Achieving True MFA in Active Directory by Securing Every Authentication Factor

Research reports show that account compromises aren’t decreasing

Published: Nov 25, 2024

Security Hero


Multi-Factor Authentication (MFA) has become important for user security within Active Directory environments. By implementing additional verification steps, MFA makes it more difficult for adversaries to gain unauthorized access and it is essential for any organization aiming to secure its Active Directory infrastructure.

However, despite heavy investment in MFA to stop cyberattacks, leading research reports show that account compromises aren’t decreasing. Rather, stolen passwords have risen to become the top cause of a data breach. This shows that even with MFA integrated into the Active Directory (AD) authentication flow, the security of each individual authentication factor is crucial to actually receiving the security benefits of MFA. So there is still a need for a defense-in-depth approach that ensures credentials are secure, rather than relying solely on MFA as a compensating control.

The threat of compromised credentials

According to the Verizon 2024 Data Breach Investigations Report, stolen credentials remain a consistent and widespread threat to all organizations, including those using Active Directory. The report makes it clear that hackers are exploiting systems using default, weak, or compromised passwords to gain unauthorized access.

Even with all the advancements in MFA and other technologies, these cybercriminals persist in using stolen credentials because they’re so effective, easy to find on the Dark Web, and often provide a direct route straight into an organization’s systems.

This unexpected trend raises some important questions: How can attackers bypass MFA so consistently, and how can organizations better secure their authentication?

Understanding how attackers bypass MFA

Although MFA is an important compensating control, attackers have found ways to get around this control in AD environments. Recognizing these tactics is essential so that organizations can understand why strong passwords need to be the foundation of authentication security. Here are some prevalent techniques used by threat actors to bypass MFA:

  • Phishing for MFA codes: Phishing attacks targeting MFA codes are so extraordinarily common and effective that CISA has issued updated guidance to combat the issue. (CISA has also outlined the risks of MFA without improving password security.) Attackers often impersonate trusted sources within an organization, such as IT support staff leveraging Microsoft Teams or Outlook, to deceive users into revealing their MFA codes. When attackers compromise one AD account, they can use that account to send convincing phishing messages to other employees. Attackers might send messages urgently asking for MFA codes, pretending it’s to fix important issues or confirm the user’s identity. They take advantage of the trust people have in security messages and the sense of urgency to trick users into giving up the very codes that are supposed to protect their accounts.
  • SIM swapping attacks: Imagine a SIM swapping attack where a hacker gets your phone number transferred to a SIM card they own. With your number in their hands, they can intercept any SMS-based multi-factor authentication codes sent to you. This lets them bypass MFA systems that rely on SMS verification and access your accounts without permission.
  • Man-in-the-Middle (MitM) attacks: Think of a scenario where an attacker sneaks into your secure conversations—that’s a man-in-the-middle attack. When it comes to multi-factor authentication, these cybercriminals can intercept the MFA codes as they’re sent to you. By grabbing these codes, they can access your accounts without your permission, effectively sidestepping the security measures you’ve put in place.
  • Session hijacking: Session hijacking occurs when an attacker gains access to a user’s session token or cookie, allowing them to impersonate the user without needing to authenticate again. Even with MFA in place, if an attacker can obtain the session token—through methods like cross-site scripting attacks or Adversary-in-the-Middle phishing—they can access the account as if they were the authenticated user.
  • Exploiting MFA fatigue and user complacency: Attackers often send repeated MFA prompts, usually timed to match when employees are likely logging in. This increases the chances that, out of confusion or frustration, users might approve a fraudulent attempt. Relying too much on MFA can also lead to complacency, where users think it’s enough by itself and may overlook other important security practices.

Securing credentials as the foundational factor

Securing user credentials directly in Active Directory is key to reducing the risk of MFA bypass. Attackers often need access to passwords as the first step in bypassing MFA. If credentials are exposed, such as through the Dark Web, it gives attackers the opening they need to compromise accounts.

By ensuring every authentication factor is secure and that passwords remain protected, organizations can achieve true multi-factor authentication and close many of the gaps that attackers exploit to compromise accounts. Proactive measures include:

  • Regular Monitoring for Credential Exposure: Implement continuous surveillance for compromised credentials on the Dark Web and other platforms where stolen data is traded to detect any signs of credential leaks.
  • Remediate Compromised Credentials: It’s crucial to have systems that automatically prompt users to change their passwords as soon as a compromise is detected. This can be accomplished by having processes in place that prompt users to update their passwords instantly if any of their login details are detected as compromised on the Dark Web.
  • Strengthening password policies: Prevent users from using identifying information in their passwords, such as the name of your organization, local sports teams, or their username.
  • Educating users: Provide comprehensive security awareness training through Microsoft Learn or integrated training platforms to reduce the likelihood of users falling victim to phishing, social engineering attacks, and MFA fatigue exploits that lead to credential compromise. Organizations can use Microsoft Attack Simulator to test if their users easily fall victim to basic phishing attacks.

How do credentials become compromised?

Even if your systems haven’t been directly breached, your organization’s credentials can still be compromised through the combination of external data breaches and password reuse. When people reuse the same password across different sites, it greatly increases the risk of a company-wide compromise.

For instance, if someone in your organization uses the same password on another site that gets hacked, attackers can then use those stolen credentials to access your company’s accounts. Due to the prevalence of breaches, a user might have multiple personal passwords compromised, allowing attackers to establish a pattern that an employee uses for passwords, making it easy for attackers to guess the password even if they change it slightly across platforms.

This is a common problem. According to Bitwarden’s 2023 Password Decisions Survey, ninety percent of users admit to reusing passwords across platforms, creating a widespread vulnerability.

Recent breaches show how dangerous password reuse can be. In December 2023, nearly 36 million Comcast Xfinity customers had their usernames and passwords leaked. If those same passwords were used for other important accounts, like to authenticate into your organization’s systems, this poses a substantial risk. And while large breaches make headlines, many smaller ones, which aren’t well-publicized, also pose an outsized risk.

When credentials are compromised in one breach, cybercriminals can use them to access other accounts, leading to a cascade of security issues such as fraud, identity theft, phishing attacks, ransomware, and more. This domino effect means that a breach in one organization can quickly spread and affect many others.

The financial impact of compromised credentials

The IBM 2024 Cost of a Data Breach Report looked at the serious financial impact of data breaches caused by compromised credentials. The global average cost of a data breach has risen to $4.88 million this year, a 10% increase from last year. Compromised credentials rose to be the top cause of a data breach. In addition, they were also among the toughest to remediate, taking on average 292 days to detect and contain, the longest of any type of breach.

The risk of overreliance

Depending too much on MFA for securing the authentication flow can give organizations a false sense of security. Companies might skip other security steps—like properly monitoring for and remediating compromised credentials—because they assume MFA has them covered. This kind of complacency is risky.

On top of that, the common practice of forcing regular password changes (such as every 3 or 6 months) to secure credentials has been shown to be counterproductive, which is why the latest NIST 800-63B guidelines actually advise against this approach. Why? Because it doesn’t actually improve password quality and ends up causing users to create weaker passwords by reusing old ones or opting for simple, easy-to-guess patterns.

How Enzoic for Active Directory reduces the risk of compromised credentials

While MFA adds an extra layer of security to Active Directory environments, the ongoing issue of compromised passwords shows that more needs to be done. Enzoic for Active Directory tackles this problem head-on by directly securing user credentials, ensuring that passwords—the first line of defense—are strong and uncompromised.

[Image: Enzoic for Active Directory (Image Credit: Enzoic.com)]

Continuous monitoring with real-time threat updates

Enzoic for Active Directory is an easy-to-install plugin that keeps a constant watch on user credentials by checking them against a real-time database of known compromised passwords. It does this securely by sending partial password hashes for comparison, so your sensitive data stays within your network. Because Enzoic’s database is always updated with the latest information from the Dark Web and other sources, you can be confident that passwords safe today remain safe tomorrow.
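The partial-hash lookup described above is the k-anonymity pattern: the client hashes the password locally, sends only a short prefix of the hash, and does the final comparison itself. The following is an added illustration of that pattern, not Enzoic’s code; the page does not describe its internals, so the SHA-1 digest, the 5-character prefix and the breach list are all assumptions constructed for the demo.

```python
import hashlib

# Constructed sample "breach database": SHA-1 digests of passwords that are
# assumed, for this demo, to appear in public breach corpora.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "Winter2024!")
}
PREFIX_LEN = 5      # assumption: the client reveals only 5 hex chars of the hash
SERVER_LOG = []     # records what the lookup service actually received


def range_query(prefix):
    """Service side: return every stored hash suffix that shares the prefix.
    The service only ever sees the prefix, never the full hash or password."""
    SERVER_LOG.append(prefix)
    return sorted(h[PREFIX_LEN:] for h in BREACHED_SHA1 if h.startswith(prefix))


def is_compromised(password):
    """Client side: hash locally, send only the prefix, match suffixes locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in range_query(prefix)


def audit(accounts):
    """Screen a mapping of username -> candidate password (e.g. at password-set
    time) and return the usernames whose password is already exposed."""
    return sorted(u for u, pw in accounts.items() if is_compromised(pw))


if __name__ == "__main__":
    sample = {"alice": "Winter2024!", "bob": "correct horse battery staple"}
    print(audit(sample))   # ['alice']
    print(SERVER_LOG)      # two 5-character prefixes, nothing more
```

Because only the prefix leaves the client, a compromised or eavesdropping lookup service learns neither the password nor its full hash, which is the property that lets such a check run against an external database without exporting credentials.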

  • Automatic detection and response to compromised passwords

If Enzoic discovers that a user’s password has been exposed in a data breach, it can automatically take action, like requiring the user to change their password or disabling the account if necessary. This proactive approach stops attackers from exploiting compromised passwords, even if the breach happens after the password was created. By acting quickly, organizations can prevent small issues from turning into major security incidents.

  • Stronger password policies and easy compliance

Enzoic for Active Directory enforces customizable password policies every time a password is created or changed. It prevents users from choosing weak or commonly used passwords, including those that are simple variations or include parts of their username. With features like custom password dictionaries and detection of root or similar passwords, it helps users create strong, unique passwords. Plus, with one-click compliance with NIST 800-63B guidelines, organizations can easily meet industry best practices without making password requirements overly complicated for users.

  • Better experience for users and admins

By eliminating the need for regular password resets—which often frustrate users and lead them to choose weaker passwords—Enzoic improves the user experience. Users are less likely to reuse passwords or choose simple patterns. For system administrators, the automated monitoring and response features reduce the workload that comes with manual password checks and reset processes. Customizable notifications and reporting tools give admins useful insights without overwhelming them with too much information.

  • Seamless integration for comprehensive protection

Enzoic for Active Directory fits easily into existing Active Directory setups, whether they’re on-premises or hybrid environments. It works alongside your existing security measures, including MFA, by addressing the weaknesses associated with compromised passwords. Features like easy integration with SIEM systems and the ability to create different group policies allow your organization to customize the solution to fit your specific needs, enhancing security without adding extra complexity.

  • Filling the gaps left by MFA alone

By focusing on securing passwords—the first factor in authentication—Enzoic for Active Directory addresses the security gaps that MFA alone can’t fix. It understands that attackers often need the password to even try to bypass MFA. By ensuring passwords aren’t compromised, Enzoic reduces the chances that attackers can get to the point of trying to bypass MFA. This comprehensive approach to securing every part of the authentication process significantly lowers the risk of unauthorized access.

A layered security strategy for authentication

MFA can be the last line of defense for an organization against compromised credentials. However, strong passwords should be a foundational control in any MFA implementation. Strengthening passwords is crucial to addressing the security gaps that MFA alone cannot cover within Active Directory.

By securing credentials as soon as they are exposed or compromised, especially those easily accessible to attackers on the Dark Web, organizations can significantly reduce the risk of account breaches. Key actions include ongoing monitoring, automated remediation of compromised credentials, and educating users on best security practices. Strengthening every part of the authentication process will better protect sensitive data and help organizations maintain the trust of their customers and stakeholders.

To learn how you can continually scan for compromised passwords in your environment and proactively prevent account takeover, download a trial of Enzoic for Active Directory today.
