Five years after Magento became a major target for attacks, Adobe is finally enforcing Multi-Factor Authentication (MFA) for all administrative access to the web-based content management portal. Better late than never!
Over the past five years, Magento was the platform involved in the majority of post-breach investigations conducted by 3B Data Security. In those cases the initial point of intrusion was a compromise of user credentials (normally through brute force) for the administration panel, after which a malicious change was made or code was added. None of this is new; it has been widely reported as an attack method for years. So why has it taken Adobe so long to act?
Some versions of Magento have included MFA facilities for several years, yet few users (merchants or developers) have implemented the functionality. For the versions without built-in MFA, there were plenty of third-party plug-ins on the Magento Downloads Portal. This all seems strange given that MFA is a PCI DSS requirement (PCI DSS Requirement 8.3), yet many environments (not just Magento) continue to fail to implement this simple and highly effective control.
MFA combines two or more of the following:
- Something you know (e.g. a password or PIN)
- Something you have (e.g. an access card or one-time key)
- Something you are (e.g. biometrics)
Applications such as Google Authenticator are a great, inexpensive way to introduce MFA into your environment, providing a user with a one-time passcode to enter in addition to their password.
If you would like any advice on implementing the right MFA solution for your business please contact 3B Data Security.
Adobe has added two-factor authentication (2FA) to the Magento platform in response to the number of attacks in which skimmer scripts are deployed on hacked e-commerce sites.