Conditional Access: Fighting the Greatest Cyber Threat Today

Multi-factor authentication (MFA) has been the security standard within the IT industry for some time now. Whether you attended cyber training or a panel discussion in recent years, you were probably advised by security professionals to use MFA for both your business and personal accounts, including social media and email.

Fast forward to today, and it’s clear that businesses like yours need secure authentication now more than ever to stay protected from cyberattacks. In fact, every week our Affinity Technology Partners team hears about hackers targeting another major company, sometimes even healthcare stalwarts here in Nashville. Our clients have taken notice, too, which has helped us spread the word that MFA can make a difference in protecting typical data access and other business processes like accounts payable and accounts receivable.

Yet MFA alone isn’t enough to stay secure nowadays. Your business needs more modern authentication protections to fend off increasingly sophisticated hackers (more on that later).

Using Multi-Factor Authentication is Still Good Advice…Mostly

In today’s environment, multi-factor authentication continues to provide a significant upgrade to your cybersecurity. Simply put, MFA adds an extra layer of protection by requiring users to provide additional verification credentials to access an account—beyond the traditional username and password. It’s easy to implement and cost-effective, as many systems offer MFA at no extra cost; all you need to do is turn it on.

However, as hackers have become more advanced, multi-factor authentication is no longer bulletproof. The social engineering of MFA's early years has matured into techniques that defeat the MFA process itself. In a SIM-swap, the attacker convinces your carrier to move your phone number onto a SIM card they control; in a number-port (port-out) attack, they transfer the number to a different carrier tied to their own device. In either case, once the attacker controls your phone number, every MFA code sent by text message lands in their hands, and with those codes they have free rein over your accounts. That's why IT professionals now recommend an authenticator app instead of a phone number for MFA. Keep in mind, though, that an app only closes the phone-number hole: a code or push approval from an app can still be phished, which is exactly what the next attack relies on.

A Modern MFA Security Challenge: Token Hijacking

As hackers have adapted their tactics to the world of MFA, a newer attack vector has arrived on the scene. It's called token hijacking, and it's one of the most dangerous techniques we have seen. Token hijacking doesn't break MFA; it waits for you to complete it. A phishing message sends you to a lookalike site that silently relays your login to the real service (an adversary-in-the-middle setup). You enter your password and approve the MFA prompt as usual, the real service issues the session token that normally grants you access after MFA, and the attacker's relay captures that token on the way back. With the token loaded into their own browser, the attacker is indistinguishable from you: no password prompt, no MFA prompt, and no notification to you. The scariest part? Because the token is issued only after MFA has succeeded, any MFA method based on a code or a push approval is bypassed. What token hijacking does not defeat are controls that keep evaluating the session after login, such as checks on the device the request comes from and limits on how long a token stays valid, and that is where Conditional Access comes in.

According to email security vendor Proofpoint, they encounter about 1 million token hijacking threats per month (yes, you read that right!). Even with its increasing prevalence, however, token hijacking is still not getting the attention it deserves. Yet it's a topic of daily discussion here at Affinity.

How Affinity is Enhancing Security with Conditional Access

With the growing threat of token hijacking, the last thing we're doing at Affinity is sitting idly by. Instead, we've been intentional in adapting our clients' IT security to fight this new attack vector, moving to a modern, zero-trust authentication mechanism called Conditional Access. Behind the scenes, this required clients using Microsoft 365 for their back office to switch from Microsoft's legacy per-user MFA settings to Conditional Access policies in Microsoft Entra ID (formerly Azure AD). Because of the urgency of this switch, our entire team prioritized a client-wide upgrade to Conditional Access through a communication blitz, bringing our clients into alignment with our current best practices in a single day.

Conditional Access provides greater cybersecurity protection because it is a policy engine, Microsoft's Zero Trust engine, that decides every sign-in with an IF-THEN rule: IF the sign-in matches these conditions, THEN require these controls. Username, password and MFA are still required; what changes is that we put policies in place that the engine evaluates on top of them, using signals such as who the user is and which groups they belong to, which application they are reaching, the IP address or named location the request comes from, whether the device is managed and compliant, and a real-time risk score for the user and the sign-in. Based on those signals the engine grants access, demands extra controls (MFA, a compliant device, a shorter session lifetime) or blocks the request outright. A stolen token replayed from an attacker's unmanaged machine fails the device check even though MFA succeeded upstream. Hence, Conditional Access, and the future of authentication.
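To make the IF-THEN idea concrete, here is an added example (not Affinity's deployment script and not code from the original post) that creates one such policy with the Microsoft Graph PowerShell SDK. It requires MFA AND a compliant device for every user on every cloud app, caps the session at 12 hours, and deliberately starts in report-only mode. The policy name, the 12-hour value and the break-glass group ID are assumptions for illustration; substitute your own.

```powershell
# Added example: create a Conditional Access policy with the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph.Identity.SignIns). Not part
# of the original article; names and values below are illustrative.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# ASSUMPTION: object ID of your break-glass (emergency access) group.
# Always exclude one so a bad policy can't lock every admin out of the tenant.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Require MFA and a compliant device for all cloud apps"
    # Report-only: the sign-in logs show what WOULD have happened, nothing is
    # blocked. Switch to "enabled" only after reviewing those results.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # AND: the sign-in must satisfy every listed control. A hijacked token
        # replayed from an attacker's unmanaged machine fails compliantDevice
        # even though MFA already succeeded on the victim's side.
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
    sessionControls = @{
        # Bound how long a captured session stays useful by forcing
        # re-authentication after 12 hours (assumed value; tune to your risk).
        signInFrequency = @{
            isEnabled = $true
            value     = 12
            type      = "hours"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Verify the policy exists and is still report-only before you enforce it.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State
```

Two practical notes: the compliantDevice control only passes for devices enrolled in Intune and meeting a compliance policy, so roll that piece out after enrollment is complete or you will block legitimate users; and leave the policy in report-only mode for at least a week, reading the sign-in log's "Report-only" results, before changing the state to "enabled".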

Fight Against Cyberattacks with Affinity Technology Partners

If you want your business to stay one step ahead of today’s cyber threats, we can help at Affinity Technology Partners. Request a consultation today to learn more about our outsourced IT services.