Combat data breaches, weak passwords, and phishing attacks with Multi-Factor Authentication
Delinea Team
Forrester Research has estimated that 80 percent of security breaches involve weak, default, stolen, or otherwise compromised privileged credentials. Because an organization cannot tell whether the user presenting a password is the legitimate account holder or someone who bought that password on the Dark Web, static passwords alone can no longer be trusted.
As a result, cybersecurity experts have recommended augmenting usernames and passwords with multi-factor authentication (MFA) to add a further layer of security for privileged access control. By adopting an “MFA at depth” approach, organizations establish a highly effective deterrent and minimize the risk of threat actors moving laterally across the network. Based on studies conducted by Microsoft, an account is more than 99.9% less likely to be compromised when MFA is enabled. Acknowledging the effectiveness of MFA, a growing list of industry standards and government regulations (e.g., PCI, HIPAA, NYDFS, and NIST) now require MFA as part of their prescribed privileged access process.
Many organizations already abide by this best practice. In fact, a recent study by Javelin Strategy & Research found that reliance on passwords declined from 56 percent to 47 percent over the past year, as organizations increased their adoption of both traditional MFA and strong authentication.
However, despite the obvious benefits of multi-factor authentication, organizations tend to deploy it selectively. The best practice is to enable MFA at depth: not only for certain administrators, systems, or privileged applications, since partial coverage leaves the remaining resources exposed to attacks and exploits. Instead, MFA should be enabled across all resources (VPN, firewalls, network devices, workstations, and servers, whether on-premises or in the cloud) and all use cases (e.g., MFA at password checkout, MFA at system login, and MFA at privilege elevation).
Delinea Identity-Centric PAM delivers all the necessary capabilities for organizations to enable MFA at depth, including, but not limited to:
- Flexible Choices for MFA Challenges, Including Those Already Owned: The Delinea Platform comes with a built-in MFA Authentication Service, removing the need to procure a separate solution and supporting out of the box a full range of authenticators, from the simplest to more advanced ones that ensure compliance at NIST SP 800-63A Assurance Level 2 or 3. These authenticators include, but are not limited to:
  - Mobile push notifications,
  - Security questions,
  - Phone call with PIN verification,
  - OATH tokens,
  - One-Time Passcode servers,
  - FIDO U2F and FIDO2 (e.g., Apple Touch ID® electronic fingerprint recognition, Apple Face ID® facial recognition, and Microsoft® Windows Hello™), and
  - Smart cards.

  Organizations that have already invested in MFA systems such as RSA® SecurID™, Duo® Security, or Symantec® VIP can use the RADIUS integrations to run them in conjunction with Delinea Identity-Centric PAM.
- MFA at depth: Only a platform-based approach to MFA lets enterprises protect the entire spectrum of resources. Whether it is MFA for server and workstation operating systems, for network devices, or integrated into Privileged Access Management capabilities such as checking out enterprise passwords and executing privileged commands, Delinea provides privileged user verification via MFA across all use cases. This includes an administrator logging in as themselves and elevating privilege, or an IT admin checking out the password for a shared account.
- Delinea Mobile App for Push Notification and Workflow: The Delinea Mobile App for iOS and Android gives the privileged user a simple interface for receiving MFA notifications or workflow requests for approval. The app also lets the user manage OATH tokens whose seed (secret) is vaulted by the Delinea Privileged Access Service, supporting user validation of OTP codes for privileged applications or services that enforce their own OATH-compliant MFA validation, such as the AWS® Console.
- MFA for RADIUS Client: Delinea also supports providing MFA services for network devices such as routers, switches, or firewalls where administrative access should require MFA prior to privileged user access.
- Native Support for Advanced Federated Authentication: There are other situations where the user may authenticate from an external authentication system into the Delinea Identity-Centric PAM solution via Active Directory with Kerberos/IWA or via an Identity Provider (IDP) such as Idaptive™, Okta®, Ping Identity®, or Microsoft® ADFS as well as Microsoft Azure™ using SAML. Third parties such as outsourced IT support, external developers, or vendor support can be configured to authenticate their own staff internally and access the Delinea Identity-Centric PAM solution via federation to eliminate manual account management for third-party access to an organization’s sensitive systems.
- Guard Against Attacks with Behavior-Based Access Control: Delinea’s MFA at depth capabilities add an extra layer of security only when needed — and based on risk rating — to reduce the threat associated with compromised privileged credentials. Configure behavior-based access control for IT admins who access Windows and Linux servers, elevate privilege, or leverage privileged credentials.
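The OATH tokens mentioned in the Delinea Mobile App bullet above are validated by the relying service (for example a cloud console) against the same seed that the vault holds. The following is an added example, not Delinea code, of how an OATH-compliant verifier computes and checks a TOTP code from that seed: HOTP per RFC 4226, the time-step counter per RFC 6238, a small clock-drift window, and a replay check that refuses a code from a time step that was already accepted. The seed and expected codes are the published RFC test vectors; the `TotpVerifier` class and its replay rule are this example's own design.

```python
# Added example (not Delinea code): OATH-compliant TOTP generation and
# verification as a relying service performs it against a vaulted seed.
# The seed and expected codes used below are the RFC 4226 / RFC 6238 test vectors.
import base64
import hashlib
import hmac
import struct
from typing import Optional


def seed_from_base32(encoded: str) -> bytes:
    """Decode a base32 OATH seed as distributed in provisioning URIs (padding is often omitted)."""
    text = encoded.strip().replace(" ", "").upper()
    text += "=" * (-len(text) % 8)
    return base64.b32decode(text)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(seed, unix_time // step, digits)


def matching_counter(seed: bytes, code: str, unix_time: int,
                     step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Return the time-step counter that produced `code`, tolerating +/- `window` steps
    of clock drift between token and server, or None if no step in the window matches."""
    if not (code.isdigit() and len(code) == digits):
        return None
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        # compare_digest keeps the comparison time independent of which digits match
        if hmac.compare_digest(hotp(seed, counter, digits), code):
            return counter
    return None


def verify_totp(seed: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    return matching_counter(seed, code, unix_time, step, digits, window) is not None


class TotpVerifier:
    """Stateful verifier (example design): a code is accepted once per time step, so a
    captured code cannot be replayed within the drift window."""

    def __init__(self, seed: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.seed, self.step, self.digits, self.window = seed, step, digits, window
        self.last_counter = -1  # highest time-step counter already consumed

    def consume(self, code: str, unix_time: int) -> bool:
        counter = matching_counter(self.seed, code, unix_time, self.step, self.digits, self.window)
        if counter is None or counter <= self.last_counter:
            return False
        self.last_counter = counter
        return True


if __name__ == "__main__":
    seed = seed_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # RFC 6238 SHA-1 test seed
    print(totp(seed, 59), totp(seed, 59, digits=8))  # 287082 94287082
    verifier = TotpVerifier(seed)
    print(verifier.consume("287082", 59), verifier.consume("287082", 70))  # True False
```

The drift window is the usual trade-off: a window of one step (30 seconds either side) absorbs ordinary clock skew, while the replay check closes the gap that the window would otherwise open.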
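The behavior-based access control bullet above describes stepping up to MFA only when the risk rating warrants it, while the MFA at depth guidance earlier on the page makes password checkout and privilege elevation MFA-gated regardless of context. The following is an added example, not Delinea code or its risk model, of a policy function that combines the two: a constructed set of contextual signals with constructed weights and threshold, an unconditional step-up for the sensitive use cases, and a decision record that carries the reasons for audit.

```python
# Added example (not Delinea code): a toy behavior-based step-up policy.
# Signal names, weights, the threshold and the sample requests are constructed
# for illustration and are not Delinea's risk model.
from dataclasses import dataclass, field
from typing import List, Set

# Use cases that require MFA unconditionally (MFA at depth).
ALWAYS_MFA_USE_CASES = {"password_checkout", "privilege_elevation"}

# Constructed risk weights for contextual signals observed at request time.
RISK_WEIGHTS = {
    "new_device": 40,
    "new_location": 30,
    "untrusted_network": 30,
    "recent_failed_logins": 25,
    "off_hours": 15,
}
RISK_THRESHOLD = 50  # at or above this score a plain login is stepped up to MFA


@dataclass
class AccessRequest:
    user: str
    use_case: str                       # "login", "password_checkout" or "privilege_elevation"
    resource: str                       # e.g. "linux-server", "windows-server"
    signals: Set[str] = field(default_factory=set)


@dataclass
class Decision:
    require_mfa: bool
    risk_score: int
    reasons: List[str]                  # why MFA was required; empty when it was not


def risk_score(signals: Set[str]) -> int:
    """Sum the weights of the observed signals; unknown signals are a configuration error."""
    unknown = signals - set(RISK_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown risk signals: {sorted(unknown)}")
    return sum(RISK_WEIGHTS[s] for s in signals)


def evaluate(req: AccessRequest) -> Decision:
    """Decide whether this request must complete an MFA challenge before it is allowed."""
    reasons: List[str] = []
    score = risk_score(req.signals)
    if req.use_case in ALWAYS_MFA_USE_CASES:
        reasons.append(f"{req.use_case} always requires MFA")
    if score >= RISK_THRESHOLD:
        reasons.append(f"risk score {score} >= {RISK_THRESHOLD} ({', '.join(sorted(req.signals))})")
    return Decision(require_mfa=bool(reasons), risk_score=score, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample requests: a routine login, a risky login, and a privilege elevation.
    samples = [
        AccessRequest("alice", "login", "linux-server"),
        AccessRequest("alice", "login", "linux-server", {"new_device", "new_location"}),
        AccessRequest("bob", "login", "windows-server", {"off_hours"}),
        AccessRequest("bob", "privilege_elevation", "windows-server"),
    ]
    for req in samples:
        d = evaluate(req)
        print(f"{req.user:6} {req.use_case:20} mfa={d.require_mfa!s:5} score={d.risk_score:3} {d.reasons}")
```

Keeping the unconditional rule separate from the score means a misconfigured weight table can never silently remove MFA from password checkout or privilege elevation, and the `reasons` list gives the SOC a record of why each challenge was issued.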
Related reading: Check your password hygiene practices against our 20 password management best practices.