With more cybersecurity threats out there than ever before, the industry should be encouraging multi-factor authentication (MFA) across the board. Basic login credentials are so easily obtained by threat actors that MFA is a standard all MSPs should be applying across the accounts and platforms they can reach.
But in reality, is MFA as it stands today fit for purpose? For MSPs in particular, who are accessing multiple vendor platforms at any given time, is MFA a realistic prospect for entry into each platform?
With MSPs telling us that MFA can be "clunky" and "cumbersome", an alternative and more streamlined approach to accessing all these vendor applications may help tackle the MFA burden. But as things stand, there isn't one - and MSPs aren't necessarily in agreement as to whether there could be one that is efficient as well as secure.
Exactly how clunky and cumbersome MFA is depends on who you speak to. Some point out that the sheer number of login credentials MSPs are handling is having an impact on security, while others note that some vendors make it much easier than others.
"MFA can be cumbersome," Chris Brenes, director of IT and security at Fort Myers, FL-based Entech Solutions, told CPI. "We have multiple platforms that we use MFA against [and] it feels clunky the way it exists today. There's got to be some sort of change because MFA is becoming a requirement in today's world."
Some vendors aren't up to scratch
According to James White, managing partner at Princeton, NJ-based Mainframe IT, MFA is a particularly laborious process when employees either join or leave an MSP.
"Every multifactor experience for a lot of different vendors is a little bit different, and they all have different advantages and disadvantages, but at the end of the day, the problem is that as employees come and go from an organization, going back and cleaning up all those accounts is often impossible," White told CPI.
"Anybody who's got a lot of employees will have all these different vendor accounts, and you really want to be able to provision and deprovision those accounts off quickly, especially on the deprovisioning side. You've got to shut off access to everything fast."
As well as the multiple logins your staff may have, some vendors are operating MFA a lot more effectively than others, Brenes told CPI.
What this means is that, whether or not MFA is cumbersome in itself, rolling it out across an organization is far easier with some vendors than with others, and for security leadership that can mean time and effort spent getting staff to activate their MFA credentials.
"Some vendors are very good - they allow you to go to a spot in your account and check a checkbox and it enforces multifactor for every new user, and the user has to set it up right then. But then you have other vendors that don't even give you that option. Some have MFA capability, but users can still log in without it."
The result is that security leaders have to monitor their environment to see who is using MFA and who isn't - building reports and monitoring user behavior, all of which is extra (and unnecessary) work.
And this, of course, multiplies whenever a vendor comes on board that doesn't have an automatic MFA requirement.
"I've had to take additional steps to support one vendor to ensure we have MFA enabled for our entire user base. But then as you add other vendors that are in the same boat, now you've got to come up with ways to manage those as well," Brenes said.
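One way to build the cross-vendor report described above, covering both the deprovisioning gaps White raises and the users-without-MFA check Brenes describes. This is an added example, not code from the article or from any of the MSPs quoted; the vendor names, e-mail addresses and export format are constructed placeholders standing in for whatever user export each vendor portal actually provides.

```python
"""Cross-vendor account hygiene report for an MSP (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorAccount:
    vendor: str        # placeholder vendor platform name
    email: str         # login identity as exported by that vendor
    mfa_enabled: bool  # whether this user has MFA set up on that vendor
    is_admin: bool = False


# Constructed sample data: current staff per HR, and each vendor's user export.
ACTIVE_STAFF = {"alice@example-msp.test", "bob@example-msp.test"}
# Does the vendor let us force MFA for every user (the "checkbox" Brenes mentions)?
VENDOR_ENFORCES_MFA = {"rmm-vendor": True, "psa-vendor": False, "backup-vendor": False}
VENDOR_EXPORT = [
    VendorAccount("rmm-vendor", "alice@example-msp.test", True, is_admin=True),
    VendorAccount("rmm-vendor", "bob@example-msp.test", True),
    VendorAccount("psa-vendor", "alice@example-msp.test", True),
    VendorAccount("psa-vendor", "bob@example-msp.test", False),
    VendorAccount("psa-vendor", "carol@example-msp.test", False),  # carol left last month
    VendorAccount("backup-vendor", "carol@example-msp.test", True, is_admin=True),
]


def orphaned_accounts(accounts, active_staff):
    """Accounts whose owner is no longer on the roster: deprovision these first."""
    return sorted((a.vendor, a.email) for a in accounts if a.email not in active_staff)


def mfa_gaps(accounts):
    """Accounts that can still log in without MFA."""
    return sorted((a.vendor, a.email) for a in accounts if not a.mfa_enabled)


def hygiene_report(accounts, active_staff, vendor_enforces_mfa):
    """Combine both checks and single out the worst case: ex-staff holding admin access."""
    orphans = orphaned_accounts(accounts, active_staff)
    admins = {(a.vendor, a.email) for a in accounts if a.is_admin}
    return {
        "orphaned": orphans,
        "mfa_missing": mfa_gaps(accounts),
        "critical": sorted(o for o in orphans if o in admins),
        # Vendors where MFA cannot be forced need the manual monitoring the article describes.
        "vendors_without_enforcement": sorted(v for v, on in vendor_enforces_mfa.items() if not on),
    }


if __name__ == "__main__":
    for key, rows in hygiene_report(VENDOR_EXPORT, ACTIVE_STAFF, VENDOR_ENFORCES_MFA).items():
        print(f"{key}: {rows}")
```

Run it against real vendor exports on a schedule and the "critical" list becomes the first item on the offboarding checklist.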
On top of this, MFA can mean juggling numerous passcodes, one for each of the vendor applications an MSP logs into, Brenes points out.
"As I log into applications, I've got to get the codes up and I've got to find the right code. In some cases I have admin accounts and so I may have a code for my admin account that is different than my code for my normal user account but they look the same, so I've got to deal with that also. Obviously you can get in and rename them, but they still look similar. So it's just clunky."
He adds that even when you centralize such processes with one of the solutions designed for this very purpose, it can still be difficult to manage.
"The solutions allow you to turn on or off access for your user base, but it's still tough to manage, especially in the MSP world where we've got so many different vendor accounts. It's tough to scale when you've got to deal with a bunch of different vendors that aren't supporting it in a ubiquitous way."
White agrees, adding that you're only as secure as each vendor's MFA login process. For example, for MSPs using Microsoft Azure Active Directory (AD), there is the option of using a FIDO2 security key to further enhance security, but other vendors may not have this extra level of security.
"I'm limited vendor by vendor by whatever those vendors provide. And most of them are just providing very, very basic, caveman MFA," he said.
Is single sign on the future?
For White, the solution to this is single sign on with one of the giant identity providers, such as Microsoft Azure or Google Cloud. Being able to sign in to all your vendor accounts in this way would avoid having to deal with the differing security levels different vendors offer, as well as ease the significant change management burden MFA can bring, he told CPI.
"We've got that many login IDs and passwords - there are literally hundreds - and if all the different vendors that we deal with were supporting single sign on, my employees could log in across the board with their Azure AD accounts. That way I'd only have 50 usernames and passwords. That's hundreds versus 50 - much easier to manage."
Chris Bradley, VP of managed services at Memphis, TN-based ProTech Services Group, notes that single sign on is a "nice idea", but he's not sure it's a realistic proposition - at least not yet.
"A lot of applications do authenticate to AD so you may have a business where 100 percent of their apps could authenticate to it and then you can run multi-factor authentication with Radius to AD, so yes, that would work… but there are still so many different systems out there [and] not all of them can authenticate at the same type of pace as AD."
This is not the only issue that single sign on across applications faces. Using single sign on to get into all your vendor accounts puts all your security eggs in one basket: an attacker needs only one set of login credentials to get into your entire vendor inventory, which risks significant exposure.
"I don't know that I can get excited about single sign on globally for every system because of the security concern," Brian Baird, director of security services at ProTech, told CPI. "Once you have it, it's the keys to the kingdom. Yes it may be easy, but easy is normally the opposite of secure - those two things are usually opposing ideas, opposing forces."
Entech's Brenes adds that single sign on for all vendor platforms is a "double-edged sword".
"You want to provide some convenience for your users so that they're more apt to use it, not complain and get their jobs done, but at the same time, I think you should, at the very least, take some care on what you add into a central portal like that. Security is not convenient, and so the more convenient you make it, typically there's a tradeoff and that comes in terms of security."
White, however, thinks single sign on has the opposite effect. His view is that with single sign on, the moment you discover a user has been compromised, you can cut off that user across every vendor account in one shot by disabling their single sign on.
"That's the whole thing - when you shut the user down at the Microsoft level, you shut them down across every single vendor account that's using single sign on. So if you're protecting the user with full MFA at the AD level and then adding FIDO2 keys on it, and everything else Microsoft offers, including technologies it's developing where suspect user behavior can trigger an account shutdown, [single sign on can work]."
Baird, however, is not convinced. He thinks the concept of single sign on for all goes against the basic principle of zero trust security. He also argues that MFA is not so onerous as to need single sign on to reduce the burden.
"Zero trust means you can't just authenticate into a system and then forever you're trusted and life is good. There are behaviors that you have to look at. There are all kinds of things under that multi factor. It's not just who you are and what your password is, it's what are you doing? How long are you in there? Where are you accessing it from? And I don't agree that MFA is so laborious that single sign on is the next evolution or something that you would have to do to make all of this easier. I don't agree with that premise. I don't think it's that difficult right now."