may encounter in your daily life:

  • Something you know – items that you memorize or remember, like a password, passphrase, or PIN
  • Something you have – a separate item in your possession, like an RSA token, authenticator app, or YubiKey
  • Something you are – something related to only you as a person, like a fingerprint, retinal scan, or facial recognition

Multi-factor authentication takes this process a step further by requiring users to verify their identity in more than one way before they can access an account or system. The strongest forms of MFA combine factors from two different categories, such as entering your passphrase (something you know) and a code from an authenticator app (something you have).

For instance, if someone were to guess or steal your password, they would need to bypass your chosen MFA method to breach your account. MFA provides an additional, critical layer of protection, making it more difficult for bad actors to access systems.

It’s important to remember that MFA is not an excuse to create bad passwords.

Users should employ MFA in conjunction with strong passwords to create a multi-layered security approach. With this strategy, you can remain confident that the people logging into your business systems are the correct users who should be logging in.

How does MFA protect user accounts?

Already, we’ve discussed how MFA provides additional fortification regarding user account security. But how does this protection manifest itself in a real cyber attack scenario?

Let’s consider a real-world example to understand how MFA provides a supplemental level of security.

Our security team conducted a penetration test engagement to assess an organization’s security measures, demonstrate paths to access, and illustrate how a bad actor could exploit vulnerabilities.

During this test, we were able to identify and confirm a valid user with a weak password within at least one of the organization’s information systems. Once we had that credential, we attempted to log into all systems the user could access.

Yet, because MFA was applied to all systems, we could not progress further into the environment.

This penetration test serves as a true emulation of an actual attack. If a bad actor had guessed the weak password through something like password spraying, they would use it to try to log into other accounts in the same manner that we did.

If MFA had not been present on any one of those systems, the attacker could have gained access, and that system would have been the point of initial access. From there, the attacker could move laterally and eventually escalate privileges until they reached other information systems, potentially including high-value targets.

How do strong passwords relate to MFA?

Our penetration test engagement exemplifies two crucial points: the significance of utilizing strong passwords and the criticality of MFA.

A 2021 study by LastPass noted that over 80% of data breaches are connected to passwords that are poorly constructed, stolen, or reused across different accounts. Consequently, creating strong passwords is a key step you can take to prevent cyber incidents and safeguard your data.

What is a weak password?

Weak passwords are easy to guess and exploit. Often they are built from dictionary words, such as the current season, plus the year and a special character like an exclamation point. If created for a business account, they may also include the organization’s name or abbreviation.

It’s important to note that weak passwords can still meet organizational password policies. Though they may match requirements in terms of length and number of special characters, they can still be poorly constructed and easily guessed by attackers.

For instance, “GoogleSummer2023!” is an example of a poorly constructed password. Although the password is 17 characters long and includes capitalization, numbers, and a special character, it is incredibly easy to guess.

Creating an organizational password policy does not guarantee users will have strong passwords.

Education is critical to ensuring your team members construct secure passwords and passphrases. Their credentials should align with your organizational password policy, maintain memorability for the user, and remain difficult for attackers to guess.

We’ll discuss how to create a strong password in more detail later.

How do you implement MFA correctly at an organizational level?

Zippia shares that 62% of SMBs don’t use MFA in their organizations. As a result, one poorly constructed password may be the only item standing between an attacker and your company data.

MFA should be consistently implemented across organizations and applied to any publicly accessible system.

Uniformity is key; MFA shouldn’t be applied to some accounts and not others, or to some users and not others. It only takes one system without MFA for an attacker to gain access.

Like passwords, MFA can be targeted by attackers. However, it still remains important to enable this extra layer of security on your accounts.

Let’s explore these attacks in more detail so you can remain vigilant.

What is an MFA spamming attack?

MFA spamming attacks, or MFA fatigue attacks, are one way that bad actors have bypassed methods of MFA.

They occur when attackers compromise a password and generate MFA prompts over and over again, such as a push notification. The prompts continue to pile up until the frustrated user accepts the request to make them stop.

In 2022, an MFA fatigue attack contributed to the Uber breach. In this situation, a contractor’s credentials were compromised by malware or phishing. The attacker then bought the credentials from the individual who initiated the attack.

Once the attacker accessed the VPN, they obtained additional logins via push notifications. Hoping an employee would grant additional access, they repeatedly sent MFA requests until the frustrated user accepted the prompt.

From there, the hacker continued to infiltrate Uber’s systems, gaining more and more access until they got everything they needed (called gaining the keys to the kingdom).

MFA spamming attacks are one reason why we recommend utilizing a more manual form of MFA. Viewing a code on an authenticator app and typing it into your platform is more secure and reduces the risks associated with push-based MFA.

In addition to user frustration playing a role in MFA fatigue attacks, complacency can be a contributing factor as well. If a user becomes accustomed to completing the motions of MFA-based logins, they may accidentally approve a login that isn’t theirs due to muscle memory.

Complacency could be a reason to avoid implementing MFA where it’s unnecessary at your organization, which we’ll discuss in more detail later. If users employ MFA too often, an anomalous login or suspicious activity may not trigger red flags. As a result, this could allow hackers to gain initial access.
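The flurry of prompts described above leaves a clear trace in identity-provider logs. As an added detection example (not code from the article), the script below replays constructed MFA push events and flags any user who receives several prompts inside a short window and then approves one; the log format, event names and thresholds are assumptions to adapt to your own IdP export.

```python
# Added example (not the article's code): detect MFA-fatigue / push-spamming
# patterns. Event format is constructed; map fields to your IdP's export.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "<UTC time> <user> <event> <source ip>"
SAMPLE_LOG = """\
2023-08-03T02:14:05Z alice mfa_push_sent 203.0.113.9
2023-08-03T02:14:06Z alice mfa_push_denied 203.0.113.9
2023-08-03T02:14:40Z alice mfa_push_sent 203.0.113.9
2023-08-03T02:15:12Z alice mfa_push_sent 203.0.113.9
2023-08-03T02:15:50Z alice mfa_push_sent 203.0.113.9
2023-08-03T02:16:01Z alice mfa_push_sent 203.0.113.9
2023-08-03T02:16:20Z alice mfa_push_approved 203.0.113.9
2023-08-03T09:01:00Z bob mfa_push_sent 198.51.100.4
2023-08-03T09:01:09Z bob mfa_push_approved 198.51.100.4
"""

def parse(log_text):
    """Parse the constructed format into (time, user, event, ip) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, user, event, ip = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return sorted(events)

def detect_fatigue(events, window=timedelta(minutes=5), threshold=3):
    """Flag users who receive >= threshold push prompts inside `window`.
    Returns {user: {"prompts": n, "approved": bool, "ips": set}}. approved=True after
    a flurry is the fatigue signature; approved=False still means someone holds the password."""
    recent = defaultdict(deque)  # user -> prompt timestamps still inside the window
    alerts = {}
    for ts, user, event, ip in events:
        if event == "mfa_push_sent":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:  # drop prompts older than the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(user, {"prompts": 0, "approved": False, "ips": set()})
                a["prompts"] = max(a["prompts"], len(q))
                a["ips"].add(ip)
        elif event == "mfa_push_approved" and user in alerts:
            if ts - recent[user][-1] <= window:  # approval right on the heels of the flurry
                alerts[user]["approved"] = True
    return alerts
```

Running `detect_fatigue(parse(SAMPLE_LOG))` flags alice (five prompts, then an approval) and leaves bob's single prompt-and-approve alone, which is the normal login the page contrasts it with.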


How do password spraying and password stuffing connect to MFA?

Password spraying and password stuffing (more commonly called credential stuffing) are two other types of authentication-related cyber attacks.

Password spraying is an attack method used to gain valid credentials for exploitation. With these attacks, the bad actor begins by choosing a target organization and scraping the internet for anyone associated with that company. They may use Facebook, LinkedIn, articles, blog posts, and other sources that cite employee names and related business information.

From there, they compile a list of these names and create a list of common words typically found in passwords, like seasons, months, and years.

Additionally, they add concepts and phrases relevant to the target organization, like the company name or abbreviations.

Next, they iterate through these lists using different combinations of words and character substitutions. Hackers will continue to test these combinations until they find valid credentials.

If MFA is enabled, password spraying may not grant initial access on its own. However, attackers can reuse the discovered credentials against other accounts, as in password stuffing.

Password stuffing attacks occur when bad actors take valid credentials, find another system, and try to log in with those credentials.

Consider this example. Let’s say a user has an Office 365 account and a Dropbox account (not using Microsoft single sign-on) and uses the same passwords in both of those systems to make it easier to remember.

If an attacker sprays against Office 365 and finds valid credentials, but cannot access the system because of MFA, they can then take those credentials and attempt to log into Dropbox. If Dropbox doesn’t have MFA enabled, the attacker can gain access to the system.

To prevent attacks like this, enable MFA consistently across all public-facing organizational systems. In this scenario, the attacker never sprayed the Dropbox account itself; they logged in because the weak password guessed for the Office 365 account had been reused on Dropbox.

How can you take a balanced approach when it comes to MFA?

In general, any MFA is better than no MFA at all.

However, users have become frustrated by methods of MFA because of the disruption to their daily workflows. According to SANS, 38% of respondents believe that MFA is frustrating. Another study by Beyond Identity revealed that MFA can affect online purchases, causing almost half of respondents to leave their online purchases behind and impeding their ability to submit payments.

How can you mitigate user frustrations while ensuring security?

We recommend understanding what you’re defending against and selecting reasonable methods and execution.

For instance, if you work in an office and apply an MFA prompt every single time someone needs to unlock their computer, it may not be a sensible approach. In this scenario, an employee would need to enter their MFA code each time they stepped away for a few minutes.

In this case, prompting for MFA every single time isn’t defending against the most critical threats. It is simply checking a box and making daily work more frustrating for the user because of the short lock timeout.

On the other hand, if the user was working in hostile territory—any location that isn’t the office or their usual workplace—it might make sense to enable an MFA prompt every time they tried to log in to their computer. This level of protection is more reasonable given the circumstances because it would be more difficult for unauthorized users to access their information.

Proper MFA implementation means balancing the threats you’re defending against with the required level of MFA. By taking a balanced approach, you can reduce users’ frustrations while still maintaining high levels of security.

MFA Best Practices

Building user awareness of MFA methods, and of the attack scenarios that abuse them, is crucial to keeping your team informed.

Here are some steps you can take to strengthen MFA practices at your business.

Always create strong passwords

Educate your team about proper password construction to keep everyone aligned; password-guessing attacks are very common.

Good password construction will avoid common dictionary words (even those with complexity) and favor length. The ideal password is a passphrase with minimal added character family complexity. You can even turn your passphrase into a passparagraph.

Standard English sentences that begin with a capital letter, use spaces and punctuation, and are meaningful enough to remember are among the strongest passwords that can be created.
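As an added example (not from the article), the checker below goes beyond a length-and-complexity policy and flags the patterns described here and in the weak-password section: season or month names, years, the organization’s name and the word+number+symbol shape, so “GoogleSummer2023!” passes the policy but is rated weak while a plain sentence is accepted. The wordlists, the policy thresholds and the org term “Google” are assumptions to replace with your own.

```python
# Added example (not the article's code): flag passwords that satisfy a
# complexity policy yet follow the predictable patterns the article describes.
# Wordlists and the org term "Google" are constructed; extend them for your tenant.
import re

SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
COMMON_WORDS = {"password", "welcome", "admin", "letmein", "qwerty", "login"}

def meets_policy(pw, min_len=12):
    """A typical policy: minimum length plus three of four character classes."""
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    return len(pw) >= min_len and classes >= 3

def tokens(pw):
    """Split on case and class boundaries: 'GoogleSummer2023!' -> ['google', 'summer', '2023', '!']."""
    return [t.lower() for t in re.findall(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])|\d+|[^\w\s]+", pw)]

def weakness_reasons(pw, org_terms):
    """Return why a policy-compliant password is still guessable (empty list if no pattern hit)."""
    toks = tokens(pw)
    words = [t for t in toks if t.isalpha()]
    reasons = []
    if any(w in SEASONS or w in MONTHS for w in words):
        reasons.append("season/month")
    if any(t.isdigit() and len(t) == 4 and 1950 <= int(t) <= 2099 for t in toks):
        reasons.append("year")
    if any(w in org_terms for w in words):
        reasons.append("organization name")
    if any(w in COMMON_WORDS for w in words):
        reasons.append("common password word")
    # The shape the article warns about: one or two words, digits, trailing symbol, no spaces
    if len(words) <= 2 and " " not in pw and toks and not toks[-1].isalnum():
        reasons.append("word+number+symbol shape")
    return reasons

def assess(pw, org_terms=()):
    """Verdict: 'fails policy', 'weak' (compliant but guessable, with reasons), or 'acceptable'."""
    if not meets_policy(pw):
        return "fails policy", []
    reasons = weakness_reasons(pw, {t.lower() for t in org_terms})
    return ("weak", reasons) if reasons else ("acceptable", [])

if __name__ == "__main__":
    for pw in ("GoogleSummer2023!", "My cat knocked the router off the shelf twice."):
        print(repr(pw), "->", assess(pw, ["Google"]))
```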

Strong passwords should be used together with MFA to ensure user accounts have the most comprehensive levels of protection.

Apply MFA consistently across your organization

As we demonstrated in the penetration test example, one system without MFA is enough to cause a breach.

Ensure you consistently use MFA across every publicly accessible system at your organization to lower the risk of attackers gaining access.

Create a balanced approach with your MFA strategy

To reduce complacency in your organization, achieve a balance between the threats you’re defending against and the level of required MFA.

Understand when and where MFA needs to be enabled.

Encourage your team to stay alert

Some cyber attacks that manipulate MFA occur because users aren’t paying attention or have become complacent.

Help your team stay alert and on guard. If they receive an MFA prompt they didn’t ask for, they should trigger their incident response process and have their IT and Security teams take proper response actions.

Maintaining Your MFA Strategy

As threats evolve, make sure you revisit and update your MFA strategy accordingly.

Push-based MFA was long considered a secure form of MFA, but MFA fatigue attacks like the one in the Uber breach have shown that it may not be as effective as we think.

Ensure MFA is enabled across your business and that your users stay vigilant and take action on suspicious activity.


Meet Ray Gasnick III

Ray has been part of Miles IT for 20+ years, holding roles from IT Consultant to his current position as the Director of Compliance and Risk Management. He works with internal security teams and clients to develop, implement, document, & strengthen control activities to meet regulatory/B2B imposed necessities. Ray also develops many of Miles IT’s security & compliance services.
