MFA 'Promises Land'

Eoin Higgins of IT Brew, quoting Microsoft’s VP of identity security, Alex Weinert

“Multi-factor authentication is one of the most basic defenses against identity attacks today,” Weinert wrote, adding that the 28% adoption rate was confounding and had the expected reaction from hackers: “With such low coverage, attackers increase their attack rate to get what they want.”

The difference in numbers is stark: Where those unprotected by MFA see thousands of attacks per second, users with the security measure experience a relatively low amount of tens of thousands of attacks per month. Weinert said he recommends Microsoft users take steps to protect themselves beyond simply any multi-factor authentication and use products like Microsoft Authenticator, Windows Hello, and FIDO.

Ignorance is Bliss

Do you know who doesn't see all those attacks?

Your users.

Oh, sure, Ops see them. If you're large enough, the Sec Team absolutely sees them. The CISO probably shitting a brick.

For those with MFA enabled, your users see an annoying extra step and don't know, remember or care why 'IT made it even harder to log in.'

Then there are those who haven't yet implemented or can't for some reason. Good luck come your next cyber insurance renewal.

Offering 'Win Win' Security

I can only speak for my experiences dealing with my users in my environment. They think MFA is dumb. An extra hurdle to jump over. This 'damn thing Luke makes me do.'

I was only able to start to build trust (and traction) once we started to train, teach, and listen.

  • We reevaluated our password policy.
  • We looked at complexity rules.
  • We looked at the different factors and considered input from HR, Legal, and the various Business Units.

Too many security folks view themselves as 'the shield,' but their users view them 'as the sword.' Once we started implementing things like password less, auth, windows hello, biometric auth, etc., the next result was... "you know, I like not having to remember this crazy password all the time."

Never forget.

We exist to empower the business and drive value. We do that via security, IT operations, and support. Not in spite of it.