MFA Resilience: Avoiding Single Points of Failure

TL;DR

Yes, many current multi-factor authentication (MFA) methods *do* rely on single points of failure. This guide explains how to improve your MFA setup for better cyber security by diversifying your options and planning for disruptions.

Improving MFA Resilience

Most MFA implementations today centre around SMS, authenticator apps or email codes. While better than nothing, these all have weaknesses. Here’s a practical guide to making your MFA more robust:

1. Understand the Risks

• SMS Interception: SIM swapping attacks can steal SMS-based MFA codes.
• Authenticator App Issues: Device loss, theft or app glitches can lock you out. Recovery processes aren’t always smooth.
• Email Compromise: If an attacker gains access to your email account, they can bypass email-based MFA.
• Vendor Lock-in: Relying on a single MFA provider creates dependency and potential disruption if *they* have issues.

2. Diversify Your Authentication Methods

Don’t put all your eggs in one basket! Offer users multiple MFA options:

1. Authenticator Apps: Google Authenticator, Microsoft Authenticator, Authy are common choices.
2. Hardware Security Keys (FIDO2/WebAuthn): YubiKey, SoloKeys offer strong protection against phishing and SIM swapping. These use cryptographic keys stored on the device.
3. Backup Codes: Generate a set of one-time use codes to be stored securely offline.
4. Biometrics (where appropriate): Fingerprint or facial recognition integrated with hardware security keys or devices.

Example of generating backup codes (using Google’s 2-Step Verification settings – process varies by provider):

Within your account security settings, look for 'Backup Codes'. Generate a new set and download/store them securely.

3. Implement Passwordless Authentication

Passwordless methods reduce reliance on passwords *and* MFA codes:

• FIDO2/WebAuthn: Using hardware security keys as the primary authentication factor.
• Passkeys: A newer standard storing credentials securely on devices (e.g., Apple iCloud Keychain, Google Password Manager).

Note: Passkey support is growing but isn’t universal yet.

4. Plan for Recovery Scenarios

1. Self-Service Reset: Allow users to reset MFA if they lose access, *with* strong identity verification steps (e.g., knowledge-based questions, proof of ownership).
2. Admin Recovery Process: Define a clear process for administrators to assist users who can’t recover their accounts themselves. This should involve multiple levels of approval.
3. Emergency Access Accounts: Create highly secured emergency access accounts with separate MFA configurations (and limited privileges) for critical situations.

Example of checking recovery options in Microsoft Entra ID:

In the Azure portal, navigate to 'Users' -> [User] -> 'Authentication methods'. Review registered methods and recovery phone numbers/emails.

5. Monitor MFA Usage & Security Events

• Failed Login Attempts: Track repeated failed MFA attempts as a sign of potential attacks.
• New Device Registrations: Alert on new devices registering for MFA, especially from unusual locations.
• MFA Method Changes: Monitor changes to users’ registered MFA methods.

Use your SIEM (Security Information and Event Management) system or security logs to detect anomalies.

6. Regularly Review & Update

• Vendor Security Practices: Stay informed about the security practices of your MFA providers.
• New Threats: Be aware of emerging threats targeting MFA (e.g., advanced phishing techniques).
• Technology Updates: Keep your MFA software and hardware up to date with the latest security patches.