It’s Time to Rethink MFA
The UK government has launched new, stricter cyber security measures in response to the growth of ransomware attacks. These measures are designed to protect essential government departments from cyber threats, but they also send a clear message to organisations that it's time to be proactive and put cybersecurity first.
Alongside these measures, the National Cyber Security Centre (NCSC) has released new services to raise awareness of the cyber threats populating the landscape. Whilst these appear to be a step in the right direction, they offer misleading and inaccurate advice, ranging from longer and ‘stronger’ passwords to traditional multi-factor authentication (MFA). Attackers bypass these defences at scale, so they ultimately provide minimal benefit to cyber protection.
The main issue with these ‘defences’ is that they leave the front door open for attackers to enter systems and networks. Reliance on traditional MFA, once considered best practice, is now woefully inadequate against the threats that exist right now, and those threats are clear and present and must be addressed.
It seems a painfully regular occurrence that a large organisation falls victim to a cyber attack. The landscape is littered with attacks that leverage previously stolen passwords, and as the Twilio and Uber incidents show, criminals can now easily bypass legacy forms of MFA to gain illicit access. Once through the network’s front door, they are free to steal data or deploy ransomware. These attacks are becoming white noise, but they should be ringing alarm bells for any organisation relying on this antiquated technology.
Understanding the vulnerabilities of traditional MFA
Cyberattacks are rarely sophisticated. Instead, attackers use simple phishing and social engineering methods to extract information from their targets, ranging from passwords and security-question answers to one-time codes. With these in hand, attackers hold the key to bypass legacy MFA access controls and enter an organisation’s systems.
Traditional MFA that relies on one-time passwords often sends the codes over insecure channels, including email and SMS. These give adversaries an opportunity to intercept them using adversary-in-the-middle techniques, capturing the passwords, MFA codes and login credentials needed to gain access to systems. Because of this antiquated authentication process, it is impossible to know whether the person logging in is the genuine user or an attacker in disguise.
Another technique attackers use to bypass legacy MFA is ‘prompt bombing’. It relies on mobile push notifications: the attacker repeatedly attempts to access the account, triggering an MFA verification request each time, aiming to frustrate and exhaust the user into approving the login and giving away access unwittingly but willingly.
Forcing frustration and exhaustion onto users is the basis of what are known as MFA fatigue attacks, and it is an effective way to bypass legacy authentication technologies. This form of attack is growing in popularity amongst the cyber criminal underbelly: research shows that MFA fatigue attacks hit 55% of user bank accounts that had MFA enabled, 54% of Facebook accounts and 47% of Instagram accounts. And while fatigue attacks are less common for Apple ID accounts (19%) and PayPal accounts (13%), only 19% of users had enabled MFA on these accounts.
To avoid this exhaustion, many users let apps and browsers save passwords and auto-fill them as needed. In the same research, 80% of users admitted to using password autofill tools with at least one account, which ultimately undermines account security.
Phishing resistance is a desperately needed upgrade
Not all MFA is created equal. Weak MFA, meaning methods that rely on passwords, one-time codes, SMS, push notifications or magic links, can all be phished and are equally weak. Organisations using these should, as a matter of urgency, be looking for an upgrade that fits in with their existing architecture and removes the burden from the user.
This is where passwordless and phishing-resistant solutions come into play: solutions that use cryptographic FIDO passkeys together with built-in identity validation features such as facial recognition, fingerprints or a local PIN. Modern MFA must also include what are known as verifier impersonation protections. This means that not only are the credentials based on cryptographic passkeys and biometrics, but the agent answering an authentication request can cryptographically validate that the request comes from an authorised domain. These techniques eliminate the whole class of password-based and adversary-in-the-middle attacks. With them in place, cybercriminals cannot easily bypass authentication as they can today with passwords and legacy MFA, so this technology can remove the most significant cause of data breaches whilst freeing users from the frustration and exhaustion of traditional MFA that drives many into the unsafe arms of auto-filled passwords.
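As an added example (not from the article or from Beyond Identity), a Go model of the origin binding that gives passkeys their verifier impersonation protection: the authenticator only holds a key for the relying party ID it registered with, and the browser-observed origin sits under the signature, so a challenge relayed through a lookalike domain is rejected. The domain names, challenge value and type names are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData mirrors WebAuthn collectedClientData; the browser, not the page, fills in Origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// Authenticator maps a relying party ID (RP ID) to the passkey registered for it.
type Authenticator map[string]ed25519.PrivateKey
// toBeSigned = SHA-256(rpID) || SHA-256(clientData), so the observed origin is under the signature.
func toBeSigned(rpID string, cd []byte) []byte {
	r, c := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	return append(r[:], c[:]...)
}
// Assert is the authenticator side; a lookalike domain has no passkey, so nothing is signed.
func (a Authenticator) Assert(rpID, browserOrigin, challenge string) (cd, sig []byte) {
	priv, ok := a[rpID]
	if !ok {
		return nil, nil
	}
	cd, _ = json.Marshal(clientData{Challenge: challenge, Origin: browserOrigin})
	return cd, ed25519.Sign(priv, toBeSigned(rpID, cd))
}
// Verify is the relying party side: its own origin and challenge must sit inside the signed data.
func Verify(pub ed25519.PublicKey, rpID, origin, challenge string, cd, sig []byte) bool {
	var c clientData
	if json.Unmarshal(cd, &c) != nil || c.Origin != origin || c.Challenge != challenge {
		return false
	}
	return ed25519.Verify(pub, toBeSigned(rpID, cd), sig)
}

// Login: the browser on pageOrigin derives rpID from it; the challenge (a constructed sample) was
// issued by bank.example and may have been relayed unchanged, but only bank.example's verdict counts.
func Login(a Authenticator, pub ed25519.PublicKey, rpID, pageOrigin string) bool {
	cd, sig := a.Assert(rpID, pageOrigin, "constructed-nonce-1234")
	return Verify(pub, "bank.example", "https://bank.example", "constructed-nonce-1234", cd, sig)
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	a := Authenticator{"bank.example": priv} // passkey registered with the genuine site
	fmt.Println("genuine:", Login(a, pub, "bank.example", "https://bank.example"))           // true
	fmt.Println("relayed:", Login(a, pub, "bank-login.example", "https://bank-login.example")) // false
}
```

The relayed case fails twice over: the authenticator has no key for the lookalike RP ID, and even if the genuine key were used, the signed client data would name the wrong origin and fail verification.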
With phishing-resistant, passwordless MFA that binds the user’s identity to the device and uses biometric authentication to verify users frictionlessly, organisations have a tool in their arsenal designed with these threats in mind. By upgrading to this technology, companies can better protect their customers, their users and themselves from those who would otherwise do them harm. This move can go a long way towards preventing cybercriminals from using their most popular weapon, now and in the future: the front-door key of compromised credentials.
Jasson Casey
Jasson is Chief Technology Officer at Beyond Identity. Before joining the company, he held technical and executive roles including CTO of SecurityScorecard, VP of Engineering at IronNet Cybersecurity and Founder and Executive Director of Flowgrammable. Jasson received a bachelor's degree in computer engineering from The University of Texas at Austin and a PhD in computer engineering from Texas A&M University.