For years, cyber security experts have recommended augmenting usernames and passwords with multi-factor authentication (MFA) to add an additional layer of security for access control. By adopting an “MFA Everywhere” approach, organizations can establish a deterrent and ultimately minimize the risk of lateral movement of threat actors across networks. Many seem to have adopted this best practice. In fact, a recent study by Javelin Strategy & Research found that reliance on passwords declined from 56 percent to 47 percent over the past year, as organizations increased their adoption of both traditional MFA and strong authentication. Unfortunately, over the last few weeks MFA made negative headlines when major media outlets like ZDNet and Forbes reported it had been “defeated”, raising questions among both adopters and those considering its implementation about its effectiveness.
Forrester Research has estimated that despite increasing cyber security budgets, 80 percent of security breaches involve weak, default, stolen, or otherwise compromised privileged credentials. As a result, MFA is considered one of the primary defenses against identity-based cyber-attacks. However, in September 2019 the Cyber Division of the Federal Bureau of Investigation (FBI) issued a private industry notification (PIN), warning businesses that cyber actors were circumventing MFA through common social engineering and technical attacks. The FBI specifically warned about SIM swapping, flaws in online pages handling MFA operations, and the use of tools like NecroBrowser and Muraena that work in tandem to automate phishing schemes.
Let’s Not Panic
While many media outlets pointed to these findings as evidence of the demise of MFA, the FBI made it very clear that its alert should be taken as a precaution rather than as a challenge to the viability of MFA. The attacks cited by the FBI are still very much an exception and have not been automated at scale to become part of cyber-attackers’ threat arsenal. Microsoft even stated that attacks that bypass MFA are so uncommon that they currently can’t be captured in any statistics.
The FBI came to the same conclusion, as its PIN states that “Multi-factor authentication continues to be a strong and effective security measure to protect online accounts, as long as users take precautions to ensure they do not fall victim to these [social engineering] attacks.” Organizations should therefore not push the panic button, but rather educate users and administrators on how to identify social engineering techniques, recognize fake websites, and avoid clicking links in rogue emails, or block such emails entirely.
Not All Authenticators Are Equally Vulnerable
When it comes to MFA methods, organizations have a wealth of choices but should realize that there is no “one-size-fits-all” approach. Instead, they should select alternatives that are best aligned with their use cases and introduce the least friction for users in order to assure broad adoption. In light of the FBI warning, organizations should recognize that not all authenticators are equally vulnerable to the mechanisms used to break the trust chain, which range from simple guesswork to coercion. Here is a summary of common MFA mechanisms:
• Security Questions – One or more security questions can be used as the simplest form of authentication using something the user knows. However, in many cases LinkedIn or Facebook pages can provide threat actors with the information necessary to guess answers to standard security questions; for example, birthplace or name of a pet.
• One-Time Passcodes – One-time passcodes delivered via email or SMS message can be used as a second factor for authentication purposes. However, it has been well documented that SMS-transmitted one-time password tokens (OTPs) are vulnerable to interception (e.g., SIM-swap or mobile number port-out scams). That’s why the National Institute of Standards and Technology (NIST) in its Special Publication 800-63 Guidelines recommends restricting the use of SMS for an OTP and advises avoiding OTP via email entirely. The weakness of OTP was also illustrated by last year’s Reddit hack.
• OATH Tokens – An OATH token is a one-time password generated on the user’s device (by a hardware or software token) from a shared secret, and can be used as the second factor in two-factor authentication. Bypass would require the user’s secret to be stolen at the time of registration, using a person-in-the-middle attack or a breach of the database in which the secrets are stored.
• FIDO U2F Security Keys – FIDO U2F Security Keys represent a very simple-to-deploy option that also provides the highest security assurance when combined with the user’s password. The only way to bypass this method is by shoulder surfing the PIN and stealing the token, which becomes very difficult if the biometric option is enabled.
• Smart Cards – Smart Cards can also be used for authentication and provide a level of assurance once validated and verified against an organization’s corporate directory. The only way to bypass this method lies in shoulder surfing the PIN and stealing the smart card, which becomes very difficult if the biometric option is enabled.
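To make the difference between the OATH and FIDO U2F entries above concrete, here is an added example (written for this page, not code from the article or any vendor it mentions). The first half computes OATH HOTP/TOTP codes per RFC 4226 and RFC 6238, using the test-vector secret from those RFCs; it shows that the code depends only on the shared secret and the time, so any copy of the secret produces identical codes and the code itself says nothing about which site it was typed into. The second half is a deliberately simplified model of the U2F idea, not the real FIDO message format: the browser reports the origin it is actually connected to, the security key binds that origin into what it signs, and the relying party verifies against its own origin. The origins, challenge and type names are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"strconv"
)

// hotp implements RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic
// truncation to a 31-bit integer, then reduction to the requested digit count.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0"+strconv.Itoa(digits)+"d", code%mod)
}

// totp implements RFC 6238 with the default 30-second time step.
func totp(secret []byte, unixTime int64, digits int) string {
	return hotp(secret, uint64(unixTime/30), digits)
}

// authenticator models the device side of a U2F-style security key: a key
// pair generated at registration whose private half never leaves the device.
// This is a simplified model for illustration, not the FIDO protocol itself.
type authenticator struct {
	priv *ecdsa.PrivateKey
}

// assertion is what the relying party receives back via the browser.
type assertion struct {
	origin    string // origin the browser reports it is actually talking to
	challenge []byte
	sig       []byte
}

func newAuthenticator() (*authenticator, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &authenticator{priv: priv}, &priv.PublicKey
}

// signedData binds the origin and the challenge together before signing.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}

// sign is performed on the key; the origin comes from the browser, not the page.
func (a *authenticator) sign(origin string, challenge []byte) assertion {
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedData(origin, challenge))
	if err != nil {
		panic(err)
	}
	return assertion{origin: origin, challenge: challenge, sig: sig}
}

// verify is the relying party's check: the challenge must be the one it
// issued, and the signature must cover the relying party's OWN origin.
func verify(pub *ecdsa.PublicKey, rpOrigin string, issued []byte, as assertion) bool {
	if !bytes.Equal(as.challenge, issued) {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedData(rpOrigin, issued), as.sig)
}

func main() {
	// Constructed shared secret: the RFC 4226 / RFC 6238 test-vector key.
	secret := []byte("12345678901234567890")
	fmt.Println("TOTP at T=59:", totp(secret, 59, 8)) // 94287082 per RFC 6238
	// The code depends only on secret and time: a copy of the secret (taken at
	// registration or from a breached database) yields exactly the same codes,
	// and the code carries no trace of which site it was entered on.
	copyOfSecret := []byte("12345678901234567890")
	fmt.Println("Copy of secret gives same code:", totp(copyOfSecret, 59, 8) == totp(secret, 59, 8))

	auth, pub := newAuthenticator()
	rp := "https://bank.example" // constructed relying-party origin
	challenge := []byte("constructed-random-challenge")
	fmt.Println("Genuine origin verifies:", verify(pub, rp, challenge, auth.sign(rp, challenge)))
	// If the same challenge were presented from a lookalike origin, the browser
	// would report that origin to the key, and the real relying party's check
	// against its own origin fails.
	fmt.Println("Lookalike origin verifies:", verify(pub, rp, challenge, auth.sign("https://bank-login.example", challenge)))
}
```

The point the two halves make together: for OATH tokens the secret is the whole trust anchor, which is why the text above lists registration interception and database breach as the bypass routes; for a U2F-style key the signature is bound to the origin the browser actually sees, so a code-relaying fake site cannot produce an assertion the real site will accept, and the remaining bypass routes are physical (PIN and device theft), as the text states.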
Industry and regulatory standards such as PCI DSS, NIST 800-63, PSD2, and GDPR all require security controls that provide higher assurance levels, such as authentication that is based on proof of possession of a cryptographic key using a cryptographic protocol. The benefits provided by level-3 compliant authentication methods have been demonstrated by Google. According to the company, its more than 85,000 employees have not been victimized by a significant phishing attack since the use of hardware-based, cryptographic authenticators was implemented.
It’s become evident that threat actors are no longer “hacking in” to carry out data breaches. Instead, they are simply logging in by exploiting weak, stolen, or otherwise compromised credentials. MFA remains the most reliable option for augmenting an organization’s existing access controls. Replacing and/or supplementing username and password authentication with MFA significantly increases the bar and costs for carrying out cyber-attacks, which is why its rate of compromise is close to zero.