What We Learned About MFA at Our Latest Cybersecurity Event
Hey there, cyber warriors!
At our latest cybersecurity event, Infosecurity Europe 2024, we decided to dig into the nitty-gritty of Multi-Factor Authentication (MFA). We wanted to know how folks are using it, what technologies they are using, and what headaches they are facing. We have got some cool insights to share with you, so let us dive right in!
MFA is Everywhere!
First off, a resounding 88% of organizations are using MFA (whether it be for a few or all users). However, after talking to respondents, it became clear that current MFA deployments often follow industry norms rather than a deep conviction in their preventive abilities.
This aligns with our 2023 market research, which revealed that 95% of UK businesses had adopted MFA, yet only 40% did so because it was deemed the most secure solution. Most were not confident in MFA’s capacity to stop account takeover (ATO) incidents. This discrepancy indicates that compliance is often prioritized over robust security. Furthermore, 56% of the respondents reported that they had experienced a breach despite wide adoption.
We believe the issues here are twofold. On the one hand, there is a false sense of security with first-generation MFA technologies (such as PUSH, QR, OTP, and SMS). On the other hand, some have little to no confidence in the technology, having been breached even with first-generation MFA in place. As a result, MFA is often deployed more as a box-ticking exercise, and the market lacks confidence.
Fortunately, newer technologies exist, such as passwordless, same-device MFA and decentralized authentication systems like AuthN by IDEE. They address ATO vulnerabilities with three key capabilities: same-device MFA, binding user identity to the device, and implementing transitive trust. This approach transforms the attack vector from infinite to finite, strengthening security and simplifying user authentication.
Despite the availability of solutions that can prevent all credential phishing and password-based attacks (which account for 98% of breaches), the industry often relies on outdated paradigms. Passwords are increasingly inadequate because of their vulnerabilities, and first-generation MFA systems struggle to defend against sophisticated attacks such as phishing and credential stuffing.
This 'business as usual' approach to adoption reflects a longstanding trend in the cybersecurity industry, where established practices often lag behind evolving threats. Despite the emergence of advanced threats, many organizations continue to rely on traditional security measures that are increasingly vulnerable.
Moreover, the risks associated with data breaches and cybersecurity incidents are substantial. A breach can result in financial losses due to remediation costs, legal liabilities, regulatory fines, and reputational damage. The financial impact of a breach can far exceed the costs associated with upgrading cybersecurity defenses. As cyber threats continue to evolve and grow in sophistication, maintaining the status quo becomes increasingly risky.
This is why it is crucial for the industry to embrace these innovations and move away from traditional, vulnerable methods. By doing so, organizations can significantly reduce the risk of ATO incidents and improve overall cybersecurity resilience.
Who’s Using MFA?
- Everyone but not everywhere: 77% of you are going all-in and using MFA for everyone in your company, though not across all systems. This inconsistency can create security gaps that could be exploited. You are only ever as secure as your weakest link. There is no such thing as ‘good enough’!
- Some People: About 12% of you are easing into it, applying MFA to select folks. Gradual rollouts might leave parts of your organization vulnerable during this transition period. Again, bad actors are looking to exploit any vulnerability and will target the gaps.
- Not Sure: The remaining 11% are not quite sure who is covered. If that is you, it might be time to do a quick audit, as unclear coverage can lead to unmanaged security risks. You can only improve on what you can benchmark. If you need help with this, please make use of our IAM Security Risk Tool which will provide you with a good idea of where you are now, where you need to be and how to get there! If you’re on a flying visit and just want a quick overview of a typical deployment, we outline the most common deployments and their risks here.
The Struggle to Deploy MFA is Real
And why are companies not deploying MFA to every user on every system? Well, we heard you loud and clear. Here are the main reasons why:
- It is a Pain to Deploy: Setting up MFA can feel like navigating a maze in the dark.
- Deployment Takes Too Much Time: IT teams are time poor, and another lengthy deployment project is simply not viable.
- Costs Too Much: We know budgets can be tight, and MFA solutions can get pricey, especially when it involves having to invest in additional smartphones or security keys.
- User Resistance: Let's face it—some people just do not like change. Many find Multi-Factor Authentication (MFA) disruptive to their workflow. Our market research shows that almost 60% of cybersecurity professionals believe that cybersecurity solutions need to be simplified to gain employee buy-in and ensure effective engagement. However, with the right solution, MFA doesn't have to interrupt routines.
We’ve been listening to these objections for years now, but why is the industry so slow to respond? We believe MFA is vital, and so do the actuaries – so much so that MFA is now a prerequisite for cyber insurance. We also believe it should be so easy to deploy that all you need is an intern with a free afternoon, and so easy to use that all you need is employees who use at least one device. MFA should be for everyone, not just large corporations. Unfortunately, our research shows that the industry still has a long way to go to catch up.
The Most Common Types of MFA Used
Here is the lowdown on the different types of MFA you are using:
- PUSH Notifications: The crowd favorite, used by 68% of you. It is quick, it is easy, what is not to love? Well, probably that it can be compromised with prompt bombing (push fatigue) and adversary-in-the-middle (AiTM) attacks.
- OTP/SMS: Coming in second, 24% of you are using this method. It is one of the simpler forms of MFA, yet it can be bypassed with credential phishing and AiTM attacks.
- FIDO2 Security Keys: The choice for 8% of you, who, in addition to their IT duties, need to manage the logistics of delivering and replacing keys for each user.
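The prompt-bombing weakness of PUSH MFA mentioned above is also something a defender can look for in authentication logs. The following is an added example (not IDEE's or any vendor's code) that parses a constructed sample of push-MFA events and flags approvals that follow a burst of denied or unanswered prompts for the same user; the log format, the five-minute window and the threshold of three prompts are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of push-MFA events (not real logs): timestamp, user, method, result.
# alice receives four denied/unanswered prompts in under a minute and then approves one,
# which is the classic push-fatigue pattern; bob and carol show normal behaviour.
SAMPLE_LOG = """\
2024-06-04T09:00:01Z alice push DENIED
2024-06-04T09:00:09Z alice push DENIED
2024-06-04T09:00:20Z alice push TIMEOUT
2024-06-04T09:00:31Z alice push DENIED
2024-06-04T09:00:45Z alice push APPROVED
2024-06-04T09:05:00Z bob push APPROVED
2024-06-04T10:15:00Z carol push DENIED
2024-06-04T11:40:00Z carol push APPROVED
"""

WINDOW = timedelta(minutes=5)  # assumed look-back window before an approval
THRESHOLD = 3                  # assumed number of rejected/unanswered prompts that counts as a burst


def parse_events(text):
    """Parse 'timestamp user method result' lines into (datetime, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, _method, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def detect_push_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: [approval timestamps]} for approvals preceded by a burst of
    non-approved prompts (DENIED/TIMEOUT) inside the look-back window."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))

    findings = {}
    for user, evs in by_user.items():
        for i, (ts, result) in enumerate(evs):
            if result != "APPROVED":
                continue
            # Count earlier prompts for this user that were not approved and fall inside the window.
            recent_rejects = [t for t, r in evs[:i] if r != "APPROVED" and ts - t <= window]
            if len(recent_rejects) >= threshold:
                findings.setdefault(user, []).append(ts)
    return findings


if __name__ == "__main__":
    for user, hits in detect_push_fatigue(parse_events(SAMPLE_LOG)).items():
        print(f"possible push fatigue: {user} approved at {hits[0].isoformat()} after a prompt burst")
```

A hit like this is a signal to investigate the session and the source of the login attempts, not proof of compromise on its own.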
Our 2023 research showed that despite widespread MFA adoption, a significant number of businesses still experienced breaches. For instance, in the UK, despite 95% of businesses adopting MFA, 56% suffered breaches, with 23% due to compromised or bypassed MFA. This underscores a critical point: popularity and brand recognition alone do not guarantee robust security against sophisticated cyber threats. First-generation MFA can only prevent password-based attacks such as brute-force attacks.
Find out how different technologies compare in relation to the MITRE ATT&CK Framework.
User Experience
User experience with MFA presents a mixed bag. Many users find MFA cumbersome and difficult to use, leading to frustration and resistance. Many employees struggle with the usability and deployment ease, often feeling inconvenienced by the additional steps required. Surprisingly, many IT and cybersecurity experts express indifference toward these user concerns, emphasizing that the security benefits outweigh any usability issues. Some even adopt a "deal with it" attitude, prioritizing the necessity of MFA over user satisfaction. This disconnect highlights a significant challenge: the need to balance robust security measures with a user-friendly experience to ensure widespread acceptance and compliance.
Wrapping It Up
The industry must shift its focus from mere compliance to proactive prevention. Why does the industry not have confidence in the products it's using? What needs to change to inspire confidence in security measures?
“It's time for vendors to address the right problems—focusing on prevention over detection. Instead of constantly trying to resolve the problem of passwords, which are inherently broken, we should be solving the problem of account takeover from first principles.” Al Lakhani, CEO & Founder of IDEE. Security professionals need to start thinking seriously about authentication rather than treating it as a compliance exercise.
This is our opportunity to lead the conversation on the importance of advanced MFA solutions. By driving this narrative, we can help shift the industry towards more secure practices and inspire confidence in the adoption of new generation MFA or MFA 2.0.
Conclusion
The research is conclusive. Despite what looks, on the surface, like widespread adoption, many companies are still struggling to deploy MFA to all users, because most solutions are still too complex, costly and time-consuming to deploy to everyone. Users still dislike it. MFA has a bad reputation, and the industry needs to address these issues. Products need to be easier to use, more accessible and, most of all, just better at solving the real problems: taking a first-principles approach to security and working out solutions to issues like account takeover, rather than endlessly trying to fix passwords and adding more and more factors to an already broken model. Isn’t it time that vendors flipped this on its head? Let’s start focusing on prevention. Then maybe the market would take MFA more seriously and not just treat it as a box-ticking task. And maybe then we would start to see the breach trendlines go down too. We really hope to be part of the change that is clearly required.
Ready to See for Yourself?
If you are curious about how AuthN by IDEE can up your security game without the headaches, hit us up! We would love to show you what we can do.
Stay safe out there!