Recently I had to call the IT helpdesk of a Fortune 500 company we partner with because their authentication app stopped working on my phone. In order to access their systems, I first have to log in with a username and password, then provide the code generated by their authentication app installed on my phone (which first prompts me to authenticate myself on the phone). This sounds secure, right? Multi-factor authentication: check!
But their processes have a huge vulnerability that rendered this technical control largely worthless. When I called their helpdesk, the phone system prompted me for my employee ID. Since I’m not an employee, I didn’t enter one and followed the prompts to reach a support technician. I explained my issue, he asked me my name and then looked up my account. He had me try uninstalling and reinstalling the app on my phone, but still no joy. He decided that the app must not be compatible with my phone anymore and generated a temporary code that I can use to access their systems for the next three days, then asked me for my mailing address so he could send me a hardware token to use going forward. But at no time did he authenticate me! He identified me when he asked me for my name, but after he looked me up he took me at my word that I was who I claimed to be.
I now have a way to authenticate on their systems both immediately and for the longer term. Granted, an attacker who impersonated me in this scenario would also need my username and password to gain access as me, but that's exactly the premise that using MFA is intended to mitigate.
Your organization's technical controls work hand in hand with your policies and processes. You might have a shiny, expensive network security appliance guarding the front door to your network, but if your processes are weak, or if people aren't following them correctly because training and awareness are lacking, then your organization's actual level of risk is much higher than you may have assumed. In the helpdesk case above, the technical control (MFA) was sound; the process around it let anyone who knew a user's name bypass it, because looking a caller up in a directory identifies them but does not authenticate them.
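To make the identification-versus-authentication distinction concrete, here is an added example (my own illustration, not the partner company's system or any product's code) modelling a helpdesk MFA-bypass flow in Python. The `weak_issue_bypass` path reproduces what happened on the call: look the caller up by name and mint a three-day bypass code. The hardened path refuses to mint anything until the caller has read back a one-time code sent to a contact address that was already on file before the call, so an impersonator who knows only the victim's name cannot complete it. The `User` record, the `HelpdeskReset` class, the `send` hook and the ten-minute challenge window are all assumptions chosen for the illustration.

```python
"""Helpdesk MFA-bypass issuance: identification is not authentication.

Hypothetical model written for this post; not the partner company's real
helpdesk system. Weak path: look the caller up, take them at their word.
Hardened path: require proof of control of a contact channel on file
before any bypass code is issued.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    registered_email: str   # on file BEFORE the call; never taken from the caller


class HelpdeskReset:
    CHALLENGE_TTL = 10 * 60        # caller has 10 minutes to read the code back (assumed)
    BYPASS_TTL = 3 * 24 * 3600     # the three-day window from the story

    def __init__(self, directory, clock=time.time, send=None):
        self._dir = {u.username: u for u in directory}
        self._clock = clock                       # injectable for testing expiry
        self._send = send or (lambda addr, msg: None)  # e-mail/SMS transport stand-in
        self._challenges = {}   # username -> (sha256(code), expires_at)
        self._verified = {}     # username -> time verification succeeded
        self.audit = []         # append-only record of every decision

    def identify(self, name):
        """Identification only: maps a claimed name to an account. Proves nothing."""
        return self._dir.get(name)

    def weak_issue_bypass(self, name, technician):
        """The flow from the call: lookup, then trust the caller's claim."""
        user = self.identify(name)
        if user is None:
            raise LookupError(name)
        return self._mint(user, technician, verified=False)

    def start_verification(self, name):
        """Send a one-time code to the address ON FILE; the caller must read it back."""
        user = self.identify(name)
        if user is None:
            raise LookupError(name)
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).hexdigest()   # never store the code itself
        self._challenges[name] = (digest, self._clock() + self.CHALLENGE_TTL)
        self._send(user.registered_email, f"Helpdesk verification code: {code}")
        self.audit.append(("challenge_sent", name))

    def complete_verification(self, name, response):
        """Single-use, time-limited check; a wrong answer consumes the challenge."""
        entry = self._challenges.pop(name, None)
        if entry is None:
            return False
        digest, expires_at = entry
        if self._clock() > expires_at:
            self.audit.append(("challenge_expired", name))
            return False
        ok = hmac.compare_digest(digest, hashlib.sha256(response.encode()).hexdigest())
        if ok:
            self._verified[name] = self._clock()
        self.audit.append(("verification_ok" if ok else "verification_failed", name))
        return ok

    def issue_bypass(self, name, technician):
        """Hardened flow: identified AND verified, otherwise refuse and log it."""
        user = self.identify(name)
        if user is None:
            raise LookupError(name)
        if self._verified.pop(name, None) is None:   # one verification = one issuance
            self.audit.append(("bypass_refused_unverified", name, technician))
            raise PermissionError("caller identified but not authenticated")
        return self._mint(user, technician, verified=True)

    def _mint(self, user, technician, verified):
        code = secrets.token_urlsafe(12)
        expires_at = self._clock() + self.BYPASS_TTL
        self.audit.append(("bypass_issued", user.username, technician, verified, expires_at))
        return code, expires_at
```

The audit entries are the part a reviewer or auditor would actually read: a `bypass_issued` record with `verified=False` is exactly the finding described in this post, and a `bypass_refused_unverified` record shows the process holding when someone tries the same thing. A real deployment would also rate-limit `start_verification` per account and send the hardware token only to the address on file, not one supplied during the call.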
It's issues like this that a third-party information security audit can help you identify, and once they've been identified, they can be mitigated. Yes, a gap such as this would result in a finding during an audit, but more importantly it's something an attacker could seek to exploit, and a helpdesk call costs far less than breaking MFA head-on. Security audits and readiness assessments aren't intended just to check the box for a certification body so it will renew your certification for another year, or three; if that's how your organization is using them, you're missing out on the real value.