Why Is MFA So Important to Online Security
In this episode of Gone Phishing, Connor Swalm and Nick Wolf discuss the importance of multi-factor authentication (MFA) in online security, explaining that MFA verifies a user's identity beyond just username and password—using methods like push notifications, hardware tokens, and FIDO keys—to protect against unauthorized access by cybercriminals.
Welcome to Gone Phishing, a show diving into cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swalm, CEO of Phin Security, and welcome to Gone Phishing.
Connor Swalm:
Hey everyone. Welcome back to another episode of Gone Phishing. I'm your host, Connor, the CEO at Phin, and today I am joined by Nick Wolf, the director of partner acquisitions at Evo Security.
Nick Wolf:
I'm doing great. Thanks for having me on, Connor.
Connor Swalm:
Thanks for joining and helping me understand some things about security that we are completely unaware of, or at least I'm unaware of at most times. So, quick question. Today we're going to talk about MFA. If you could describe MFA for those that are listening. For those who don't know, what is that?
Nick Wolf:
The dumbed down version of MFA, also known as multi-factor authentication, is really verifying that a user is who they say they are. So is Mary from marketing really logging into her computer as Mary from marketing? Or did the bad guys on the Internet steal her username and password and are trying to act like Mary from marketing or Bob, the CFO, to gain access to data?
Connor Swalm:
I've heard two-factor authentication a lot. What's the difference between MFA and 2FA?
Nick Wolf:
2FA and MFA are really used synonymously with multi-factor authentication. Typically, it's other authentication methods other than just an SMS code, which is more popular with 2FA. We see things like push notifications being able to be approved with MFA, as well as things like hardware tokens, FIDOs, YubiKeys, things of that nature.
Connor Swalm:
Really, anything in addition to a username and a password. What's typically the most recommended or most secure form of MFA?
Nick Wolf:
It comes down to user preference, but we see a lot of our users here at Evo adopting the geolocation push. It's much harder to compromise an application of an MFA vendor than it is a cell phone number. That's why you're going to be seeing in the future a lot of vendors and cybersecurity insurance requirements shy away from using MFA codes as an MFA method due to things like SIM hijacking, MFA spoofing, and things of that nature. Geolocation pushes are definitely the popular choice. For example: "Hey Mary from marketing, are you trying to log in through Tampa, Florida or New York City right now?"
Connor Swalm:
That makes a lot of sense. I get those notifications now with my Google account, but I don't think anything else. So I guess it's on by default for some tools that you use. You bring up a good point about SIM hijacking. We just saw that happen at Microsoft, one of the largest companies in the world. Even companies like Microsoft are vulnerable to things like SIM hijacking.
Nick Wolf:
That's actually one of the reasons why we recommend MSPs and their customers not necessarily use Microsoft Authenticator as their MFA tool. We highly recommend using a different third-party tool, whether it's Evo or another MFA vendor. Not that there's anything necessarily wrong with Microsoft Authenticator, but it's risky to have all your eggs in one basket in case Microsoft gets breached. If Microsoft gets breached again, in theory, your users could be compromised because Microsoft is hosting the username, the password, and the MFA code. That's why you always want to break off that MFA code and have it stored with a third-party vendor.
Connor Swalm:
If you did store that with Microsoft, you're trusting that they stored all of those in such a way that they couldn't be accessible in one location. But maybe that's not the case. MFA sounds incredibly easy to implement. Like it's a text notification, a push notification, an app on your phone, or a little key. If it's simple, why do people find it hard to adopt MFA? Let's start with the MSP, then we'll talk about their client.
Nick Wolf:
It comes down to user easiness. Some MSPs and their users are old-fashioned. They want to log in with their username and a basic password of 12345. They don't want to have to update and rotate that password every 30 days, every two weeks, and have an uppercase, lowercase, exclamation point, number sign added to that password. They want things that are simple. But ultimately, when you have simple passwords and no MFA, you're prone to getting a breach. One of the great statistics I like to bring up is from Microsoft: just by having MFA enabled, that will stop 99.9% of identity and account breaches. So I know that it might seem like a pain, but it's really necessary. From a business standpoint, in the future, and even now, most users and employees are used to MFA because of their personal life. Most banks now require it. If you want to transfer a large amount of money, they'll text you an MFA code. So I think you're going to see it more and more.
Connor Swalm:
Sounds like most people say this is inconvenient, and I don't want to do it.
Nick Wolf:
Yeah, it definitely is. But again, it's for their own good. Who looks forward to security awareness training? But it's something you have to do.
Connor Swalm:
Especially with cyber insurance and regulation and new compliance frameworks coming out. What I see happening is not only for MSPs, but for smaller and smaller businesses, all the way down to two or three person companies, you're going to have to be buying cyber insurance. You're going to need some partner to do that, because if you're running a small business, you have all the expertise to do that, but you don't have the time, energy, money, or knowledge to know what a good security partner would be and how to choose them properly.
Nick Wolf:
That's why a lot of small businesses really rely on their managed service provider to get that type of expertise.
Connor Swalm:
In one of our previous podcast episodes, I mentioned that I used to do a lot of presentations for small business development centers. Most of the existing knowledge level of people who are running small businesses and joining my side, mine was aimed at beginners. I'd give three things to do, and if you do these three things, you are in an infinitely better spot. One of them was MFA. Inevitably, I'd have people ask, "No, that's inconvenient. I'm not doing that. I'm not going to have my phone with me, or the little key, or I don't want to get a text message. I'm okay." Then I would always go through this analogy: Raise your hand here on this call if you run your entire life through your personal email, and then more than half of the room raises their hand. "How many of you don't have MFA on that?" I know it's more than half. So you're telling me if somebody can guess your password, which you probably made this account 13 years ago, and your password is something along the lines of your dog's name, the year you were born, and the letter J or something, that's not a very secure password. Your entire life would be upended until you could get that account back, just because you don't want to use MFA. Just because your password gets hacked doesn't mean your MFA got hacked. Sometimes that is the last line of defense because of the amount of breaches that occur that your passwords get rolled up into.
Nick Wolf:
There's a reason why when you go to a bank or an ATM, your card isn't good enough. You need your ATM pin code as well. Without having MFA, it's like basically just having your ATM card, swiping it, and here's as much money as you want, versus having that MFA code enabled as your ATM pin—only you should know it.
Connor Swalm:
If anyone calls you and says, "I need your password to help you with X, Y, or Z," get off the phone. It's your password, it's not theirs. So, a question I have around the implementation of MFA: I remember a day when enabling MFA was basically, you had to enable it on each individual tool, and then each individual tool would have its own way to do it. Is there a unified solution?
Nick Wolf:
It depends on the MFA vendor that you're working with. Some MFA vendors do consolidation and single sign-on. With my MFA platform, you sign in once, and once you're logged into that MFA session, you could sign into your laptop, your server, your Office 365, your Google apps, your firewall—really everything that's on the network. Several years ago it was more spread out: this application was doing it via text, this application via this app, etc. A lot of SMBs and their MSPs are looking to standardize, so definitely pick an MFA vendor that offers that sort of consolidation.
Connor Swalm:
That makes a lot of sense. That also sounds like it cuts through the "this is inconvenient" argument. When MSPs are trying to roll this out, what advice would you give to them? If their clients are coming to them and saying, "We're not doing this," how would you suggest that MSP work with that person?
Nick Wolf:
A lot of MSPs are now making MFA a part of their standard cybersecurity stack. If you're going to be my customer, you're doing cybersecurity awareness training, installing EDR/XDR antivirus, using some sort of email security/phishing product, using MFA, using this core stack. If you're not using this stack, then you're not a customer of mine. Making MFA mandatory is going to save the MSP in the long run. It's also going to help the end user qualify for things like cybersecurity insurance. When you're turning on MFA, you need to turn it on for all users, for everything that's on the network. Don't just turn it on for Bob the CEO logging into his laptop. Turn it on for everybody, whether it's Bob the CEO or Mike the janitor. And don't just do it for one application. Do it for everything: servers, workstations, web applications, firewalls. Otherwise, your cybersecurity insurance claims are likely to get denied. For example, travelers insurance denied a cybersecurity insurance claim because the end user had MFA enabled on the firewalls, but the attack happened on the servers, and there was no MFA on the server. The attackers got the username and password of the server, extracted data, installed ransomware, and the insurance claim got denied. So turn on MFA for all users in all places.
Connor Swalm:
All users, all places, all the time. A good friend of mine, West Spencer, talks about cyber insurance a lot. He mentioned a thing called a carve out, basically like, if you do any of these things, there's no shot we're going to pay out your policy. Are you all at Evo dealing with any cyber insurance stuff right now? Do you have any guidance for your MSP partners?
Nick Wolf:
Just by having MFA enabled, it will definitely help you out with your cybersecurity insurance policy, as well as help you meet CIS controls. We're more than happy to help, but we are not a cybersecurity insurance vendor. We're an IAM vendor, but we're happy to add our expertise wherever we can in those conversations.
Connor Swalm:
For those listening, CIS is the Center for Internet Security. It is a cybersecurity framework that's self-attested—basically, rules that you can decide to implement and measure up to, and it's best practice according to a lot of people. I've mentioned it a bunch of times on separate episodes of the podcast. There are five main things required by cyber insurance policy today: MFA, immutable backups, EDR, managed AV, and awareness training. Those five things are required by all cyber insurance policies that most people see today. MFA is one of them. There's a reason these aren't just pulled out of a hat. Well, they might have been initially, but actually it looks like they're not.
Nick Wolf:
It goes back to the statistic: 99.9% of attacks will be blocked just by having MFA turned on, per Microsoft.
Connor Swalm:
That's absolutely right. A lot of cybersecurity attacks and the resulting breaches are just crimes of opportunity. A statement I made in one of our last podcast episodes is: be the second slowest person when you're running from a bear. Somebody else is going to be slower. Congrats. You made it through the filter. You're fine for now. For folks that are listening, what's one last piece of advice you'd like to leave them?
Nick Wolf:
My last bit of advice is: make sure you're setting a complex password because your password is your first line of defense. Make sure you're having MFA installed as your second line of defense. If someone calls you and is trying to offer you support over the phone, but they need your username, password, or MFA code, do not give it to them. Nobody's ever going to ask for it. The only place that you should be inputting your MFA code is on the actual website that you and only you are trying to access.
Connor Swalm:
Do not share your credentials at all. Thank you for that piece of advice. And thank you so much for joining me, Nick. We didn't even get time to talk about privileged access management or PAM. Would you like to come back on another episode of the podcast and talk about that?
Nick Wolf:
Sure. Please have me on.
Connor Swalm:
Awesome. Well, Nick, thank you so much for joining me once again. To everyone listening, I'm Connor, host of the Gone Phishing podcast. Thanks for joining.
Nick Wolf:
Thank you.
Connor Swalm:
Thanks so much for tuning in to Gone Phishing. If you want to find out more about high quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits, then check us out at Phinsec IO. Thanks for fishing with me today and we'll see you next time.