The NCSC recently published a new version of its multi-factor authentication (MFA) guidance (Guidance) recommending that organisations use techniques that give better protection against phishing attacks. According to IBM's Cost of a Data Breach report, phishing and compromised credentials are among the most common cyberattack vectors, accounting for almost a third of data breaches – such vectors often work by stealing passwords, which hackers can use to hijack legitimate accounts and devices.

The NCSC has been advocating the use of MFA for many years. MFA (also known as 2-step verification (2SV) or two-factor authentication (2FA)) protects against many common attacks directed at user accounts by adding an extra layer of security by requiring more than one piece of evidence to confirm a user's identity (e.g. password and a single-use passcode). 

The NCSC’s 2018 guidance recommended that organisations should start implementing 2FA on the parts of their corporate IT that are accessible from the internet. This message coincided with a large-scale move of corporate digital services to the cloud, exposing such services to attacks via the internet. In making that move, the NCSC emphasised that an organisation’s authentication methods needed to be made more robust by including MFA. 

Fast forward 6 years and the NCSC remains of the view that MFA can make a big difference to security compared with relying on passwords alone, and has stated that some recent high-profile breaches of corporate data (including one that impacted Ticketmaster, Santander and other Snowflake customers) would probably not have occurred if mandatory MFA had been enforced.

However, the NCSC acknowledges that attackers are now using many of the same social engineering techniques that previously tricked users into handing over passwords to overcome some MFA methods, and has seen the success of attacks against MFA-protected accounts increasing over the past couple of years. The Guidance explains the strengths and weaknesses of the different ways of implementing MFA. This aims to help each organisation choose the strongest type of MFA that is practical for it. The Guidance outlines the multiple benefits of strong authentication while also seeking to minimise the friction that some users associate with MFA. Part of this involves only prompting for authentication or MFA when it makes a difference.

The press statement explains that whilst the NCSC requires phishing-resistant MFA when users authenticate against its corporate single sign-on (SSO) service, users are rarely prompted for it because their phone and laptop, which are enrolled in mobile device management (MDM), act as strong phishing-resistant MFA factors themselves. Users only get prompted if they use a new device, or if the system identifies something suspicious about their account, devices or how they access apps. This enables the NCSC to benefit from all the protections associated with MFA, without burdening users with prompts that can induce security fatigue.
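The risk-based prompting model described above, as an added illustration that is not code from the NCSC or the Guidance: a step-up policy that treats an attested MDM-managed device as a satisfied factor and only raises an MFA prompt on a new device or on suspicious signals. The signals, thresholds and method names (`fido2`, `impossible_travel`) are assumptions for the example.

```python
from dataclasses import dataclass

# Only methods the Guidance would class as phishing-resistant are offered
# when a prompt is required; the method names here are assumed labels.
PHISHING_RESISTANT_METHODS = ("fido2", "platform_passkey")

@dataclass
class AccessContext:
    user: str
    device_id: str
    mdm_managed: bool          # device is enrolled in MDM
    device_attested: bool      # device proved its identity to the SSO cryptographically
    known_devices: frozenset   # devices previously bound to this user
    impossible_travel: bool    # assumed anomaly signal from the SSO's risk engine
    failed_logins_last_hour: int

def step_up_decision(ctx: AccessContext, fail_threshold: int = 5):
    """Return (prompt_required, reasons, allowed_methods).

    prompt_required is False when the managed device already acts as the
    second factor and nothing about the session looks suspicious.
    """
    reasons = []
    if ctx.device_id not in ctx.known_devices:
        reasons.append("new device")
    if not (ctx.mdm_managed and ctx.device_attested):
        reasons.append("device is not a trusted managed factor")
    if ctx.impossible_travel:
        reasons.append("suspicious access pattern")
    if ctx.failed_logins_last_hour >= fail_threshold:
        reasons.append("repeated failed logins on account")
    required = bool(reasons)
    return required, reasons, PHISHING_RESISTANT_METHODS if required else ()

# Constructed sample contexts for a quick check.
TRUSTED = AccessContext("alice", "lap-01", True, True, frozenset({"lap-01", "ph-01"}), False, 0)
NEW_DEVICE = AccessContext("alice", "lap-99", True, True, frozenset({"lap-01", "ph-01"}), False, 0)
SUSPICIOUS = AccessContext("alice", "lap-01", True, True, frozenset({"lap-01"}), True, 7)
```

Running `step_up_decision` on the three constructed contexts yields no prompt for the trusted device and a phishing-resistant prompt for the other two.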

The Guidance also shares some MFA anti-patterns that the NCSC has encountered in recent years. By calling them out and explaining why they’re problematic, the NCSC hopes that organisations can avoid falling into the same traps. The Guidance also contains advice specifically for organisations that need to protect access to sensitive data and recommended types of MFA for protecting administrative privileges.

The Guidance is timely as the revised EU cybersecurity directive commonly known as NIS2 mandates the use of MFA as one of its 10 minimum cybersecurity risk management measures (NIS2 national laws will apply from 18 October 2024). For more information on NIS2 see here.