
Secure Our World — CECOM recommends enabling multifactor authentication to enhance cybersecurity

By CECOM CIO G6 Cybersecurity, October 17, 2024

(Photo Credit: U.S. Army graphic)

ABERDEEN PROVING GROUND, Md. — During National Cybersecurity Awareness Month, the U.S. Army Communications-Electronics Command recognizes that enabling multifactor authentication on all accounts is essential to combat cyber threats and to “Secure Our World.”

What is multifactor authentication?  

Multifactor authentication is a security feature that dramatically reduces the risk of unauthorized access to online systems. MFA requires users to present two or more factors to secure an account:

· Something they know, like a password.

· Something they have, such as a smartphone or hardware token.

· Something they are, such as biometric data like a fingerprint.

According to Microsoft’s 2023 Security Report, MFA can prevent 99% of account-based attacks, making it one of the most effective defenses against unauthorized access.

A Common Access Card is one of our government's most widely known forms of MFA to protect sensitive information and systems from unauthorized access. The physical CAC contains encrypted certificates and digital signatures, making it a secure possession-based factor. Users must enter a personal identification number to authenticate the card, providing the second factor.

The Department of Defense has been modernizing security standards across its online systems to ensure CAC or other forms of MFA are supported to comply with cybersecurity regulations, like those outlined in the DOD Cybersecurity Maturity Model Certification and NIST SP 800-171. Most government websites and systems that require higher security, such as those dealing with sensitive or classified information, are designed to support CAC authentication. However, not all DOD websites support CACs, particularly older systems or those with lower security. They may rely on username and password combinations or use other forms of authentication.

Despite its effectiveness, adoption of MFA remains low. As of 2023, only about 30% of organizations worldwide have fully implemented MFA. This fact is concerning, considering that weak or stolen passwords were involved in 74% of data breaches, according to the 2023 Verizon Data Breach Investigations Report, an industry-leading annual report that offers a detailed analysis of data breach trends. Additionally, only 37% of Americans use MFA, according to a 2019 Google and The Harris Poll survey, and only 55% could define MFA correctly. There is also a gap in adoption trends as 16- to 24-year-olds are more likely to enable it than older generations.

The surge in cyber threats

Cyberattacks have been increasing in frequency and severity. According to Check Point Research, a cybersecurity firm specializing in threat intelligence and internet security, global cyberattacks increased by 38% in 2023 compared to the previous year.

The significant uptick in cyberattacks, driven by opportunistic hackers and organized cybercriminal groups, demonstrates the urgent need for robust security measures. Even if hackers obtain a password, MFA ensures they cannot gain access without a second factor.

Phishing attacks, where attackers impersonate legitimate sources to trick users into revealing their login credentials, are among the most popular methods hackers use to compromise accounts. Proofpoint, a cybersecurity company specializing in email and cloud security, noted in its 2023 State of the Phish Report that 83% of organizations experienced a phishing attack in 2023, and 25% of those attacks resulted in data breaches. MFA plays a crucial role in combating these attacks. Even if users are deceived into providing their login credentials, the attackers cannot proceed without an additional form of authentication, such as a fingerprint scan or a code sent to a mobile device. As phishing schemes become more sophisticated, MFA provides a critical safeguard against these growing threats.

There are other ways to force adoption as well. In August 2023, Google announced that it had automatically enrolled over 150 million users into its two-step verification system, which resulted in a 50% reduction in compromised accounts. Google's decision to automatically activate MFA for millions of users demonstrates the effectiveness of this extra security layer, even when users might not fully understand the risks they face.

Real-world cases

Below are some examples of recent events where enabling MFA could have stopped attackers and the resulting damages:

Colonial Pipeline: As one of the largest fuel pipelines in the United States, it supplies nearly half of the East Coast's gasoline, diesel, and jet fuel. In May 2021, the company fell victim to a ransomware attack perpetrated by the cybercriminal group DarkSide, which infiltrated systems through a compromised password. This attack resulted in a six-day shutdown of the pipeline, causing widespread fuel shortages, price spikes, and disruptions in airline travel across the region. The attackers were able to encrypt critical data and demand a ransom; approximately $4.4 million in Bitcoin was paid to regain access to the company's systems.

U.K. National Health Service: Among the most disruptive attacks of 2023 was the ransomware attack on the NHS in August. The attack caused significant disruptions to critical services, with hospitals and medical centers unable to access patient data or schedule appointments for days. While the attack targeted legacy systems, cybersecurity experts believe that had MFA been implemented more broadly across its systems, it could have prevented unauthorized access to sensitive data.

Banco de Chile: One of the largest banks in Latin America, Banco de Chile was targeted by a cyberattack in 2023 that resulted in the theft of $10 million. Investigations revealed that the hackers had accessed the bank’s network using compromised credentials obtained through a phishing scheme. The breach might have been prevented if MFA had been used as an extra layer of security to verify login attempts.

Los Angeles Unified School District: In 2023, the second-largest public school system in the United States was hit by a ransomware attack that disrupted access to email systems, student data, and online learning platforms for several days. The district reported that the attackers had gained access through compromised administrator accounts that did not have MFA enabled. As educational institutions become increasingly digital, MFA is emerging as a critical tool to protect sensitive student and faculty data from cyber threats.

Implementing MFA

MFA should be a top priority for individuals and organizations looking to secure their data. Below are some best practices for implementing MFA effectively:

Enable MFA on all accounts where available: MFA should be mandatory for all accounts with access to sensitive or critical information. This includes email, banking, social media, and work-related platforms. Ensure that users have multiple MFA options in case of device loss or failure.

Use app-based authenticators and hardware-based security keys: Phishing attacks that trick users into entering their second factor are less effective with these methods. Applications like Google Authenticator or Microsoft Authenticator are more secure than SMS-based authentication, which can be vulnerable to SIM-swapping attacks.

Adopt biometric authentication: Using fingerprint or facial recognition adds a layer of security that is difficult to replicate, making it harder for attackers to bypass.

Monitor for MFA fatigue: Attackers may attempt to flood users with MFA push notifications to trick them into accepting unauthorized logins. Implement controls that limit the number of allowed prompts and require re-authentication after a set threshold.

Review and update security settings regularly: Ensuring MFA options are properly configured and updated is essential for maintaining strong security. Organizations should also regularly audit MFA logs to identify suspicious activity or attempts to bypass the system.

Promote training and awareness: Many breaches occur because employees disable MFA for convenience or do not understand why it is critical. Regular cybersecurity training ensures staff understand the risks of deactivating MFA and its crucial role in securing accounts.
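
One way to implement the prompt limit and the log audit described in the "Monitor for MFA fatigue" and "Review and update security settings regularly" items above, as an added example that is not part of the original article. The log format, event names, and thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_PROMPTS = 3                 # assumed limit on pushes per window
WINDOW = timedelta(minutes=5)   # assumed sliding window

# Constructed sample log: "<ISO timestamp> <user> <event>" (hypothetical format)
SAMPLE_LOG = """\
2024-10-17T02:10:00 bob push_sent
2024-10-17T02:10:20 bob push_denied
2024-10-17T02:10:40 bob push_sent
2024-10-17T02:11:00 bob push_sent
2024-10-17T02:11:30 bob push_sent
2024-10-17T02:12:00 bob push_sent
2024-10-17T02:12:10 bob push_approved
2024-10-17T08:00:00 alice push_sent
2024-10-17T08:00:10 alice push_approved
"""

def prompt_decision(recent_prompts, now, max_prompts=MAX_PROMPTS, window=WINDOW):
    """Control: send another push, or fall back to full re-authentication."""
    in_window = [t for t in recent_prompts if now - t <= window]
    return "send_push" if len(in_window) < max_prompts else "require_reauth"

def review_push_events(log, max_prompts=MAX_PROMPTS, window=WINDOW):
    """Audit: flag prompt bursts and approvals that arrive during a burst."""
    recent = defaultdict(deque)    # user -> timestamps of prompts in the window
    findings = defaultdict(list)   # user -> finding names, in order seen
    for line in log.strip().splitlines():
        stamp, user, event = line.split()
        ts, q = datetime.fromisoformat(stamp), recent[user]
        while q and ts - q[0] > window:   # expire prompts older than the window
            q.popleft()
        if event == "push_sent":
            q.append(ts)
            if len(q) > max_prompts and "prompt_limit_exceeded" not in findings[user]:
                findings[user].append("prompt_limit_exceeded")
        elif event == "push_approved":
            if len(q) > max_prompts:      # approval right after a flood of prompts
                findings[user].append("approved_after_burst")
            q.clear()                     # a completed login resets the counter
    return {u: f for u, f in findings.items() if f}

if __name__ == "__main__":
    for user, flags in review_push_events(SAMPLE_LOG).items():
        print(user, flags)
```

An `approved_after_burst` finding is the one to triage first, since it marks an approval that followed more prompts than the limit allows.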

Secure Our World with MFA

MFA remains one of the most effective tools for protecting sensitive data. MFA can block nearly all account-based attacks and significantly reduces the risk of breaches. While it is not foolproof, when combined with other security practices like user education, zero-trust policies, and regular monitoring, MFA is very secure. By adopting phishing-resistant methods and enforcing MFA across all platforms, individuals and organizations can stay ahead of cyber threats and protect their sensitive data.

As leading cybersecurity experts emphasize, MFA is no longer optional—it is necessary for anyone looking to protect their online presence.