As multifactor authentication (MFA) becomes universally adopted, attackers are adapting their strategies to attack organizations.
MFA requires two or more of the following: something you know, something you have, and something you are. This is commonly implemented as a password (something you know) combined with a one-time code or push notification to an authenticator app (something you have). Other common second factors alongside a password are biometric information (something you are) or hardware-based solutions like a YubiKey. Most MFA combinations remain vulnerable to human-related security issues.
Battling MFA Fatigue
Attackers know that humans are the most vulnerable piece of the puzzle, and their techniques reflect that. Recently, attackers have been exploiting something known as MFA fatigue. This can occur when an organization has MFA push notifications enabled. Attackers spam dozens of authentication requests to the user, which is annoying and prevents them from using their device. A user may accept one of these dangerous authentication requests by accident or simply to stop the noise. Once a malicious request is granted, the attacker has gained access to the network just as with any other credential compromise.
Battling MFA fatigue involves implementing a technical control combined with user education.
Technical Control
Popular MFA providers like Microsoft Authenticator and Duo Mobile have a setting that reduces the chance of an accidental button push granting access, as a mitigation for this type of attack. This technique is called number matching. With number matching enabled, the authenticator app will show a two- or three-digit number, which must be entered correctly when approving a login. Implementing this setting effectively reduces the risk of an accidental approval and is considered best practice when using legacy MFA.
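The following Go program is an added example, not SBS's code or any vendor's implementation. It simulates the server side of a push-based MFA service with the two defences described in this section: number matching, so a reflexive "Approve" tap without the displayed number fails, and a push-rate limit, so the flood of prompts described under MFA fatigue suspends pushes for the account instead of wearing the user down. The ten-minute window and the threshold of five pushes are assumed policy values, and the account names are constructed.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// Simulated server side of a push-based MFA service (added example, not SBS's
// code or any vendor's implementation).

const (
	fatigueWindow    = 10 * time.Minute // assumed policy: count pushes over this window
	fatigueThreshold = 5                // assumed policy: more than this many pushes trips the limit
)

var (
	ErrFatigueSuspected = errors.New("push flood detected: pushes suspended, treat the password as compromised")
	ErrNumberMismatch   = errors.New("matching number incorrect: login denied")
	ErrNoPendingPush    = errors.New("no pending push for this account")
)

// PushMFAService tracks one outstanding push per account plus recent push times.
type PushMFAService struct {
	mu      sync.Mutex
	pending map[string]int         // account -> number the user must type to approve
	history map[string][]time.Time // account -> timestamps of recent pushes
	now     func() time.Time       // injectable clock
}

func NewPushMFAService(clock func() time.Time) *PushMFAService {
	return &PushMFAService{
		pending: make(map[string]int),
		history: make(map[string][]time.Time),
		now:     clock,
	}
}

// RequestPush is called after the password check succeeds. It returns the
// two-digit number to display on the sign-in page, or ErrFatigueSuspected once
// the account has received more than fatigueThreshold pushes in the window.
func (s *PushMFAService) RequestPush(account string) (int, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	now := s.now()

	// Keep only pushes inside the window, then record this one.
	hist := s.history[account]
	recent := hist[:0]
	for _, t := range hist {
		if now.Sub(t) < fatigueWindow {
			recent = append(recent, t)
		}
	}
	recent = append(recent, now)
	s.history[account] = recent

	if len(recent) > fatigueThreshold {
		delete(s.pending, account) // nothing left for a worn-down user to approve
		return 0, ErrFatigueSuspected
	}

	n, err := rand.Int(rand.Reader, big.NewInt(90))
	if err != nil {
		return 0, err
	}
	number := int(n.Int64()) + 10 // uniform in 10..99
	s.pending[account] = number
	return number, nil
}

// Approve is what the authenticator app sends when the user taps Approve and
// types the number. The pending push is consumed whether or not it matches, so
// a wrong entry cannot be retried against the same login.
func (s *PushMFAService) Approve(account string, entered int) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	number, ok := s.pending[account]
	if !ok {
		return ErrNoPendingPush
	}
	delete(s.pending, account)
	if number != entered {
		return ErrNumberMismatch
	}
	return nil
}

// Deny discards the pending push; denying never locks the account.
func (s *PushMFAService) Deny(account string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.pending, account)
}

func main() {
	svc := NewPushMFAService(time.Now)
	number, _ := svc.RequestPush("alice")
	fmt.Println("sign-in page shows:", number)
	fmt.Println("tap-only approval:", svc.Approve("alice", 0))
	for i := 0; i < fatigueThreshold+1; i++ {
		if _, err := svc.RequestPush("alice"); err != nil {
			fmt.Println("push", i+2, "->", err)
		}
	}
}
```

The tripped limit is the point at which the account owner should be told to change their password, which is the same advice the user-education list below gives; a real deployment would also raise an alert for the IT administrator.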
User Education
Education is key to combating MFA fatigue. The following are key messages all users should understand:
- Denying an authentication attempt will not lock the account or restrict privileges.
- MFA push requests should only occur when the user is logging into a service.
- Never approve an authentication request on someone else's behalf.
- Repeated, unexpected push requests indicate that the password has been compromised.
- If they believe they are being targeted in an MFA attack, they should immediately inform the IT administrator and change their password.
Introducing Passwordless Authentication
Social engineering through phishing is effective at bypassing MFA systems. Threat actors posing as a coworker or another trusted figure have gotten users to hand over one-time passwords sent by text or email.
Legacy MFA systems can also be susceptible to man-in-the-middle attacks. If a user clicks on a malicious link, malware can steal the authentication token and use it to act as the authorized user.
While legacy MFA systems have flaws, an emerging standard seeks to remove the most vulnerable part of user authentication: the password.
Passwordless authentication uses public-key cryptography to authenticate users and their devices. The FIDO Alliance has produced an international standard for this type of authentication, which is used by technology giants Google, Microsoft, and Apple, among others. In a passwordless system, the device itself is authenticated to the service it seeks to access. A key pair is generated for the device and the application, and the private key cryptographically proves that the device is the one that was registered. On top of that, passwordless MFA systems require a biometric check or a hardware key to unlock that credential.
Combining a biometric identifier, like voice, fingerprint, or facial recognition, with a cryptographically secure authentication scheme creates phishing-resistant MFA.
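To show why the key-pair scheme above is phishing-resistant, here is an added Go example; it is not SBS's code and not the FIDO specification's reference implementation. It models the core of FIDO2/WebAuthn: the authenticator creates a key pair scoped to the relying party ID (rpID), and each login assertion signs the server's challenge together with the rpID the browser actually observed. A signature obtained on a look-alike domain therefore does not verify at the real site, and a captured assertion cannot be replayed because each challenge is single-use. Ed25519 stands in for the COSE algorithms real authenticators use, and the domains and user name are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Added example, not SBS's code or the FIDO reference implementation. Models the
// origin binding that makes FIDO2/WebAuthn credentials phishing-resistant.

// Authenticator is the user's device; private keys never leave it.
type Authenticator struct {
	creds map[string]ed25519.PrivateKey // rpID -> private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: make(map[string]ed25519.PrivateKey)}
}

// Register creates a credential for rpID and returns the public key the
// relying party stores against the user account.
func (a *Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return pub, nil
}

// Assert produces the login signature. observedRPID is the domain the browser
// reports, not something the page's JavaScript can choose.
func (a *Authenticator) Assert(observedRPID string, challenge []byte) ([]byte, error) {
	priv, ok := a.creds[observedRPID]
	if !ok {
		return nil, errors.New("no credential registered for " + observedRPID)
	}
	return ed25519.Sign(priv, signedData(observedRPID, challenge)), nil
}

// signedData binds the challenge to the rpID, as WebAuthn's authenticatorData
// (rpIdHash) and clientDataJSON (challenge, origin) do.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// RelyingParty is the server: it stores public keys and issues one-time challenges.
type RelyingParty struct {
	rpID    string
	users   map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewRelyingParty(rpID string) *RelyingParty {
	return &RelyingParty{
		rpID:    rpID,
		users:   make(map[string]ed25519.PublicKey),
		pending: make(map[string][]byte),
	}
}

func (rp *RelyingParty) Enroll(user string, pub ed25519.PublicKey) { rp.users[user] = pub }

// NewChallenge issues 32 random bytes that are valid for exactly one verification.
func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify checks the signature over (hash(own rpID) || challenge) and consumes
// the challenge so that a captured assertion cannot be replayed.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	c, ok := rp.pending[user]
	if !ok {
		return false
	}
	delete(rp.pending, user)
	pub, ok := rp.users[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, signedData(rp.rpID, c), sig)
}

func main() {
	device := NewAuthenticator()
	bank := NewRelyingParty("bank.example")
	pub, _ := device.Register("bank.example")
	bank.Enroll("alice", pub)

	// Legitimate login.
	c, _ := bank.NewChallenge("alice")
	sig, _ := device.Assert("bank.example", c)
	fmt.Println("real site verifies:", bank.Verify("alice", sig))

	// A look-alike page relays the real challenge, but the browser reports its own domain.
	c, _ = bank.NewChallenge("alice")
	_, err := device.Assert("bank-login.example", c)
	fmt.Println("look-alike site assertion:", err)
}
```

Contrast this with the one-time codes in the previous section: a code typed into a look-alike page is valid anywhere, whereas an assertion here is only valid for the rpID hash it was signed over and only for the challenge it answers.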
As great as this may sound, implementing a passwordless architecture or becoming FIDO compliant may be costly. If your organization develops its own application, certifying that a passwordless system is implemented correctly requires talented engineering, and FIDO certification can be expensive. However, the cost is often justified, as the organization benefits from providing its staff and users with a safer authentication method for accessing systems and accounts.
Enrollment Attacks
MFA technology is only strong if the whole organization is correctly using it. Complete and successful enrollment is commonly overlooked, leaving organizations vulnerable. If users haven't finished registering their accounts for MFA, anyone holding those credentials can complete the enrollment first and gain a foothold in the network: the attacker registers their own token and the account is now "protected" by MFA that only the attacker controls. Here at SBS, we perform MFA inspection as a part of some of our red team engagements. We often find unenrolled accounts we can enroll once we have the password, showing customers that it is a simple yet effective attack strategy.
Securing accounts with elevated privileges, including service accounts, is especially important. Attackers want to take command of accounts with the highest privileges. Being stuck as a regular user can make an attacker's job much more difficult, as they will be restricted in which tools they can run on the machine. Service accounts have higher privileges than a typical user and often are not monitored with the same scrutiny as regular user and administrator accounts. To secure these accounts with MFA, an administrator can use certificate authentication and set up conditional access policies to block logins from abnormal origins.
To summarize this section, if MFA enrollment isn't complete, an attacker can take advantage of it. Failing to finish enrollment opens the door for anyone with credentials to gain a foothold in the network. If the most critical accounts in an organization aren't secured with MFA, then the effort is pointless. Therefore, enrollment metrics should be monitored and strictly enforced across an organization.
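As an added example of the enrollment monitoring this section calls for (not SBS's tooling), the Go program below parses an account export, computes the enrollment coverage metric, and lists every account whose enrollment is incomplete, rating privileged and service accounts as critical because they are the ones an attacker most wants to register a token on. The CSV format, column names, state values and account names are all constructed for illustration; real identity providers expose enrollment state through their own reports and APIs.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"sort"
	"strings"
)

// Added example of MFA enrollment auditing; not SBS's tooling. The export
// format below is constructed for illustration.
const sampleExport = `account,kind,privileged,mfa_state
alice,user,false,enrolled
bob,user,false,registration_pending
svc-backup,service,true,not_registered
dave,admin,true,registration_pending
erin,user,false,enrolled
`

type Account struct {
	Name       string
	Kind       string // user, admin or service (constructed values)
	Privileged bool
	MFAState   string // enrolled, registration_pending or not_registered (constructed values)
}

type Finding struct {
	Account  string
	Severity string // critical or medium
	Reason   string
}

type EnrollmentReport struct {
	Total    int
	Enrolled int
	Findings []Finding
}

// Coverage is the enrollment metric to track and enforce organization-wide.
func (r EnrollmentReport) Coverage() float64 {
	if r.Total == 0 {
		return 0
	}
	return float64(r.Enrolled) / float64(r.Total)
}

// ParseExport reads the constructed CSV format into Account records, looking
// columns up by header name so column order does not matter.
func ParseExport(data string) ([]Account, error) {
	rows, err := csv.NewReader(strings.NewReader(data)).ReadAll()
	if err != nil {
		return nil, err
	}
	if len(rows) < 2 {
		return nil, fmt.Errorf("export has no data rows")
	}
	col := map[string]int{}
	for i, name := range rows[0] {
		col[name] = i
	}
	for _, want := range []string{"account", "kind", "privileged", "mfa_state"} {
		if _, ok := col[want]; !ok {
			return nil, fmt.Errorf("missing column %q", want)
		}
	}
	var accts []Account
	for _, row := range rows[1:] {
		accts = append(accts, Account{
			Name:       row[col["account"]],
			Kind:       row[col["kind"]],
			Privileged: strings.EqualFold(row[col["privileged"]], "true"),
			MFAState:   row[col["mfa_state"]],
		})
	}
	return accts, nil
}

// AuditEnrollment flags every account whose enrollment is incomplete. Anyone
// holding such an account's password can register their own authenticator, so
// privileged and service accounts are rated critical and listed first.
func AuditEnrollment(accts []Account) EnrollmentReport {
	var r EnrollmentReport
	for _, a := range accts {
		r.Total++
		if a.MFAState == "enrolled" {
			r.Enrolled++
			continue
		}
		f := Finding{Account: a.Name, Severity: "medium",
			Reason: "MFA enrollment incomplete (" + a.MFAState + "): the password alone grants access and lets its holder enroll their own authenticator"}
		switch {
		case a.Kind == "service":
			f.Severity = "critical"
			f.Reason = "service account without MFA: protect with certificate authentication and conditional access"
		case a.Privileged:
			f.Severity = "critical"
			f.Reason = "privileged account with incomplete enrollment (" + a.MFAState + "): enroll or disable immediately"
		}
		r.Findings = append(r.Findings, f)
	}
	rank := map[string]int{"critical": 0, "medium": 1}
	sort.SliceStable(r.Findings, func(i, j int) bool {
		if rank[r.Findings[i].Severity] != rank[r.Findings[j].Severity] {
			return rank[r.Findings[i].Severity] < rank[r.Findings[j].Severity]
		}
		return r.Findings[i].Account < r.Findings[j].Account
	})
	return r
}

func main() {
	accts, err := ParseExport(sampleExport)
	if err != nil {
		panic(err)
	}
	report := AuditEnrollment(accts)
	fmt.Printf("MFA enrollment coverage: %.0f%% (%d of %d)\n", report.Coverage()*100, report.Enrolled, report.Total)
	for _, f := range report.Findings {
		fmt.Printf("[%s] %s: %s\n", strings.ToUpper(f.Severity), f.Account, f.Reason)
	}
}
```

Run against a daily export, the coverage figure is the metric to put on a dashboard and enforce, and the critical findings are the ones to act on the same day.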
Defense in Depth
Defending digital systems requires much more than simply implementing the newest security technology. Access to systems should be managed by a variety of controls layered on top of each other. This layered technique, known as defense-in-depth, lets systems benefit from the overlapping protection of different controls and technologies.
These security practices can be layered to provide better security and reduce the risk to your systems.
- Policy-based controls – Ensure that the organization prioritizes a strong security posture and defense-in-depth principles.
- Location-based access controls – If you don’t have employees overseas, don’t allow access from overseas.
- Privilege-based access controls – Users should only be permitted to do what their job duties require.
- Use a quality password manager – Securely generating and storing strong passwords is highly recommended.
- Strong network security controls – Monitor and limit malicious network behavior.
- Cybersecurity awareness training and testing – Education and practice of strong cybersecurity principles make employees and customers safer.
There is no single remedy for cybersecurity. It is essential to first understand your organizational risks and then appropriately allocate resources to mitigate those risks to an acceptable level. Passwordless MFA is a promising technology that can improve both security and user experience and is sure to become the standard in the next few years.
While using the newest technologies may not always make business sense, organizations can always rely on a comprehensive information security program that prioritizes a defense-in-depth strategy to protect their IT and digital assets.