As global cybersecurity risks abound, multi-factor authentication (MFA) is one of the most effective ways to protect access and prevent breaches. While MFA has gained momentum over the past two years, it’s still not in widespread use. Why? For MFA adoption to really take off, organizations need to understand the real value of MFA and how to effectively implement it.
The Tech Giants Trying to Make MFA Mainstream
Outside of work, most people ignore the option of two-factor authentication (2FA) or are reluctant to enroll in 2FA for a few common reasons: misplaced confidence in passwords, frustration or confusion about setup or pure laziness. Less than 10% of Google accounts have two-factor authentication enabled, and only about 12% of Americans use password managers.
This has driven many tech giants to make MFA mandatory: Salesforce now requires MFA, Google is making 2FA compulsory for all users and Amazon.com Inc.’s Ring made 2FA mandatory in 2020.
Why Are Organizations Slow to Adopt MFA?
Unfortunately, the same attitude exists in the workplace, with enterprise MFA adoption still low.
Organizations often believe common MFA myths, seeing MFA as a tool only for:
- The largest organizations, or
- The most privileged of accounts: Windows admin accounts, Active Directory service accounts and anything that has control over a major part of the network environment.
Yet, MFA is equally important for both small and large organizations. No matter the size of your organization, your data is equally sensitive and should be equally well protected.
Whether or not MFA should be only for the most privileged accounts merits a closer look.
To Raise MFA Adoption Rates, Take a Fresh Look at Security
Let’s start with a look at the security approach behind the idea of “privileged accounts.” Securing the login is the first step to making privileged access management (PAM) work. Each organization strikes a different balance, but you’ll reduce risk by extending security as far down the “non-privileged” path as possible.
In the old-school, perimeter-based security approach, we didn’t talk as much about the security of the “average” user account. However, the focus has changed thanks to the en masse shift to remote work and many organizations’ rapid transition to a hybrid environment spanning both the corporate network and the cloud.
The Principle of Least Privilege Is More Relevant Than Ever
The principle of least privilege – the practice of limiting user access to only sets of data, applications and systems that they absolutely need – has been around for years (Microsoft wrote about it in 1999). Because the threats of attack today are even greater, least privilege is more pertinent than ever to an organization’s security strategy:
- External attacks leverage user accounts to gain control over endpoints, move laterally within the network and, ultimately, acquire targeted access to valuable data.
- Insiders use their own granted access, or other compromised accounts, to exploit data and applications for malicious purposes.
See, least privilege isn’t actually about privilege. It’s about the compromised use of a “privileged” account. So, one of the key aspects of a least privilege strategy is to monitor the use of privileged accounts.
The Key: Monitoring All Account Access
Privileged access management (PAM) works well for monitoring truly privileged accounts, like Active Directory administrator accounts. Yet, it doesn’t serve the purpose of monitoring activity for every user in the organization.
One pivotal point of access provides organizations with crystal clear indicators that an account is either being properly used or has been compromised: the logon.
Apply MFA to All Accounts
For the modern organization, the real value of MFA is in protecting any account with access to critical data, applications and systems. Since every user has been granted some set of access rights and privileges, every user is a privileged user of some kind.
Tips for Deploying MFA
Preparation is key! Applying MFA to all users demands more planning than if you apply MFA to only privileged accounts. Whatever the size of your company, here are six key points to remember before you deploy MFA:
- Securing logins significantly improves your security stance
- MFA is not just for privileged users
- MFA doesn’t have to be frustrating for IT departments
- MFA must balance user security and user productivity
- Educate and empower your users to support MFA
- Management commitment and buy-in are key
Unleash the True Value of MFA
Truly increasing MFA adoption requires a more fundamental shift in the organization’s security posture. The more organizations understand the value of applying principles of least privilege and privileged account management to all accounts, the more they will understand the advantage of securing logins across all users. Organizations will put more effort into finding a balance between employee productivity and security. When they do, get ready to see the demand for granular, customizable MFA explode.