I’ve Turned on Multifactor Authentication (MFA). Now What?

Cyber, Property & Casualty, Risk

In the 12 months covered by Palo Alto Networks' Unit 42 Incident Response Report, 70% of the cases Unit 42 worked were ransomware or business email compromise (BEC). Two of the top three initial access vectors attackers used involve usernames and passwords: credential phishing and brute-force credential attacks. In 50% of those cases, a single control, multi-factor authentication (MFA), could have stopped the intrusion or at least produced an alert that led to its detection.

As we’ve seen in the cyber insurance industry, MFA has now become a standard control that just about every carrier wants in place before offering coverage.

You may be thinking that with MFA turned on, your organization is no longer vulnerable to these attacks. Unfortunately, cyber criminals are relentless in their pursuit of money, data and computing resources, and they have found ways to work with or around the MFA systems that organizations have put in place.

MFA Fatigue

In just the past few months, several large organizations that required MFA for access to their systems have been breached anyway. The attacker first obtains a valid username and password (through phishing, a leaked password dump or brute force) and then bombards the user with the push notifications that many of today's MFA solutions rely on. At some point the user taps "Allow" just to make the notifications stop, and the attacker is in. This is known as "MFA fatigue" (also called push bombing), and its use to bypass MFA is increasing. The point to remember is that a burst of unexpected prompts means the password is already in the attacker's hands: it is an incident, not a nuisance.
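The pattern described above is visible in identity-provider sign-in logs before the user gives in: one account, many push prompts in a few minutes, none of them approved. The detector below is an added example, not code from the original article or from any MFA vendor. It runs over a constructed sample log; the event format (timestamp, account, source IP, MFA outcome), the ten-minute window and the five-prompt threshold are assumptions, and it separates an account that was merely bombarded from one where a successful sign-in followed the burst, which is the case to treat as a compromise.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs). Fields:
# (UTC timestamp, account, source IP, MFA outcome). "mfa_denied" and
# "mfa_timeout" are push prompts the user did not approve; "success" means
# the prompt was approved and the sign-in completed.
SAMPLE_EVENTS = [
    ("2022-10-03T08:00:05Z", "alice@example.com", "203.0.113.7", "mfa_denied"),
    ("2022-10-03T08:00:40Z", "alice@example.com", "203.0.113.7", "mfa_timeout"),
    ("2022-10-03T08:01:15Z", "alice@example.com", "203.0.113.7", "mfa_denied"),
    ("2022-10-03T08:01:50Z", "alice@example.com", "203.0.113.7", "mfa_timeout"),
    ("2022-10-03T08:02:30Z", "alice@example.com", "203.0.113.7", "mfa_denied"),
    ("2022-10-03T08:03:10Z", "alice@example.com", "203.0.113.7", "mfa_denied"),
    ("2022-10-03T08:04:00Z", "alice@example.com", "203.0.113.7", "success"),
    ("2022-10-03T09:15:00Z", "bob@example.com", "198.51.100.20", "success"),
    ("2022-10-03T11:00:00Z", "carol@example.com", "192.0.2.44", "mfa_denied"),
]

UNAPPROVED = {"mfa_denied", "mfa_timeout"}


def parse_events(events):
    """Turn the raw tuples into (datetime, account, ip, outcome) rows, oldest first."""
    rows = [(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, outcome)
            for ts, user, ip, outcome in events]
    return sorted(rows)


def detect_push_bombing(events, window=timedelta(minutes=10), threshold=5):
    """Flag accounts that received at least `threshold` unapproved push prompts
    inside any interval of length `window`. Returns {account: details}."""
    threshold = max(threshold, 1)
    by_user = defaultdict(list)
    for row in parse_events(events):
        by_user[row[1]].append(row)

    alerts = {}
    for user, rows in by_user.items():
        prompts = [r for r in rows if r[3] in UNAPPROVED]
        best_count, best_end, start = 0, None, 0
        for end in range(len(prompts)):
            # slide the window start forward until the span fits inside `window`
            while prompts[end][0] - prompts[start][0] > window:
                start += 1
            if end - start + 1 > best_count:
                best_count, best_end = end - start + 1, prompts[end][0]
        if best_count < threshold:
            continue
        # A success shortly after the burst means the user gave in and approved:
        # the account is compromised, not merely harassed.
        approved_after = any(
            r[3] == "success" and best_end <= r[0] <= best_end + window
            for r in rows)
        alerts[user] = {
            "unapproved_prompts": best_count,
            "approved_after_burst": approved_after,
            "source_ips": sorted({r[2] for r in prompts}),
        }
    return alerts


if __name__ == "__main__":
    for user, info in detect_push_bombing(SAMPLE_EVENTS).items():
        action = ("reset password, revoke sessions, review mailbox rules"
                  if info["approved_after_burst"]
                  else "contact user and reset password; attacker already has it")
        print(f"{user}: {info['unapproved_prompts']} unapproved prompts from "
              f"{info['source_ips']} -> {action}")
```

Even a burst that the user never approves deserves a password reset, because the prompts could not have been generated without the correct password; the `approved_after_burst` flag only changes the urgency of the response.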

Legacy Protocols

As organizations pursue digital transformation initiatives, they often keep older systems that would be costly to replace but are necessary for day-to-day work. A widespread example is the copier/scanner/printer with scan-to-email capability. These devices were not designed to complete an MFA challenge when they connect to a mail server to send documents. As companies move to cloud-based email, the devices keep authenticating with only a username and password, known as basic authentication. Because a basic-authentication login never triggers an MFA prompt, an attacker who guesses or steals that password gets a mailbox with no second factor, and such mailboxes are then used to send phishing from a trusted internal address.

What can I or my organization do?

Security Awareness Training

Once MFA is implemented, its use, and things to watch out for such as MFA fatigue, should be part of the organization's security awareness training program. Employees should be told never to approve a prompt for a login they did not start, and should feel comfortable reporting a burst of unexpected MFA notifications to IT or security immediately, since those notifications mean the password itself has been compromised and needs to be changed.

IT Inventory

An organization should maintain an inventory of all hardware and software used for its business purposes. With that inventory, it knows when newly released security vulnerabilities apply to its technologies, and it can identify the situations where a security risk must be accepted to keep the business running (a scanner that can only use basic authentication, for example) while planning how to mitigate that risk.

Starting this month, Microsoft is disabling basic authentication in Exchange Online by default; organizations can still re-enable it for specific situations where MFA is not supported. Every account exempted from MFA in this way should be recorded in the inventory, limited to the one protocol the device needs, and monitored: its sign-ins should only ever come from the device and network it was provisioned for, and any use of a legacy protocol by an account that is not on the list is a finding to investigate.
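The accounts that keep basic authentication are exactly the ones the inventory should list, and their sign-ins are the ones to monitor. The script below is an added example, not code from the original article or from Microsoft. It reads constructed sign-in records shaped loosely like Azure AD sign-in log entries, in which the clientAppUsed field names the protocol the client used, and it checks every legacy-protocol sign-in against an assumed inventory of approved accounts and the network each device is expected to use. The account names, networks and IP addresses are constructed for the example.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sign-in records (not real logs), shaped loosely like Azure AD
# sign-in log entries. "clientAppUsed" names the protocol the client used;
# anything other than a modern (MFA-capable) client is a legacy protocol
# that authenticated with only a username and password.
SAMPLE_SIGNINS = """
{"time": "2022-10-03T07:58:12Z", "user": "scanner-3rdfloor@example.com", "clientAppUsed": "Authenticated SMTP", "ip": "10.20.4.15", "status": "success"}
{"time": "2022-10-03T08:02:44Z", "user": "alice@example.com", "clientAppUsed": "Browser", "ip": "203.0.113.7", "status": "success"}
{"time": "2022-10-03T08:10:03Z", "user": "alice@example.com", "clientAppUsed": "IMAP4", "ip": "198.51.100.9", "status": "failure"}
{"time": "2022-10-03T08:10:05Z", "user": "alice@example.com", "clientAppUsed": "IMAP4", "ip": "198.51.100.9", "status": "failure"}
{"time": "2022-10-03T08:10:07Z", "user": "alice@example.com", "clientAppUsed": "IMAP4", "ip": "198.51.100.9", "status": "success"}
{"time": "2022-10-03T08:30:00Z", "user": "scanner-3rdfloor@example.com", "clientAppUsed": "Authenticated SMTP", "ip": "10.20.4.15", "status": "success"}
{"time": "2022-10-03T08:41:19Z", "user": "mfp-lobby@example.com", "clientAppUsed": "Authenticated SMTP", "ip": "203.0.113.50", "status": "success"}
{"time": "2022-10-03T09:00:00Z", "user": "bob@example.com", "clientAppUsed": "Mobile Apps and Desktop clients", "ip": "198.51.100.20", "status": "success"}
"""

MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

# The IT inventory's list of accounts allowed to keep basic authentication,
# with the network each device lives on. Names and networks are constructed.
APPROVED_LEGACY = {
    "scanner-3rdfloor@example.com": ipaddress.ip_network("10.20.4.0/24"),
    "mfp-lobby@example.com": ipaddress.ip_network("10.20.5.0/24"),
}


def audit_legacy_auth(ndjson, approved=APPROVED_LEGACY):
    """Summarise every account seen using a legacy protocol and judge it
    against the inventory. Returns {account: finding}."""
    seen = defaultdict(lambda: {"protocols": set(), "ips": set(),
                                "success": 0, "failure": 0})
    for line in ndjson.strip().splitlines():
        rec = json.loads(line)
        if rec["clientAppUsed"] in MODERN_CLIENTS:
            continue  # modern auth: the MFA policy applies, nothing to audit
        entry = seen[rec["user"]]
        entry["protocols"].add(rec["clientAppUsed"])
        entry["ips"].add(rec["ip"])
        entry[rec["status"]] += 1

    findings = {}
    for user, entry in seen.items():
        network = approved.get(user)
        if network is None:
            verdict = "not in inventory: block basic auth and investigate"
        elif all(ipaddress.ip_address(ip) in network for ip in entry["ips"]):
            verdict = "approved"
        else:
            verdict = "approved account used from outside its expected network"
        findings[user] = {
            "protocols": sorted(entry["protocols"]),
            "ips": sorted(entry["ips"]),
            "success": entry["success"],
            "failure": entry["failure"],
            "verdict": verdict,
        }
    return findings


if __name__ == "__main__":
    for user, f in audit_legacy_auth(SAMPLE_SIGNINS).items():
        print(f"{user}: {f['protocols']} from {f['ips']} "
              f"({f['success']} ok / {f['failure']} failed) -> {f['verdict']}")
```

In the sample, the third-floor scanner is approved and behaving; the lobby printer's account is approved but signing in from an address outside its network, which is how a stolen device password shows up; and alice's IMAP sign-in, two failures followed by a success, is a password-guessing attack against an account that should never be using a legacy protocol at all.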

Other MFA solutions/options (FIDO, no push notifications)

Besides push notifications, other MFA methods are available to organizations. Two of the best alternatives are:

  • Code Generator: A hardware token or mobile application generates a new, short-lived code that you type in at login. With the common time-based scheme (TOTP), the code changes every 30 seconds, and a correctly implemented server refuses a code that has already been used. Google Authenticator is a common example. One caveat: a code can still be phished, because a convincing fake login page can collect it and relay it to the real site within the 30-second window, so this method resists MFA fatigue but not real-time phishing.
  • Fast Identity Online (FIDO) Universal 2nd Factor (U2F): A hardware device that connects to your computer over USB, NFC or Bluetooth. When you log in, you touch the device to complete the second factor. The device signs a challenge that is bound to the website's real origin, so a phishing site cannot obtain a usable response, and there is no push notification to approve, so MFA fatigue does not apply. This is the most secure form of MFA, but the most complex to implement. A YubiKey is an example; the current version of the standard is FIDO2/WebAuthn.

Cyber insurance companies are requiring multi-factor authentication (MFA) in many instances in order to offer coverage. However, cyber criminals are finding ways around basic MFA methods in order to obtain your organization's information. Now is the time to reach out to your M3 account executive to discuss your current cybersecurity risk management protocols, as well as your cyber insurance coverage.
