Problems with Multifactor Authentication

Roger Grimes on why multifactor authentication isn’t a panacea:

The first time I heard of this issue was from a Midwest CEO. His organization had been hit by ransomware to the tune of $10M. Operationally, they were still recovering nearly a year later. And, embarrassingly, it was his most trusted VP who let the attackers in. It turns out that the VP had approved over 10 different push-based messages for logins that he was not involved in. When the VP was asked why he approved logins for logins he was not actually doing, his response was, “They (IT) told me that I needed to click on Approve when the message appeared!”

And there you have it in a nutshell. The VP did not understand the importance (“the WHY”) of why it was so important to ONLY approve logins that they were participating in. Perhaps they were told this. But there is a good chance that IT, when implementing the new push-based MFA, instructed them as to what they needed to do to successfully log in, but failed to mention what they needed to do when they were not logging in if the same message arrived. Most likely, IT assumed that anyone would naturally understand that it also meant not approving unexpected, unexplained logins. Did the end user get trained as to what to do when an unexpected login arrived? Were they told to click on “Deny” and to contact IT Help Desk to report the active intrusion?

Or was the person told the correct instructions for both approving and denying and it just did not take? We all have busy lives. We all have too much to do. Perhaps the importance of the last part of the instructions just did not sink in. We can think we hear and not really hear. We can hear and still not care.
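The pattern Grimes describes, a user approving a run of push prompts for logins they did not start, also leaves a trace in the MFA provider's logs that a defender can alert on before the user's training is tested. The following is an added example, not code from the original post or from Grimes or Schneier: it runs a small push-fatigue detector over constructed push-notification log lines. The log format, field names, event names (`push_sent`, `push_approved`, `push_denied`), window size and burst threshold are all assumptions for illustration; map them onto whatever your MFA vendor actually emits.

```python
"""Added example (not from the original post). Detect MFA push-fatigue patterns:
(1) a burst of push prompts to one user inside a short window, and
(2) a push approval originating from an IP the user has never approved from before.
Log format and event names are assumptions, not any vendor's real schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format per line:
# <ISO timestamp> <user> <event> <source IP of the login attempt that triggered the push>
SAMPLE_LOG = """\
2021-10-05T08:01:10Z vp@example.com push_sent 198.51.100.7
2021-10-05T08:01:25Z vp@example.com push_approved 198.51.100.7
2021-10-05T22:14:02Z vp@example.com push_sent 203.0.113.44
2021-10-05T22:14:40Z vp@example.com push_sent 203.0.113.44
2021-10-05T22:15:05Z vp@example.com push_sent 203.0.113.44
2021-10-05T22:15:30Z vp@example.com push_approved 203.0.113.44
2021-10-05T22:20:01Z vp@example.com push_sent 203.0.113.44
2021-10-05T22:20:12Z vp@example.com push_approved 203.0.113.44
2021-10-05T09:30:00Z analyst@example.com push_sent 198.51.100.9
2021-10-05T09:30:08Z analyst@example.com push_denied 198.51.100.9
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, user, event, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    events.sort()
    return events


def detect_push_fatigue(events, window=timedelta(minutes=10), burst_threshold=3):
    """Return a list of alert dicts.

    push_burst: the user received `burst_threshold` pushes within `window`
                (alerted once, when the threshold is first crossed).
    approval_from_new_ip: the user approved a push for a login from an IP they
                had never approved from before (their first ever approval is
                not alerted, since there is no baseline yet).
    """
    alerts = []
    sent_times = defaultdict(list)   # user -> timestamps of pushes inside the window
    approved_ips = defaultdict(set)  # user -> IPs from which they have approved before
    for ts, user, event, ip in events:
        if event == "push_sent":
            times = sent_times[user]
            times.append(ts)
            while times and ts - times[0] > window:  # slide the window forward
                times.pop(0)
            if len(times) == burst_threshold:
                alerts.append({"user": user, "type": "push_burst",
                               "count": len(times), "ip": ip, "at": ts.isoformat()})
        elif event == "push_approved":
            if approved_ips[user] and ip not in approved_ips[user]:
                alerts.append({"user": user, "type": "approval_from_new_ip",
                               "ip": ip, "at": ts.isoformat()})
            approved_ips[user].add(ip)
    return alerts


def run_example():
    """Run the detector over the constructed sample log."""
    return detect_push_fatigue(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

On the constructed log this raises two alerts for the VP account: a burst of three pushes in just over a minute, followed by an approval from an IP with no prior approvals. Either alone is a weak signal; the two together within minutes are exactly the "approved logins he was not involved in" pattern and are worth paging on, with the response being to revoke the session and contact the user, not to wait for the user to report it.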

This is a Security Bloggers Network syndicated blog from Schneier on Security authored by Bruce Schneier. Read the original post at: https://www.schneier.com/blog/archives/2021/10/problems-with-multifactor-authentication.html
