How MFA efforts are being eroded by legacy authentication

Multi-factor authentication (MFA) is – according to Australian cybersecurity authorities – “one of the most effective controls an organisation can implement to prevent an adversary from gaining access to a device or network and accessing sensitive information”.

“When implemented correctly, MFA can make it significantly more difficult for an adversary to steal legitimate credentials to facilitate further malicious activities on a network,” the Australian Cyber Security Centre (ACSC) says. “Due to its effectiveness, multi-factor authentication is one of the Essential Eight from the Strategies to Mitigate Cyber Security Incidents.”

MFA’s deployment is also aligned to CIS 18 – which means two of Australia’s most popular security frameworks both recommend applying this type of protection to user accounts.

Despite this, the actual use of MFA is not yet at its desired level.

A recent survey showed that only 37% of businesses “have a requirement for their people to use two-factor authentication when accessing their network, or for applications they use.”

Frustration at the lack of movement on MFA is, at times, palpable; according to one global survey in mid-2020, 29% of respondents saw their “inability to institute MFA as the biggest threat to their company.”

A post by Microsoft’s Director of Identity Security Alex Weinert late last month encapsulates the threat perfectly: “When we look at hacked accounts, more than 99.9% don’t have MFA, making them vulnerable to password spray, phishing, and password reuse,” Weinert wrote.

This should be a wake-up call for all organisations. An organisation without MFA is putting itself, its accounts, and the permissions and data that sits behind those logins, at considerable risk of compromise.

Start with Email, Move to Cloud

Older IMAP, SMTP and POP3-based email services used what was the industry-standard authentication of their time: a simple username and password combination (basic authentication). The problem is that these legacy protocols have no concept of MFA: a valid username and password alone grants access, regardless of how the account is configured.

For Microsoft-hosted services, this is in the process of changing. Microsoft already changed the default configuration for new Exchange Online tenants in 2019 to block legacy authentication for everything but SMTP. Microsoft also announced that from Oct 1 2022 it would begin disabling legacy authentication for some customers, and that at some point it will disable it across the board.

Microsoft is also initiating MFA challenges on its cloud accounts.

So how should you deal with these changes?

A staged approach is most likely to succeed in this instance. This might include initially limiting legacy username-password authentication to specific applications or users while enforcing modern authentication across the rest of the organisation. This outcome can be achieved via Microsoft Conditional Access policies.

Using a staged approach allows organisations to make the changes required to achieve the best security standard for modern authentication, ensuring that they get the full security benefit of enforcing and deploying MFA.
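The staged approach described above, as an added example that is not part of the original article: a Microsoft Graph PowerShell script that first reports who is still signing in with legacy clients, then creates a Conditional Access policy blocking legacy authentication for everyone except an exception group, in report-only mode. It assumes the Microsoft.Graph SDK is installed and that a security group named "CA-LegacyAuth-Exceptions" (a placeholder name) already exists.

```powershell
# Added example, not the article's or Microsoft's own code.
# Assumes: Microsoft.Graph PowerShell SDK; an existing group "CA-LegacyAuth-Exceptions"
# (placeholder name) holding the users/service accounts that still need basic auth.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","AuditLog.Read.All","Group.Read.All"

# 1. Baseline: who still signs in with legacy clients? Review this before blocking anything.
#    Modern auth shows up as "Browser" or "Mobile Apps and Desktop clients"; everything else
#    (Exchange ActiveSync, IMAP4, POP3, Authenticated SMTP, Other clients) is legacy.
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$legacySignIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin @("Browser","Mobile Apps and Desktop clients") }
$legacySignIns | Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. The "staged" part: a group of exceptions that keep legacy auth for now.
$exceptions = Get-MgGroup -Filter "displayName eq 'CA-LegacyAuth-Exceptions'"

# 3. Policy: all users (minus exceptions), all cloud apps, client app types that can only
#    do legacy auth -> block. Start in report-only so the impact is visible in sign-in logs.
$policy = @{
    displayName   = "Block legacy authentication (staged)"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" to enforce
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($exceptions.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync","other")  # "other" = legacy IMAP/POP3/SMTP clients
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# 4. Once the report-only results show no unexpected blocks, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Shrink the exception group over time as each remaining application is moved to modern authentication; the sign-in report in step 1 shows when it can be emptied.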

Bring in the experts

While organisations are aware of the threat and the extra risk burden they shoulder by not enabling MFA on user accounts, they may not be in a position to act on it.

“Unfortunately, many companies lack a team of security experts to address these issues, and often have no IT team at all,” Weinert writes. “So, even though the industry is clear on the importance of MFA, there’s no one to hear or execute on these security mandates. These organisations are often the most vulnerable and experience the most compromised accounts.”

Understanding where to look for and engage third-party assistance is a requisite step to progress.

Come and talk with Tecala to better understand this staged approach and to assess your current security risks. Only through understanding your risk profile and a clear strategic security plan can you accurately determine what is required to ensure your security within this ever-changing business and global environment.

Assess your vulnerability to attack. Protect your reputation.

Working to a risk assessment matrix, we’ll clearly identify where your business is most susceptible to breach or attack.

Our assessment follows 3 Steps:

  1. Identify where and how your business operations create your potential for risk.
  2. Explain the two primary security frameworks and how to apply them to your organisation.
  3. Define next steps: achieve peace of mind with a tailored Strategic Security Roadmap for your business.

Don’t be tomorrow’s headline. Book your session today.