By Chenyun Chu

Why Can't We Get MFA Right? Lessons from Recent SEC and Microsoft Incidents

Ever caught yourself shaking your head at the latest breach headline, wondering why Multi-Factor Authentication (MFA) wasn't the knight in shining armor this time? You're in good company.


Take the recent compromise of the SEC's X account. Despite the well-known benefits of MFA, "[SEC's] Monday's statement also said that due to difficulties accessing the account, SEC staff had asked X Support in June of 2023 to disable MFA, which can offer added protection against unauthorized access."


Then there is the high-drama disclosure that Microsoft itself was breached by a hacking group tied to Russia's Foreign Intelligence Service (SVR), the group Microsoft tracks as Midnight Blizzard. And the initial entry point? "When Microsoft first disclosed the breach, many wondered whether MFA was enabled on this test account and how a test legacy account would have enough privileges to spread laterally to other accounts in the organization. Microsoft has now confirmed that MFA was not enabled for that account, allowing the threat actors to access Microsoft's systems once they brute-forced the correct password." Microsoft's own write-up describes that "brute force" as a password spray against a legacy, non-production test tenant account: a low-and-slow guess of common passwords against an account nobody was watching.


You would think that by now "Enable MFA" is cybersecurity best practice 101. It is. I even dug out my old Microsoft t-shirt, which reads: "Your password doesn't matter. Enable MFA."




Which raises the question: if "Enable MFA" is cybersecurity's golden rule, why is it so hard to follow in practice?


MFA: Not as Easy as Pie

It's tempting to point fingers and assume someone on the security team "simply dropped the ball." But having been on the inside with the Microsoft security team, I can attest to the commitment and expertise of those professionals. The issue isn't negligence; it's the complexity of modern IT environments, a sprawl of DevOps tooling, legacy test accounts and tangled dependencies, that makes comprehensive MFA coverage a formidable challenge.


It is not easy even to discover every login and authentication entry point. There is no single switch that, once flipped, makes every login require MFA: enforcement is configured per system, so a VPN, a cloud identity provider and a forgotten test server each have to be covered separately, and any entry nobody knows about is left uncovered by default.


Discovery Is Key:

We recently helped a mid-sized insurance company manage its attack surface. They had the front door locked tight, with MFA on their VPN login, but they did not know about a back window left ajar. On one of their test servers, we found a login page that looked like this:



Given that this login page was served with an expired SSL/TLS certificate, how likely is it that MFA was enabled behind it? A login nobody bothered to renew a certificate for is a login nobody is likely to have hardened.
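As an added, illustrative example (not code from the original post and not C2SEC's XSPM platform), the script below shows the two checks the story above turns on, for a list of hosts: does an HTTPS endpoint expose a login form, and is the certificate it presents expired. The host names, sample HTML and inventory are constructed for the demo; the `probe` function does real network I/O against a host you name, while the demo at the bottom runs only on the constructed data so the file works offline.

```python
"""Discovering login entry points and stale certificates.

Added example for this post; not code from the original article or from
C2SEC's XSPM platform.  The classification step is pure so it can run on
constructed sample data; `probe` does the real TLS handshake and fetch.
"""
import re
import socket
import ssl
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Optional

# OpenSSL verify code that ssl.SSLCertVerificationError.verify_code carries
# when the peer certificate has expired (X509_V_ERR_CERT_HAS_EXPIRED).
X509_V_ERR_CERT_HAS_EXPIRED = 10


class _FormScanner(HTMLParser):
    """Collect password inputs and form actions that look authentication-related."""

    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.auth_actions = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1
        if tag == "form" and re.search(r"log-?in|sign-?in|auth|session", a.get("action", ""), re.I):
            self.auth_actions.append(a["action"])


def looks_like_login(html: str) -> bool:
    """True when the page has a password field or posts to a login-like action."""
    scanner = _FormScanner()
    scanner.feed(html)
    return scanner.password_inputs > 0 or bool(scanner.auth_actions)


@dataclass
class Finding:
    url: str
    login_entry: bool
    cert_expired: Optional[bool]  # None: verification failed for a non-expiry reason

    def needs_review(self) -> bool:
        # A login behind an expired certificate is the "back window left ajar".
        return self.login_entry and bool(self.cert_expired)


def classify(url: str, body: str, verify_code: Optional[int]) -> Finding:
    """Pure analysis step; verify_code is None when the certificate verified cleanly."""
    if verify_code is None:
        expired = False
    elif verify_code == X509_V_ERR_CERT_HAS_EXPIRED:
        expired = True
    else:
        expired = None
    return Finding(url, looks_like_login(body), expired)


def probe(host: str, port: int = 443, path: str = "/", timeout: float = 5.0) -> Finding:
    """Handshake with verification to learn why the cert fails, then fetch the page
    without verification so an expired cert cannot hide the login page behind it."""
    verify_code: Optional[int] = None
    strict = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict.wrap_socket(raw, server_hostname=host):
                pass
    except ssl.SSLCertVerificationError as err:
        verify_code = err.verify_code
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with lax.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            chunks = []
            while chunk := tls.recv(65536):
                chunks.append(chunk)
    body = b"".join(chunks).decode("utf-8", "replace")
    return classify(f"https://{host}:{port}{path}", body, verify_code)


# Constructed sample responses standing in for two hosts from an inventory
# (hypothetical names): the MFA-protected VPN portal and the forgotten test server.
SAMPLE = {
    "https://vpn.example.test/": (
        "<html><form action='/login' method='post'>"
        "<input name='user'><input type='password' name='pw'></form></html>",
        None,  # certificate verified
    ),
    "https://test-srv-07.example.test/admin": (
        "<html><form action='/admin/login' method='post'>"
        "<input name='user'><input type='password' name='pw'></form></html>",
        X509_V_ERR_CERT_HAS_EXPIRED,
    ),
}


def scan_inventory(inventory=SAMPLE) -> List[Finding]:
    """Classify every (url -> (body, verify_code)) pair; swap in probe() for live hosts."""
    return [classify(url, body, code) for url, (body, code) in inventory.items()]


if __name__ == "__main__":
    for f in scan_inventory():
        flag = "REVIEW" if f.needs_review() else "ok"
        print(f"{flag:6} login={f.login_entry} cert_expired={f.cert_expired} {f.url}")
```

Every finding with `login_entry` set is a place where MFA enforcement has to be verified individually; the expired-certificate flag simply orders the list, since the entries nobody maintains are the ones least likely to have been hardened.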


Bridging the visibility gap with C2SEC's XSPM Platform


Addressing this challenge requires an approach that goes beyond traditional point security controls. C2SEC's Extended Security Posture Management (XSPM) platform is designed to tackle the problem head-on. By aggregating and analyzing data from many sources, the platform helps uncover every potential login and authentication entry point. Working closely with security teams, C2SEC's XSPM then helps consolidate those entries and confirm that MFA is enabled across all of them.


The narrative that cybersecurity failures come down to individual negligence or incompetence is overly simplistic and often wrong. Even within highly skilled and dedicated teams, such as those at Microsoft, the complexity of IT environments can hide critical exposures. The key to overcoming these challenges lies in better discovery and visibility, the diligent application of foundational practices like MFA, and tools such as C2SEC's XSPM platform that make the two meet.
