Whether you’re currently updating your website or building one from scratch, you’ve probably thrown around the idea of deploying multi-factor authentication (MFA). After all, it’s credited for defending web assets and users from the abuse of stolen credentials (one of the most pervasive issues) and enhancing security.
Or maybe MFA is already live on your website—if so, have you questioned if it keeps bots out of user accounts?
When organizations consider the options for website security, they can’t afford to get it wrong. According to a recent survey by Ponemon, the biggest cost factor in data breaches was lost business. The hard truth is that when customers go away, typically, they don’t come back. As organizations become increasingly digital, the integrity and availability of IT services, including websites hosting user accounts, will be the deciding factor in revenues. So we land on the question—what is the best way to protect logins so that customer trust stays intact?
MFA—Good, But Not Flawless
If we had to give MFA a rating, it would be a B+. There is value in layering the authentication solution into an overall website security strategy. However, MFA does not prevent credential stuffing. Instead, it only makes a successful stuffing run less immediately profitable.
In a scenario where a fraudster obtains credential information, a website with active MFA is a great testing ground for the validity of the usernames and passwords. All the cybercriminal has to do is start a credential stuffing script that has bots return which credential pairs triggered an MFA prompt, because the prompt only appears after the password has already been accepted.
From there, the fraudster has some options in how to escalate the attack.
- Option 1: Switch attack methods to find business assets that are not gated by MFA.
- Option 2: Change from bot attacks to manual attacks, like sending out phishing emails to get the MFA verification code.
- Option 3: Insert Man-in-the-Middle technologies to capture any MFA tokens or keys.
Double Down With Bot Protection
While much of the talk about bots revolves around their growing sophistication, it should be noted that the fraudsters behind the attack are the real masterminds. Bots are just a script or automated tool—fraudsters are able to escalate attacks with manual efforts that bots aren’t able to complete. Knowing this, organizations implementing website security must take into consideration the full spectrum of attacks that could lead to data breaches, which damage networks and cash flow and erode customer trust.
Even in cases where MFA is in place, organizations will benefit from stopping bot activity. Doing so reduces the chances of the authentication being duped by human-powered attacks and can stop Man-in-the-Middle attacks used to pick off MFA credentials.
Using a blend of security technologies including supervised machine learning, artificial intelligence, and behavioral analysis, bot mitigation can separate legitimate users from malicious actors—even in the event that they have the MFA verification code. By identifying certain behaviors and key characteristics like multiple logins from the same IP address, defenders have the power to see the true makeup of their website traffic. BotRx does this by using Moving Target Defense to adapt the attack surface, making it more costly for the attacker, while also providing manual attack protection with business logic. To learn more about stopping bots that can harm your website, read Stopping Bots on Day One Shouldn’t Be the Exception.
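The credential-validation problem described above (the MFA prompt confirming which passwords were correct) and the "multiple logins from the same IP address" signal mentioned here can both be checked from ordinary login logs. The following is an added example written for this page, not BotRx code and not any product's log format: the log lines, field layout, outcome names and thresholds are all constructed for illustration. It aggregates login outcomes per source IP and flags sources that try many distinct usernames, reach the MFA step for some of them, and almost never complete it, which is the footprint of a stuffing run using MFA as an oracle rather than of a shared office gateway whose users do finish MFA.

```python
"""Spot credential-stuffing sources that use the MFA prompt as a password oracle.

Added example for illustration; the log format, outcome names and thresholds
below are constructed assumptions, not any vendor's or product's format.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log. Each line: "<timestamp> <client_ip> <username> <outcome>"
# outcome is one of: bad_password | mfa_challenged | mfa_passed
# 203.0.113.7 sprays eight usernames, hits the MFA prompt for three, completes none.
# 198.51.100.9 and 192.0.2.44 look like ordinary users who finish MFA.
SAMPLE_LOG = """\
2024-03-01T08:00:00Z 203.0.113.7 alice bad_password
2024-03-01T08:00:01Z 203.0.113.7 bob mfa_challenged
2024-03-01T08:00:02Z 203.0.113.7 carol bad_password
2024-03-01T08:00:03Z 203.0.113.7 dave mfa_challenged
2024-03-01T08:00:04Z 203.0.113.7 erin bad_password
2024-03-01T08:00:05Z 203.0.113.7 frank bad_password
2024-03-01T08:00:06Z 203.0.113.7 grace mfa_challenged
2024-03-01T08:00:07Z 203.0.113.7 heidi bad_password
2024-03-01T08:05:00Z 198.51.100.9 alice mfa_challenged
2024-03-01T08:05:20Z 198.51.100.9 alice mfa_passed
2024-03-01T08:06:00Z 198.51.100.9 alice mfa_challenged
2024-03-01T08:06:15Z 198.51.100.9 alice mfa_passed
2024-03-01T09:00:00Z 192.0.2.44 ivan bad_password
2024-03-01T09:00:30Z 192.0.2.44 ivan mfa_challenged
2024-03-01T09:00:45Z 192.0.2.44 ivan mfa_passed
"""


@dataclass
class IpStats:
    """Per-source counters built from the login log."""
    attempts: int = 0
    usernames: set = field(default_factory=set)
    # usernames for which this source got as far as the MFA prompt, i.e. the
    # password was accepted and the attacker now knows the pair is valid
    challenged: set = field(default_factory=set)
    passed: int = 0


def parse_log(text):
    """Turn the space-separated log text into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((ts, ip, user, outcome))
    return events


def aggregate_by_ip(events):
    stats = defaultdict(IpStats)
    for _, ip, user, outcome in events:
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if outcome == "mfa_challenged":
            s.challenged.add(user)
        elif outcome == "mfa_passed":
            s.passed += 1
    return stats


def find_stuffing_sources(stats, min_distinct_users=5, max_pass_ratio=0.2):
    """Flag sources that spray many usernames and rarely complete MFA.

    A real user (or a NAT gateway full of real users) who reaches the MFA prompt
    normally completes it, so a high pass ratio clears a busy shared address.
    Returns {ip: [usernames whose password this source confirmed]}.
    Thresholds are constructed defaults; tune them to the site's own traffic.
    """
    flagged = {}
    for ip, s in stats.items():
        if len(s.usernames) < min_distinct_users:
            continue
        pass_ratio = s.passed / len(s.challenged) if s.challenged else 0.0
        if pass_ratio <= max_pass_ratio:
            flagged[ip] = sorted(s.challenged)
    return flagged


def accounts_to_reset(flagged):
    """Accounts whose password a flagged source has confirmed: candidates for a forced reset."""
    return sorted({u for users in flagged.values() for u in users})


if __name__ == "__main__":
    flagged = find_stuffing_sources(aggregate_by_ip(parse_log(SAMPLE_LOG)))
    for ip, users in flagged.items():
        print(f"stuffing source {ip}: confirmed passwords for {users}")
    print("force password reset for:", accounts_to_reset(flagged))
```

The point of keying on the pass ratio rather than raw volume is that the MFA step itself becomes the detection signal: an oracle run produces challenges it never answers, so the accounts in the `challenged` set are exactly the ones whose passwords the attacker has learned, and those are the ones worth resetting and notifying even though no login completed.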