How Choosing Authentication Is a Business-Critical Decision

MFA may go a long way in improving password security, but it's not foolproof.

Kevin Reed, CISO, Acronis

September 20, 2023

4 Min Read
Thumbprints on a digital background
Source: Skorzewiak via Alamy Stock Photo

The COVID-19 pandemic prompted organizations to operate remotely, and many of them do not intend to return to the office. While remote work has its benefits, it also yields increased risk and an expanded attack surface. Ubiquitous remote access technologies and cloud usage growth are the top contributors to the elevated risk of credential theft.

Malicious actors steal usernames and passwords through credential theft.

Once cybercriminals get their hands on a business's corporate credentials, they can wreak havoc on clients' networks and steal mission-critical and sensitive data — including customer information. With threat actors appearing to be legitimate users, these security breaches may go completely undetected. Managed service providers (MSPs) face similar threats that can easily be neglected when onboarding employees with little experience in safeguarding login credentials. Whether stolen via social engineering, hacking, credential stuffing, or brute force attack, MSPs must prioritize these risks and provide end-users with the proper tools to minimize threats.

Lock Down Access

According to the Cybersecurity Infrastructure and Security Agency, multifactor authentication (MFA) is a layered approach to securing data and applications. Authentication systems require users to present a combination of two or more different credentials, called authentication factors, to verify their identity for login, making it harder to access without authorization. Even if one of these authentication factors is compromised, the offender can't access the targeted device, network, or database.

Security professionals commonly distinguish three authentication factors: knowledge, possession, and inherent. Knowledge factors are secrets — like passwords — known to users. Possession factors are often implemented as hardware keys and security tokens, but also could be smart cards or wireless tokens. Inherent factors are those associated with users' physical features, like fingerprints, or face and voice recognition. MSPs must decide what strategy is best for their clients.

Many experts believe MFA is the one true method for locking down IT systems from cybercriminals. An MSP's reputation as a cybersecurity professional is one of the most critical assets. No matter the size of your business, protecting IT systems is the top priority. Ensuring your company has a strong reputation in safeguarding assets helps attract new customers, grow sales with existing clients, and establish a bond and trust that enhances your brand.

Time-based one-time passwords (TOTP) as a second factor in addition to passwords is the most popular solution to lock down access for staff and customers. Interoperability enables MSPs to easily support customers with a single technological solution, improving credential security for organizations.

A Better Choice?

Despite being the widest in market penetration and least expensive to start with, TOTP has its disadvantages.

First, TOTPs are not fully secure against phishing. Traditionally, phishing sites collected usernames and passwords. Even if attackers try to obtain the TOTP codes, such codes are only valid for a short period of time to protect users. More recently, these attacks have become interactive, with victims being automatically relayed to a legitimate site in real-time when they enter their credentials to a phishing site. The proliferation of ready-made tools, like Evilginx, makes these attacks available to low-skilled script hackers.

A better solution is FIDO2 authentication. FIDO2 consists of two components: WebAuthn, a Web API standard by W3C, and Client to Authenticator Protocol (CTAP). Also, FIDO2 allows for multiple user flows and can be implemented as a second factor in addition to a password or as a single factor with username discovery with or without PIN protection.

FIDO2 is widely supported by popular browsers and operating systems, providing ultimate protection against phishing, and offering varying security levels depending on customers' and MSPs' needs.

Choosing the Right Solution

Cyberattacks create a domino effect on MSPs' businesses. The damage can be far and wide, from loss of reputation to putting yourself or your clients out of business. Cybersecurity recovery costs range between $15,000 to $25,000, not including restoration and legal expenses, along with declined trust from customers and prospects.

Multifactor authentication is inexpensive, secure, and easy to use. For customers wanting a quick start with wide adoption among the existing applications, TOTP is the best option. However, for customers looking to invest more time in testing and receive ultimate protection from phishing, passwordless FIDO2 version and passkeys are the better option. Furthermore, for customers requiring two-factor authentication (2FA), and who can afford hardware costs, having FIDO2 hardware keys as the second factor is the ideal solution.

While MFA goes a long way in improving password security, it's not foolproof. With 34% of employees admitting to sharing passwords with their co-workers, it's important to promote strong cyber hygiene and offer training to educate clients and employees on the potential dangers lurking behind the screen.

About the Author(s)

Kevin Reed

CISO, Acronis

In his 20+ years in cybersecurity, Kevin Reed has been protecting various organizations from cyber threats. Some of his experiences include implementing cryptographic protection for the third largest bank in Europe, building from the scratch security organization for a Nasdaq-traded search engine company, leading technology operations and running IT infrastructure for one of the largest e-commerce sites in Southeast Asia. Now CISO of Acronis, Kevin is in charge of defining company security strategy, developing cutting-edge security solutions and leads the company's Cyber Protection Operation Centres (CPOCs) worldwide.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights