Introduction

Working for SaaS scale-ups, I’ve had my fair share of client security questionnaires to fill out. Every single one of these questionnaires included a question similar to:

Do your employees/admins use MFA?

If I answer “no”, all hell breaks loose the client gets uneasy and starts asking all sorts of questions. If I answer “yes”, I get a satisfied, congratulatory nod. The security community has, it seems, made up its mind about this subject.

So, let me tell you all about our lord & saviour, multi-factor authentication. (Spoiler: MFA is good. Use it.)

Definition

According to Wikipedia:

Multi-factor authentication is an electronic authentication method in which a user is granted access to an application after successfully presenting two or more pieces of evidence (or factors):

  • knowledge / something only the user knows, usually a password
  • possession / something only the user has, usually an OTP token (physical or virtual), key, card etc.
  • inherence / something only the user is, usually fingerprints.

Basically, MFA adds another check to the authentication workflow.

Why use MFA?

MFA rose to prominence because we, humans, are notoriously bad at passwords. Check out my article about password security for a concrete example of that.

Human brains are wired to recognize, create & use patterns and have a hard time with seemingly incoherent bits of information. Unfortunately, the strongest passwords, those with the highest entropy, are the most random ones.

“Improving security is easy, just train people to use stronger passwords!”

If you’re tempted to say this :point_up:, you’ve clearly forgotten that passwords can be stolen (through phishing for example).

Enter multi-factor authentication!

An attacker wanting to steal your account has to steal both a password and a second factor (physical OTP token, unlocked phone etc.). Congratulations, MFA just slashed the probability of a successful attack. Only the most determined of attackers will go through the hassle of stealing your password & physically robbing you of your phone or OTP token. They’re much more likely to succeed in hijacking your account through a vulnerability in the app you’re using (possibly an XSS).

“But if an attacker can abuse the app and steal my session regardless of MFA, what’s the point?”

And if you’re tempted to say that :point_up:, you’ve clearly forgotten all about password spraying, dictionary and credential stuffing attacks.

The problem with MFA

So we’ve just established that MFA is great. You should use it.

“But it’s such a hassle…”

If you’re tempted to say that :point_up:, well, you’re not entirely wrong.

Having MFA set on an account requires you to faff around with a second token during the auth workflow. Manually copying a 6 digit code from an SMS (please stop complaining it’s not secure, it’s much better than no MFA), or your favourite OTP app (mine is Aegis), is not great UX. U2F keys are thankfully bringing much needed improved UX to the field, but are not yet widely adopted.

In practice

In my experience, SaaS scale-ups are rather reluctant to implement MFA in their apps. Sometimes, they’re even unwilling to roll it out for internal services & apps.

Various reasons are cited:

“MFA Deteriorates user experience”

“The product team has other business priorities”

“We don’t have enough budget / dev time”

Do you want to guess what happens next? :point_right: Incidents.

In 2021, I’ve had 4 incidents of potential account theft. In 3 of them, MFA protected users from actually getting compromised (even though passwords were indeed stolen). The fourth user alerted the security team quickly enough for us to be able to remediate the issue with minimal impact.

What have I learned

MFA for the backstage crew

If you’re a security engineer working for a SaaS provider trying to minimise risk, your best bet is to work on enforcing MFA for all employees on all apps/services within (or related to) the SaaS platform you’re providing.

Even the support & sales people should have MFA. Support people usually have access to a lot of business information & potentially users personal data. Sales people spend time demoing the SaaS platform to prospective customers, and getting them to showcase MFA on your SaaS product will help reassure these customers.

For the rest of the staff, enforcing MFA helps establish a security culture while reducing this staff’s risk exposure.

MFA for the audience

For external users of your SaaS apps, the bare minimum is to provide them with the ability to enable MFA for themselves.

It’s not going to be easy to enforce MFA on all their accounts. If your organisation ends up doing it, it’ll probably be a cross-functional effort including support, product & engineering teams, and will need to include multiple options for the 2nd factors. Good luck with that.

Silver bullet

A silver bullet, MFA is not, even if it does help prevent some attacks. However, its effects in improving the security posture in the organisation & reassuring clients should not be underestimated.

Pushing it on reluctant people is not easy, so it’s best done when the organisation is young.