Banks Need to Upgrade Their MFA To Protect Users and Assets

By Yiftach Keshet, Director of Product Marketing at Silverfort

Financial institutions are a major target for cybercriminals. Unfortunately, the tools banks currently use to protect themselves by securing user access and guarding against external threats are no longer fit for purpose.

Multi-factor authentication (MFA) is a primary form of defence for financial institutions. But Standard MFA solutions leave gaping security holes because they cannot defend every asset or resource. To address this challenge, banks must upgrade to a new model which “protects the unprotectable” – or risk leaving their valuable resources open to attack.

The problems with MFA

When users attempt to access a resource that is protected by MFA, they cannot simply enter a password and gain access, but must submit two or more verification factors which could include anything from biometric data to an SMS code that is generated and sent to their mobile phone. After authentication, users are given permission to interact with resources such as servers, applications, cloud workloads, and more.

There are two problems with traditional MFA:

Partial support: The first is that being a relatively new technology, MFA is not supported by legacy banking applications, or command-line access to servers and workstations. For example, both Kerberos and NTLM, which are the standard authentication protocols in the on-prem environment do not support MFA, meaning that an attacker that has infiltrated the network can use compromised credentials to access critical servers without MFA protection.

Partial deployment: The second problem rises from the traditional MFA deployment model that it protects at the resource level and entails either an agent on the protected resource or a proxy in front of a network segment.

Organisations, by their nature, are designed to grow. So as businesses increase the number of resources, they are forced to ramp up deployment, configuration, and maintenance of their MFA solutions in proportion to the number of resources that must be protected. This can quickly become unmanageable, forcing banks to spend money and recruit more staff – which is not always easy due to the ongoing global cybersecurity skills shortage.

In practice, the result of the partial support and coverage is exclusion of core banking resources from MFA protection, leaving them exposed to attacks. This is not sustainable, and a change is required.

Solving the challenge – Unified Identity Protection MFA

To address the challenges of MFA, organisations in the financial sector should move to a new model of Unified Threat Protection. These solutions act as a layer of protection which natively integrates with the IAM solutions in the environment to continuously monitor, analyse and enforce MFA policies on all user access in the hybrid environment.

This approach solves both the partial support and the partial coverage problems. The direct integration with the IAMs eliminates the coverage problem because, by definition, every authentication passes through the IAM that forwards is to the MFA for analysis and policy enforcement. By eliminating both agents and proxies, companies can apply the MFA layer to resources which could not previously be protected in this manner.

In the same manner, since the MFA gets the data from the IAM directly, it no longer matters what protocol was used to initiate the request in the first place. The IAM informs the MFA what user attempts to access which resource, enabling the MFA to enforce the access policy regardless of the authentication protocol that was used. This novel approach can also protect assets that were simply impossible to guard in the past, such as homegrown or legacy applications, IT infrastructure, and file systems.

The integrations with all IAM in the environment enable the MFA solution to gain visibility into the entire authentication trail of each user and infer the real-time context of each access request. This analysis can be leveraged to adaptive policies that employ risk-based authentication rather than static rules.

To protect banks and financial institutions, MFA must be able to monitor all access attempts by both users and service accounts as well as analysing risk in real-time using AI to enforce adaptive, flexible access policies. It must also be adaptive and capable across corporate networks and cloud environments, without requiring any software agents or inline proxies.

Unified Identity Protection MFA Banking Use Cases

There are many use cases which illustrate the need for a better form of MFA and demonstrate the value of upgrading this security framework. Admins at financial institutions around the world commonly use command-line tools such as PsExec, Remote PowerShell, and WMI to configure, manage and troubleshoot machines in their environments. Threat actors use the same tools to propagate ransomware and move laterally through the network.

As we have explained before, the authentication protocols of command-line tools do not support MFA, creating a security gap. An agentless and proxyless solution solves this problem by integrating with Active Directory and handling both risk analysis and MFA.

Remote desktop access tools represent another use case for agentless and proxyless MFA. These tools have become vitally important in the home-working era, but MFA is not always applied to all machines in the environment due to the partial coverage problem, which leaves some connections unsecured. MFA solutions that integrate directly with Active Directory can provide the full coverage that is typically hard to achieve when an agent must be deployed on each machine.

Ransomware is one of the threats which can be mitigated by using a next-generation MFA solution. File shares are a preferred target for threat actors because they allow access to resources. Again, legacy MFA cannot be applied to file shares because access is managed by a CIFS (Common Internet File System) authentication protocol that does not support it. A Unified Identity Protection MFA solution that operates without agents or proxies can fill this security gap by integrating with Active Directory to apply MFA to any authentication, regardless of which protocol it uses.

Protecting The Unprotectable

When banks and financial institutions upgrade their MFA and move beyond proxies and agents, they can achieve the once impossible task of protecting assets and resources that were once unprotectable. The threat to banks is not about to diminish and, as digital banking becomes more and more popular, the number of users and resources needed to serve those users will continue to grow. It is time for financial institutions to upgrade their MFA before they are forced to count the cost of a cyberattack.