Passwordless MFA Everywhere

Killing two birds with one stone: How our MFA-everywhere halts attacks and hides vulnerabilities

Published January 09, 2023 by Amir Frankel

*Don’t worry: no birds were harmed in the writing of this post!

Almost all organizations use some form of multi-factor authentication (MFA) to protect access to SaaS applications. And it’s easy to see why: MFA stops most cloud identity theft. This is because attackers, even if they manage to steal a password, rarely have access to additional forms of authentication such as smartphones (to approve a push notification) or biometrics (for fingerprints or facial ID). But taking the stopping power of MFA to everything that is not pure SaaS is difficult.

The problem with MFA (providers)

Current MFA solutions are great for SaaS applications but have two huge drawbacks when it comes to real defense against the attacks that happen every day:

  1. Only a few protocols used in on-premises and IaaS environments can really have MFA associated with them, such as RDP or SSH, which can only be accomplished by a few vendors through great efforts. Plus, these protocols that “can be MFA-ed” generally make up only 1-2% of all connections in an organization’s network, leaving ~99% of all potential access unguarded by MFA.
  2. If there is a vulnerability on the few protocols that are “protected” with MFA, the attacker only needs an open port to take control of the target machine – without even needing authentication. For example, RDP has a vulnerability every few months and if not patched, an attacker can take control of the target machine even if it has “MFA protection.”

All in all, the fact remains that the amazing stopping power of MFA is underutilized in most enterprise environments.

The Zero Networks approach to MFA

In order to unleash the full stopping power of MFA to everything, Zero Networks takes a simple and elegant approach to the problem: How can we make sure that MFA is relevant for all applications and that vulnerabilities can’t bypass it?

Simple (after hearing it): Tie the MFA to the network layer, becoming agnostic to the protocol, application, or operating system, as well as denying attackers access to vulnerabilities in the organization. The network port of the application remains closed by default and only opens temporarily after MFA.

Now, 100% of potential access can have MFA associated with it without any vulnerabilities that an attacker can use to spread inside the organization – a tactic many ransomware attack groups use before triggering the encryption and ransom message.
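To make the default-closed, open-only-after-MFA behaviour concrete, here is an added toy model of a network-layer MFA policy. It is not Zero Networks’ code; the host addresses, the 60-second window and the `NetworkMfaPolicy` class are constructed for illustration.

```python
"""Added example (not Zero Networks code): a toy model of network-layer MFA.

Every port is closed by default. An allow rule for (source, destination,
port) exists only after a successful MFA challenge and expires on its own.
The policy never inspects the protocol, so RDP, SSH, SMB or anything else
is handled identically, which is the protocol-agnostic point of the post."""
from dataclasses import dataclass, field


@dataclass
class NetworkMfaPolicy:
    ttl_seconds: int = 300
    # (src, dst, port) -> expiry timestamp; an empty dict means all closed
    open_rules: dict = field(default_factory=dict)

    def request_access(self, src, dst, port, mfa_passed, now):
        """Open a time-limited hole only when the MFA challenge succeeded."""
        if not mfa_passed:
            return False
        self.open_rules[(src, dst, port)] = now + self.ttl_seconds
        return True

    def packet_allowed(self, src, dst, port, now):
        """Decision the enforcement point makes for each new connection."""
        expiry = self.open_rules.get((src, dst, port))
        if expiry is None:
            return False  # default deny: the port is invisible to src
        if now >= expiry:
            del self.open_rules[(src, dst, port)]  # window has closed
            return False
        return True


def simulate():
    """Walk through the post's scenario with constructed hosts (assumptions)."""
    policy = NetworkMfaPolicy(ttl_seconds=60)
    admin, attacker, server = "10.0.1.5", "10.0.9.9", "10.0.2.10"
    # Stolen password but no second factor: the RDP port never opens, so an
    # unpatched RDP bug on `server` is unreachable from this source as well.
    stolen_pw = policy.request_access(attacker, server, 3389, False, now=0)
    pre_mfa = policy.packet_allowed(admin, server, 3389, now=0)
    policy.request_access(admin, server, 3389, True, now=10)
    during = policy.packet_allowed(admin, server, 3389, now=30)
    other_host = policy.packet_allowed(attacker, server, 3389, now=30)
    after = policy.packet_allowed(admin, server, 3389, now=100)
    return stolen_pw, pre_mfa, during, other_host, after


if __name__ == "__main__":
    print(simulate())  # (False, False, True, False, False)
```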

Book a demo to see this live here.