
September 11, 2023

MFA and passkeys: Why a password is not enough

Last updated: January 19, 2024


Business user accounts give employees access to sensitive resources such as emails, intellectual property, personnel files, and other potentially private information. To protect these resources, it’s important that only those authorized to access an account can.

There are a wide range of ways to control account access—from simple methods like passwords to sophisticated ones like specialized hardware devices. All methods share the same purpose: require the user to prove something unique about themselves that couldn't apply to anyone else.

As with all security policies, there needs to be a compromise between convenience and security. Good account access controls provide adequate account protection while not unnecessarily increasing the amount of effort from an authorized user.

For example, passwords are a relatively low-effort way to secure authentication. And promising new methods, such as passkeys, often require even less effort. In some cases, though—especially where highly sensitive resources are involved—a high level of user effort may be needed.

The inadequacy of passwords

Most accounts require the use of a username and password combination to authenticate. This is a form of single-factor authentication. The idea is that only the true user of the account knows the password associated with their username, and so only that user can access the account as long as the password remains a secret.

Unfortunately, keeping a password a secret is not always possible. Threat actors often try to guess passwords via brute force attacks (trying each entry of a long list of common passwords) or credential stuffing attacks (reusing passwords exposed when a user's other accounts were compromised), both of which are surprisingly effective.

History shows that users consistently use weak passwords or share passwords across multiple accounts, including accounts that have already been breached. This is despite the best efforts of training material and minimum password requirement checks.

But even using strong passwords does not adequately protect accounts. In fact, the use of single-factor authentication is specifically listed as a bad practice by the US Cybersecurity and Infrastructure Security Agency (CISA).

While a password should only be known by the authorized user, in practice it could be known by anyone, and passwords don't secure accounts as well as other authentication methods.

Defense against phishing

Relying on passwords is also insufficient in defending against phishing and social engineering attacks. These techniques commonly attempt to convince users to provide their credentials to a threat actor, often unknowingly. When these credentials are the only access control in place, this easily results in account compromise.

While user training, warning messages displayed in email clients, and similar phishing protections can help to reduce the likelihood of a user being exploited by this type of attack, these techniques will never prevent all phishing attacks. In fact, it is likely that the success rate of phishing attacks will drastically increase as threat actors adopt the use of Large Language Models to generate convincing and highly targeted text.

So instead of relying on users identifying and defeating phishing attacks, what if we could provide account access by a method that couldn't be accidentally given away?

Securing accounts with MFA

Multi-factor authentication (MFA) requires a user to provide more than one type of authentication to access an account or resource. MFA takes user authentication to the next level, making it easy and convenient for authorized users to access an account but very difficult (ideally impossible) for anyone else to.

How multi-factor authentication works

The premise of MFA is that simply knowing a secret that only the authorized user should know is not enough to prove identity. A user should provide at least one additional “factor” of identification that only the authorized user could provide—emphasis on the word could!

The ideal factor should not just be unknown to an unauthorized person; it should be impossible for anyone other than the authorized user to provide the factor regardless of what they know. Factors may include:

Something you know

This is the factor used for password-based authentication: the user must prove that they know a secret that no one else should know in order to authenticate. Other examples include account security questions, a Personal Identification Number (PIN), or a passphrase.

Something you have

This is a physical object that only the authorized user should be in possession of. Examples include a phone (with an authentication app), a USB device, or a smart card. Proof is normally given by attaching the device directly to a computer or by copying a single-use code from the device.

Note: In some cases, single-use codes can be bypassed by sophisticated malware toolkits. This method somewhat walks the line between something you have and something you know. Businesses at higher risk of this type of compromise should consider using dedicated hardware authentication devices.

Something you are

These are things related to your physical person, such as biometrics (retina scans, fingerprints, facial recognition). This type of factor is normally the most difficult to steal or compromise but generally requires complicated and expensive biometric measuring infrastructure to implement. It is, however, becoming more common on consumer devices, such as smartphones.

Somewhere you are

This authentication factor is closely tied to the security of physical assets and typically includes physical security restrictions. For example, having a user access a locked room or pass through physical security checkpoints to physically gain access to a resource.

This factor may also be enforced via Conditional Access Policies preventing authentication from outside an expected list of cities or countries. While this is a good security practice, it’s generally not specific enough to an individual user to be considered a true implementation of multi-factor authentication.

Some way you act

While this factor is less commonly used as a primary means of authentication, it’s often used to verify expected account use patterns.

This may involve the locations or times a user normally authenticates from, or other related behavioral patterns, to recognize when someone who authenticates does not appear to be the normal user.

Replacing passwords with Passkeys

Instead of adding an additional authentication factor on top of a password, many organizations are looking to replace passwords altogether with authentication factors that are both easier to use and more secure. One method beginning to gain traction is Passkeys, which allow a user to access their accounts by authenticating to a pre-registered smartphone or similar device instead.

Passkeys inherently provide MFA: something you have (the mobile device), and something you are (biometric authentication to the device, such as fingerprint unlocking). Passkeys are also well protected against phishing as a user won’t knowingly give away their device and can’t give away their fingerprint.

As an added benefit, the mature and convenient authentication methods typically offered by mobile devices allow passkeys to provide a better user experience and better security than passwords.

How secure is MFA really?

Since 2019, Microsoft has claimed that MFA can block over 99.9 percent of account compromise attacks. While they don’t expand on exactly which types of MFA are considered in the claim, Google published some more specific statistics on the effectiveness of device-based MFA in a blog, proving that these methods can be extremely effective at preventing even sophisticated and targeted attacks.

While MFA is not a magic solution to all account compromise, the impressive statistics certainly make it clear that enabling MFA on an account drastically reduces the likelihood it'll be compromised.

MFA bypass techniques

As MFA use increases, threat actors have started developing techniques to bypass MFA protections in some cases. The most commonly seen techniques for bypassing MFA are:

Authentication proxy

Threat actors may deliver a phishing email prompting a user to authenticate to a legitimate account but proxied in a way that allows the threat actor to see and steal sensitive information being transferred, such as single-use authentication codes.

This risk can be somewhat mitigated with MFA that leverages a hardware device rather than a single-use code or another method that could be accidentally given away. Sophisticated threat actors may still be able to steal an authenticated session token to bypass hardware MFA.
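To show concretely why a device-bound passkey resists the relay just described (and why the Passkeys section calls them phishing-resistant), here is an added Go sketch of the WebAuthn-style check; it is not code from the original post. The signature covers the origin the browser saw, so an assertion obtained on a look-alike domain never verifies at the real site. The toy authenticator, relying-party ID and origins are assumptions, and a real browser would refuse to use the credential on the wrong origin at all; the sketch shows it would fail even if it did.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// ClientData: the server's challenge plus the origin the user is really on.
// The browser sets Origin; neither the page nor a proxy can choose it.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signedMessage mirrors WebAuthn: SHA-256(rpID) || SHA-256(clientDataJSON).
func signedMessage(rpID string, cdJSON []byte) []byte {
	rp, cd := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdJSON)
	return append(rp[:], cd[:]...)
}

// Sign models the passkey on the device: it signs the challenge AND the origin.
func Sign(priv ed25519.PrivateKey, rpID string, cd ClientData) (cdJSON, sig []byte) {
	cdJSON, _ = json.Marshal(cd)
	return cdJSON, ed25519.Sign(priv, signedMessage(rpID, cdJSON))
}

// Verify is the relying party's check against its OWN rpID, origin and challenge.
func Verify(pub ed25519.PublicKey, rpID, origin, chal string, cdJSON, sig []byte) bool {
	var cd ClientData
	if json.Unmarshal(cdJSON, &cd) != nil || cd.Origin != origin || cd.Challenge != chal {
		return false
	}
	return ed25519.Verify(pub, signedMessage(rpID, cdJSON), sig)
}

// Demo: a genuine login, then a proxy relaying the real challenge via a look-alike
// origin, then the proxy patching the origin field. Only the first verifies.
func Demo() (genuine, relayed, patched bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	chal := "constructed-challenge-123" // constructed; real servers use fresh random bytes
	cd, sig := Sign(priv, "example.com", ClientData{Challenge: chal, Origin: "https://example.com"})
	genuine = Verify(pub, "example.com", "https://example.com", chal, cd, sig)
	cd2, sig2 := Sign(priv, "example.com", ClientData{Challenge: chal, Origin: "https://examp1e.com"})
	relayed = Verify(pub, "example.com", "https://example.com", chal, cd2, sig2)
	fixed := []byte(`{"challenge":"` + chal + `","origin":"https://example.com"}`)
	patched = Verify(pub, "example.com", "https://example.com", chal, fixed, sig2)
	return
}
```

A single-use code has no such binding: the same six digits work wherever they are typed, which is exactly what the proxy exploits.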

Many accounts can be configured to require frequent re-authentication, including when the user's device or location changes. For example, this can be configured in Microsoft Azure AD by enabling Continuous Access Evaluation.

Legacy network protocols

Many older network protocols were developed prior to the wide adoption of MFA, and as a result, do not support the use of MFA for authentication. While these protocols have been replaced by more secure standards, legacy software, services, and operating systems may not be compatible with newer protocols, requiring that less secure authentication methods continue to be permitted.

Threat actors commonly leverage legacy protocols including POP, IMAP, and SMTP to authenticate to accounts that are otherwise protected by MFA. Since MFA is not supported by these protocols, this authentication step is bypassed.

For this reason, it’s recommended to disable the use of legacy network protocols. You can do this in Microsoft Azure AD via Conditional Access Policy. This MFA bypass technique is a significant threat and may warrant upgrading to newer software and operating systems to avoid the requirement for legacy protocols.
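As an added example (not part of the original article), a small Go detector over constructed sign-in records that flags the gap this section describes: a successful single-factor login over POP3, IMAP or SMTP. The record layout and field names are assumptions loosely modelled on Azure AD sign-in logs.

```go
package main

import "encoding/json"
import "fmt"

// SignIn is a constructed, simplified sign-in record; the field names follow
// Azure AD sign-in logs but are assumptions made for this example.
type SignIn struct {
	User      string `json:"userPrincipalName"`
	ClientApp string `json:"clientAppUsed"`
	AuthReq   string `json:"authenticationRequirement"`
	ErrorCode int    `json:"errorCode"` // 0 means the sign-in succeeded
	IP        string `json:"ipAddress"`
}

// legacyClients are the protocols the text names; none can carry an MFA prompt.
var legacyClients = map[string]bool{"POP3": true, "IMAP4": true, "Authenticated SMTP": true}

// FindLegacyBypasses returns successful single-factor sign-ins over a legacy
// protocol. A malformed line is an error rather than skipped, so a parsing
// problem cannot silently hide an alert.
func FindLegacyBypasses(lines []string) ([]SignIn, error) {
	var hits []SignIn
	for i, line := range lines {
		var s SignIn
		if err := json.Unmarshal([]byte(line), &s); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		if legacyClients[s.ClientApp] && s.ErrorCode == 0 && s.AuthReq == "singleFactorAuthentication" {
			hits = append(hits, s)
		}
	}
	return hits, nil
}

// SampleLog is constructed data: an MFA browser login, a failed POP3 attempt,
// and two legacy-protocol logins that never saw an MFA challenge.
var SampleLog = []string{
	`{"userPrincipalName":"alice@example.com","clientAppUsed":"Browser","authenticationRequirement":"multiFactorAuthentication","errorCode":0,"ipAddress":"203.0.113.10"}`,
	`{"userPrincipalName":"bob@example.com","clientAppUsed":"POP3","authenticationRequirement":"singleFactorAuthentication","errorCode":50126,"ipAddress":"198.51.100.7"}`,
	`{"userPrincipalName":"alice@example.com","clientAppUsed":"IMAP4","authenticationRequirement":"singleFactorAuthentication","errorCode":0,"ipAddress":"198.51.100.7"}`,
	`{"userPrincipalName":"carol@example.com","clientAppUsed":"Authenticated SMTP","authenticationRequirement":"singleFactorAuthentication","errorCode":0,"ipAddress":"192.0.2.44"}`,
}

func main() {
	hits, err := FindLegacyBypasses(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Printf("ALERT %s via %s from %s without MFA\n", h.User, h.ClientApp, h.IP)
	}
}
```

Any hit is evidence that a legacy protocol is still permitted for that account and that the Conditional Access block described above is not yet in force.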

MFA misconceptions

Some aspects of MFA may not be obvious and can be unclear when not addressed in detail. Here are a few misconceptions worth additional clarification:

Security questions are a form of MFA

In some cases, what appears to be multi-factor authentication is just additional iterations of a single factor.

One example of this is the use of both a password and a security question. Security questions can be guessed or stolen just as passwords can, so they do not provide a significant security improvement over a password alone.

Effective MFA must use factors of more than one type to ensure that they can’t be compromised or stolen by the same means.

All MFA methods are equally secure and reliable

On the contrary, some methods are more reliable than others. For example, authenticating via a code sent to a different account (such as email or phone number) is sometimes considered to be proof of 'something you have' since only the correct user should have control over that other account.

However, account ownership can be compromised much more easily than a physical device like a smart card.

Our security recommendations

  • Enable MFA for all accounts that support it. Additional details on enabling MFA via Azure AD can be found here.
  • Avoid MFA based on another account that could be compromised (such as an email address or phone number) if a more secure method is available.

In most cases, device-based authentication is the optimal combination of practicality and increased protection; however, it’s important to conduct a security needs assessment to ensure this is the best option for your organization.

Please note that not all accounts and services support the most secure factors or methods. MFA using a weak method is still much more secure than a single factor alone, and should still be used where more secure methods are not available.

Remember that there is no one perfect MFA implementation for all organizations. If you have questions about MFA or other cybersecurity best practices, reach out to our team today!