4 Dangers of Sticking with Outdated MFA Methods

Written by jasonsoroko | Published 2022/01/30


Multi-factor authentication (MFA) is an effective way to strengthen the security of business information and technical infrastructures. But not all MFA is created equal, and outdated forms no longer suffice in today’s complex cybersecurity landscape. Malicious actors use sophisticated attacks to defeat rudimentary MFA methods and access critical business systems and valuable data.
The pandemic-driven growth of distributed workforces expanded this doorway and intensified attacks such as phishing and credential-stuffing. The 2021 Data Breach Investigations Report by Verizon states that 61 percent of breaches involved credentials, and 25 percent included stolen credentials last year. The report went so far as to refer to credentials as “the glazed donut of data types” because hackers find them so irresistible.
Given time, outdated MFA methods can and will translate into successful breaches for any organization that relies on them. Here are four of the most significant dangers that can arise in such a scenario.

Danger #1: Mismanaged and Stolen Passwords

Most traditional MFA methods include passwords, which can easily be compromised. People tend to forget passwords and often reuse the same ones. They create weak passwords for the sake of having something easy to remember. They store passwords in an unprotected document or app for easy reference. They sometimes share their passwords with colleagues to facilitate collaboration.
Even if a user creates a strong password and never shares it, a keylogger or screen-scraper malware can still collect it when it is typed and deliver it to malicious actors over the internet. The compounded risk is vast, and it’s the reason why government agencies such as the National Institute of Standards and Technology (NIST) and the FBI frequently warn against outdated MFA approaches.

Danger #2: Layered Verification Vulnerabilities

Providing an additional security layer beyond the password level, two-factor authentication (2FA) requires users to authenticate their identities with a token-based approach or through a separate communication channel.
Authentication factors include knowledge (the answers to challenge questions), possession (a one-time password from an owned device), or inherence (a personal attribute such as a fingerprint or distinct style of typing). These factors are often referred to respectively as “what you know,” “what you have,” and “what you are.”
A common example: following a successful password challenge, the server generates another credential, such as a temporary code or additional password, and sends it to the requesting device. All one-time passcodes associated with a password constitute a shared secret or ‘symmetric’ secret and are susceptible to being discovered.
Out-of-band (OOB) authentication is a type of 2FA that requires two different communication channels: typically, the user’s internet connection and a phone call. Although such approaches complicate standard attacks, attackers can still often port a phone number to a device they control and gain access to OTPs via techniques such as SIM-swapping. This proved successful during an attack on Twitter founder Jack Dorsey, in which the attacker was able to cajole a mobile phone carrier into transferring Dorsey’s account-based phone number to a fraudulent SIM card.
2FA places the burden of security squarely on the shoulders of the user, and too often undermines its own efficacy by adding cumbersome user steps. The bottom line is that such insufficient MFA is almost as vulnerable to today’s cybercriminals as passwords used to be.

Danger #3: Social Engineering Trickery

Social engineering — the process of persuading employees into taking action based on a false account or emotion-driven request — has always been a versatile tool in the hacker’s kit and offers a straightforward way to defeat outdated MFA. In fact, today’s clever malicious actors often find it easier than ever due to remote workforces and related IT policies and processes.
Through social engineering, hackers can obtain access to sensitive information such as employee credentials, customer and employee personally identifiable information (PII), financial accounts, and private conversations. They can deceive employees into wiring money to accounts that appear to belong to suppliers or other partners but are really controlled by cybercriminals.
They can also trick users into downloading malicious apps with screen recording capabilities. In March 2020, cybercriminals did just this with the TrickBot trojan. TrickBot could record screens and see push notifications and text messages containing one-time passwords. SMS-based one-time passwords have been deprecated as a form of MFA by NIST.
It’s clear that addressing social engineering will require a new, more rigorous approach to security.

Danger #4: Unprotected Machine Interactions

As ineffective as MFA is with respect to user-device sessions, it provides absolutely no protection for machine-to-machine sessions that take place behind the company firewall. Yet strong authentication is clearly necessary to secure sessions between servers, applications, containers, IoT devices, and other network nodes.
One of the most widely deployed approaches to solving this problem lies in MFA based on public key infrastructure (PKI) using digital certificates. These certificates, exchanged at the beginning of any session, authenticate the session participants’ identities in a rigorous fashion and ensure that only the right machines have access to that session.
However, PKI is a complex technology, and it becomes more complex in proportion to the total number of digital certificates. Realizing the intended outcome from a PKI deployment will require extensive expertise and the proper tools. Organizations that attempt a private implementation may find that better results would come via partnering with a trusted third party that specializes in PKI and digital Certificate Lifecycle Management.

The PKI Wake-Up Call

Due to the way PKI leverages both digital certificates and a sophisticated encryption process, it is arguably the best way to secure all digital transactions.
The encryption process works via a cryptographic key pair — one public key that is distributed openly and used to encrypt transmitted data, and one private key that is required to decrypt that data once it’s received.
This process ensures that transmitted data cannot be read or leveraged even if it’s intercepted in some way. In contrast to the shared or ‘symmetric’ secret associated with one-time passcodes, PKI is based on an ‘asymmetric’ key pair, in which the private key is never shared.
Additionally, PKI-based certificates not only offer the strongest form of identity authentication and encryption but also simplify employees’ access to company resources. The users’ digital certificate keys are stored directly in their computers, laptops, or mobile phones, allowing the devices to authenticate without requiring any action from the users.
PKI is not the only identity solution for MFA, but it is a mature and robust technology able to handle the proliferation of digital identities at scale. It rigorously authenticates both users and machines, eliminates any dependence on passwords, and greatly reduces the total attack surface. For these reasons, PKI helps to establish a web of trust in the digital world.
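The contrast the article draws between the shared ‘symmetric’ secret behind one-time passcodes (Danger #2) and an ‘asymmetric’ key pair whose private key is never shared (this section) can be seen in code. The following Go example is added here and is not code from the article or from Sectigo: it implements RFC 6238 TOTP using the RFC’s own published test-vector secret, beside an ECDSA challenge-response in which the server stores only the public key; the function names and the nonces are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// TOTP per RFC 6238 (HMAC-SHA1, 30 s step, 6 digits). Server and device
// must both hold the same secret, so any copy of it yields valid codes.
func TOTP(secret []byte, unixTime int64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.4
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// Asymmetric challenge-response: the server stores only the public key and
// sends a fresh random nonce; the private key never leaves the device.
func SignChallenge(priv *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

func VerifyChallenge(pub *ecdsa.PublicKey, nonce, sig []byte) bool {
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	// RFC 6238 test-vector secret and time: a stolen copy mints the same code.
	secret := []byte("12345678901234567890")
	fmt.Println("server copy:", TOTP(secret, 59), "stolen copy:", TOTP(secret, 59))
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	nonce, replay := make([]byte, 32), make([]byte, 32)
	rand.Read(nonce)
	rand.Read(replay)
	sig, _ := SignChallenge(priv, nonce)
	fmt.Println("fresh response verifies:", VerifyChallenge(&priv.PublicKey, nonce, sig))
	fmt.Println("replayed against new nonce:", VerifyChallenge(&priv.PublicKey, replay, sig))
}
```

A server breach that leaks the TOTP seed table is equivalent to leaking every user’s second factor, whereas leaking the stored public keys gives an attacker nothing to sign with.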
By: Jason Soroko, CTO of PKI, Sectigo

Written by jasonsoroko | Sectigo is a leading provider of digital certificates and automated Certificate Lifecycle Management (CLM) solutions.
Published by HackerNoon on 2022/01/30