IT pros: Register multiple "second factors"

The second factor of multi-factor authentication – the “something you have” part – is great and all…as long as you have it.

Depending on how terrible your day is going, your tiny YubiKey could get lost in the expanse of your desk; your phone with your backup passwords could get left in the backseat of a cab; or your WFH laptop could get ruined by a giant coffee spill.

Here’s a tip from the pros: Give your teams the chance to register multiple “second factors.”

“One of the things that I often see missed when I see people implement multi-factor authentication,” Johannes Ullrich, dean of research at the cybersecurity research cooperative known as the SANS Institute, told a crowd at RSA 2022 this month: “How are you dealing with lost, broken, stolen second factors? How are you recovering them?”

A common strategy for resetting the lost second factor, Ullrich told IT Brew, are backup codes that can override the authenticator.

“The problem with that, of course, is, well, what if you lose them as well? Because you probably stored them on the same phone,” Ullrich said.

A better idea, perhaps, is to get more phones and keys on the books.

“The best thing you can usually do is allow or encourage users to register multiple second factors,” Ullrich told IT Brew. “So multiple phones, multiple YubiKey devices, and such, as [you] set up multi-factor authentication. Also, allow them to add additional devices later.”

For the IT pro who can’t seem to hang on to keys and tokens, email-based resets are a common solution, albeit one with insecurities. A scammer, for example, could use tactics like SIM swapping to take over a target’s entire phone, including email.

“If I’m an attacker, that’s one of the things that I’m going to test out. I’m going to try and do account resets,” said David Mahdi, Chief Strategy Officer and CISO Advisor at the digital-certificate provider Sectigo, who also emphasized the importance of the second factor.

“If you have other means to get in, it’s just a wise approach, because then it allows for more diversity and, frankly, a better security profile.”

According to an October 2021 investigation from corporate insurance carrier Allianz, the average ransomware payment in the first half of 2021 was $570,000, while the average extortion demand was $5.3 million.

About 80% of ransomware incidents could have been avoided if organizations had followed best practices like MFA, Allianz Global Corporate & Specialty Senior Cyber Underwriter Michael Daum said in the report: “In many cases we find a lack of multi-factor authentication (for remote access on privileged IT accounts, or for remote maintenance), or inadequate training has been a major contributing factor to the loss.”

According to Sophos’s State of Ransomware 2022 report,  66% of organizations surveyed were victims of ransomware in the last year—up from 37% in 2020. The FBI noticed a similar spike: Its Internet Crime Complaint Center received 2,084 ransomware complaints from January to July 31, 2021,  a 62% increase in reporting.

Plenty of services—from Windows Hello to Gmail’s two-step authentication—have multi-factor options. Organizations face the challenge of tying MFA choices together with policy.

“It really is a bit of a messy landscape in managing all the identity products and services to really fulfill that vision of having a nice, tight, seamless identity lifecycle,” said Mahdi.—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.