
MFA Configuration Errors and How ISPM Can Help

Updated: Jan 16

Multi-factor authentication (MFA) is considered a foundational cybersecurity control. Multiple frameworks mandate the broad use of MFA, including CISA’s Zero Trust Maturity Model and NIST’s Digital Identity Guidelines. In the cyber-insurance domain, MFA has become a critical requirement for coverage. Many insurance agencies now require MFA for all individuals accessing email, remote network access, and admin access to directory services, network infrastructure, and endpoints.


Yet, applying MFA consistently in practice continues to prove challenging, even for the most sophisticated organizations. Despite the widespread recognition of MFA’s importance, recent incidents involving Mandiant and the SEC highlight the hurdles organizations face in implementing it effectively.


On January 3, 2024, Mandiant, a subsidiary of Google Cloud, experienced a security breach on its X account. Despite having 2FA enabled, the company said it lost control of the account due to team transitions and a change in X’s 2FA policy. The account began sending its followers links to a cryptocurrency drainer phishing page. After regaining control of the account the next day, it was concluded that the hijack was likely due to a brute-force password attack. The firm found no evidence of malicious activity on, or compromise of, any systems that led to the compromise of the account.


Similarly, on January 9, 2024, the Securities and Exchange Commission’s (SEC) X account was compromised. Despite having an account verified by X, it was revealed that the SEC had not enabled two-factor authentication (2FA) on its account. An unidentified individual gained control over a phone number associated with the SEC’s account through a third party. This led to a fake post claiming that spot bitcoin ETFs had been approved by the regulator. The false announcement temporarily influenced the price of bitcoin. The SEC is currently working with law enforcement to investigate the hack.


Implementing MFA is a complex task that is not just specific to X as an application. The complexity lies in the fact that current MFA technologies demand app-specific protocol support, meticulous configuration, and ongoing management. Further complicating matters, each environment necessitates distinct identity and MFA systems, which often operate in isolation, adding layers to the challenge.


These incidents underscore the importance of not only implementing MFA but also continuously monitoring identity activity to ensure that an organization’s MFA policies are operating as intended in the real world. 


Identity Security Posture Management (ISPM) solutions such as AuthMind can help in this area by creating a live map of users, devices, applications, and services and their related access flows across the enterprise. This live map can then expose MFA misconfigurations such as:

  • Applications that are being accessed with no MFA controls in place, similar to the recent incidents with X
  • Applications where MFA is being bypassed because the end-user has access via a local account
  • Access where MFA is not enforced due to session token duration issues, such as when access to a sensitive application should require MFA every 8 hours, but it doesn't due to default configurations of other systems
  • Applications where step-up MFA access to sensitive actions within an application is not functioning as expected
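
The four misconfigurations listed above can be expressed as checks over access events. The following is an added example, not AuthMind's code or anything from the original post; the event schema, field names, and sample events are constructed for illustration, and the 8-hour window is taken from the session-duration bullet.

```python
from datetime import datetime, timedelta

MFA_MAX_AGE = timedelta(hours=8)  # re-authentication window from the list above

# Constructed sample events; every field name here is a hypothetical schema.
EVENTS = [
    {"user": "alice", "app": "social", "auth": "sso", "mfa_at": None,
     "at": "2024-01-09T10:00", "sensitive": False},
    {"user": "bob", "app": "erp", "auth": "local", "mfa_at": None,
     "at": "2024-01-09T10:05", "sensitive": False},
    {"user": "carol", "app": "hr", "auth": "sso", "mfa_at": "2024-01-08T23:00",
     "at": "2024-01-09T10:10", "sensitive": False},
    {"user": "dave", "app": "bank", "auth": "sso", "mfa_at": "2024-01-09T09:00",
     "at": "2024-01-09T10:15", "sensitive": True, "step_up": False},
    {"user": "erin", "app": "hr", "auth": "sso", "mfa_at": "2024-01-09T09:30",
     "at": "2024-01-09T10:20", "sensitive": False},
]

def classify(event):
    """Return the MFA findings for one access event (empty list if clean)."""
    findings = []
    at = datetime.fromisoformat(event["at"])
    mfa_at = event.get("mfa_at")
    if event["auth"] == "local":
        # Assumption: a local app account never passes through the IdP's MFA.
        findings.append("local_account_bypass")
    elif mfa_at is None:
        findings.append("no_mfa")
    elif at - datetime.fromisoformat(mfa_at) > MFA_MAX_AGE:
        # Session token outlived the policy's re-authentication window.
        findings.append("stale_mfa_session")
    if event.get("sensitive") and not event.get("step_up", False):
        findings.append("step_up_missing")
    return findings

def audit(events):
    """Map (user, app) to its findings, skipping events with none."""
    report = {}
    for ev in events:
        found = classify(ev)
        if found:
            report.setdefault((ev["user"], ev["app"]), []).extend(found)
    return report

if __name__ == "__main__":
    for key, found in audit(EVENTS).items():
        print(key, found)
```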

In conclusion, the recent incidents involving the SEC and others highlight the complexities and challenges of implementing and managing MFA. It’s clear that MFA is not a set-it-and-forget-it solution. Continuous monitoring and management are crucial to ensure that MFA policies operate as intended and that organizations are truly secure.


ISPM solutions like AuthMind provide valuable assistance in this area, enabling a proactive approach to MFA management that can help prevent security incidents and protect organizations from the ever-evolving landscape of cyber threats. Remember, in today’s digital world, effective cybersecurity is not just about implementing the right tools but also about continuously monitoring and managing them.