The Info Sec Factory


Why You Need Multi-factor Authentication

Compromised user credentials remain one of the primary attack vectors used in data breaches. This is true for traditional on-prem services as well as the cloud. Software as a Service (SaaS) infrastructure is at even greater risk because it is designed to be reachable by “anyone, anywhere”.

In the past, options for protecting SaaS environments included IP restrictions and backhauling traffic through a VPN; this gave security professionals some assurance that the endpoint and the connection were secure, which reduced the risk posed by a stolen credential.  That model has all but fallen by the wayside with the work-from-home movement.  As a result, the most effective security tool available remains Multi-Factor Authentication.  Multi-Factor Authentication (aka two-factor) is a combination of two of the following:

  • Something you know: a username

  • Something you have: a key fob, smart card, one time PIN, etc.

  • Something you are: biometrics

Many of us are familiar with Multi-Factor, but as a security professional I’m always amazed (and dismayed) by the arguments people make against MFA.  “It’s too hard/slow to enter a PIN AND a password”.  “I don’t want to carry a key fob”.  “Enrolling my phone is too much of a hassle”.  The excuses go on and on.  Those of us with responsibilities in Identity Management can agree that the perceived inconvenience is insignificant compared to the risk MFA helps address.  For those of us who struggle to build support for wide-scale deployment, consider these options.

  • Consider a cloud-based IdP (Okta, Ping, Azure, etc.) and advertise the efficiencies users will gain from accessing “all” their corporate cloud applications from a single location.  In fact, they will no longer need to keep up with multiple passwords, and the number of times they enter a password will actually decrease!

  • Consider different policies for different use cases.  Privileged users probably need to be challenged more aggressively than an intern with little access.  While it’s easier to manage a one-size-fits-all policy, the initial juice may not be worth the squeeze.  Once the platform is established you can tighten the policies and will likely face less resistance.

  • Consider adaptive MFA.  Knowing the context of a login (the user, their role, the application and their location) may allow you to be more lenient when a user is on the corporate network and more stringent when they are travelling overseas.

  • Offer multiple factors.  You will always have a user who doesn’t carry a cell phone, doesn’t have an email address or doesn’t want to receive text messages.  Most IdPs give you the option to choose a combination of text, push notification, phone call or email.  I’d argue any additional factor is better than just username and password.  Let the users choose what works best for them.

  • Require a secondary second factor.  What does that mean?  Users will change phone numbers, lose devices, etc.  Make sure there is a backup for this eventuality: enable an authenticator app AND email.  If I forget my phone I still have another option to get access.

  • Be sure you can explain to stakeholders what is really at stake with a stolen credential.  Have some examples of just how easily it can happen, particularly with users increasingly accessing insecure networks from unmanaged devices.  When all else fails, a controlled MITM demonstration can work wonders.

  • With the increased visibility of data breaches, senior leaders have a responsibility to demonstrate due care.  If they don’t, the day may soon come when they are held personally responsible.  Multi-factor has become table stakes in demonstrating that organizations are taking the threat of cybercrime seriously.
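The tiered, adaptive, multiple-factor and backup-factor recommendations above can be expressed as one small policy decision. The following is an added example written for this page, not the post’s or any IdP’s real policy engine: it takes the login signals an IdP already has (role, network, country, device state, enrolled factors) and returns which second factors satisfy the challenge and for how long the result is trusted. The grouping of factors into “strong” and “weak”, the role labels, the re-prompt intervals and all field names are this example’s own assumptions; a real deployment would take these from the IdP’s policy configuration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Assumed factor classes for this example (not a standard taxonomy): app- or
# key-bound factors versus factors delivered over telephony or e-mail.
STRONG_FACTORS = frozenset({"fido2", "totp", "push"})
WEAK_FACTORS = frozenset({"sms", "voice", "email"})


@dataclass(frozen=True)
class LoginContext:
    """Signals available at login time (constructed field names)."""
    role: str                      # "privileged", "standard" or "intern"
    on_corp_network: bool
    home_country: str
    country: str                   # where this request originates
    managed_device: bool
    enrolled: FrozenSet[str]       # every second factor the user has set up
    unavailable: FrozenSet[str] = frozenset()  # e.g. {"push", "totp"} when the phone is forgotten


@dataclass(frozen=True)
class Decision:
    required: str                  # "any" second factor, or "strong" only
    allowed: FrozenSet[str]        # factors that satisfy this challenge
    reprompt_hours: int            # how long a satisfied challenge stays trusted
    action: str                    # "challenge" or "no_usable_factor"


def required_strength(ctx: LoginContext) -> Tuple[str, int]:
    """Tiered policy first (who the user is), then adaptive signals (where from, on what)."""
    if ctx.role == "privileged":
        return "strong", 8                       # privileged accounts: always the strict tier
    off_trust = (not ctx.on_corp_network
                 or ctx.country != ctx.home_country
                 or not ctx.managed_device)
    if off_trust:
        return "strong", 12                      # travelling or unmanaged device: step up
    return "any", 24 * 7                         # corporate network + managed device: lenient


def decide(ctx: LoginContext) -> Decision:
    """Pick the factors the user may use now; assumes the password was already verified."""
    strength, hours = required_strength(ctx)
    pool = STRONG_FACTORS if strength == "strong" else STRONG_FACTORS | WEAK_FACTORS
    # Backup-factor logic: anything enrolled that policy accepts and the user can
    # actually reach right now (lost phone falls back to e-mail where allowed).
    usable = (ctx.enrolled & pool) - ctx.unavailable
    if not usable:
        return Decision(strength, frozenset(), hours, "no_usable_factor")
    return Decision(strength, usable, hours, "challenge")


if __name__ == "__main__":
    # Constructed sample logins
    admin = LoginContext("privileged", True, "US", "US", True, frozenset({"push", "email"}))
    intern = LoginContext("intern", True, "US", "US", True,
                          frozenset({"push", "email"}), unavailable=frozenset({"push"}))
    traveller = LoginContext("standard", False, "US", "DE", True, frozenset({"sms"}))
    for name, ctx in [("admin", admin), ("intern", intern), ("traveller", traveller)]:
        print(name, decide(ctx))
```

Two things the output makes visible: the admin on the trusted network is still held to the strong tier, while the intern who forgot their phone gets through on the enrolled e-mail backup; and the traveller enrolled only in SMS gets no usable factor at all, which is the case the “offer multiple factors” and “secondary second factor” advice above is meant to prevent by enrolling a stronger factor before it is needed.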