How MFA Is Falling Short

Bibin Mohan

5 min read
How MFA Is Falling Short
Photo by Ed Hardie / Unsplash

Introduction

In today's digital landscape, where security is paramount, Multi-Factor Authentication (MFA) has long been considered the gold standard. However, recent events and the emergence of sophisticated attacks have exposed its vulnerabilities, underscoring the urgent need for a more robust security solution.

The Illusion of Security

For instance, in baseball, where being on base doesn't guarantee safety, MFA can create a deceptive sense of security. Attackers ruthlessly exploit This illusion by employing advanced techniques like phishing, vishing, and Man-In-The-Middle (MITM) attacks. The breach at Retool in August 2023, where multiple layers of security were effortlessly bypassed, serves as a stark reminder of these risks. Retool's breach was particularly alarming because attackers exploited multiple weaknesses to gain access to their systems, including vulnerabilities in VPN, SSO, and Google Authenticator.

Common MFA Weaknesses

Social Engineering is one of the easiest ways to bypass MFA by manipulating individuals. Attackers posing as trusted sources can trick employees into revealing OTPs or credentials. The breaches at Rockstar Games and MGM exemplify this tactic. For instance, attackers breached Rockstar Games by pretending to be IT support and convincing an employee to share their credentials.

Session Hijacking targets browsers and cookies. Once an attacker gains access to session cookies, they can hijack sessions even after MFA validation, as seen in the Cisco hack. Attackers used this method to compromise a Cisco employee's personal Google account, which had synced their Cisco credentials, allowing attackers to bypass MFA through a technique known as MFA fatigue.

MITM Attacks involve advanced phishing kits that create fake login pages capturing both credentials and session cookies, giving attackers complete access. The evolution of phishing-as-a-service platforms like "Tycoon 2FA" demonstrates the sophistication of these attacks. These kits use transparent reverse proxies to present real websites to victims while capturing their credentials and session cookies.

SIM Swapping involves tricking mobile carriers into hijacking phone numbers and intercepting SMS-based OTPs. This method was used in the notorious Lapsus$ attack on Microsoft. Attackers gather enough personal information to impersonate the victim with their mobile carrier and get a new SIM card issued, effectively taking over the victim's phone number.

MFA Fatigue involves overwhelming users with authentication requests until they accidentally approve one. This method was effectively used in the Uber hack. Attackers bombard the victim with multiple MFA requests, often at inconvenient times, until the victim, out of frustration or confusion, approves one of the requests.

The Path Forward: Enhancing MFA

Addressing the vulnerabilities of MFA with more robust and phishing-resistant methods is a critical step. One of the most effective solutions is adopting FIDO2 standards, which can significantly enhance security and user experience.

FIDO2 is an open standard for user authentication that aims to reduce reliance on passwords and enhance security. It consists of two key components: the WebAuthn standard, which defines an API for browsers to interact with authenticators, and the CTAP (Client to Authenticator Protocol), which enables communication between devices and external authenticators.

FIDO2 employs public key cryptography, ensuring that user credentials are never shared with service providers, thus mitigating the risk of phishing and MITM attacks. Here's how it works:

  1. Registration: A key pair is generated when a user registers with a service. The private key is stored securely on the user's device, while the public key is shared with the service provider.
  2. Authentication: When the user attempts to log in, the service provider sends a challenge to the user's device. The device signs this challenge with the private key, and the signed challenge is sent back to the service provider. The service provider verifies this signature with the stored public key.

The key benefits of FIDO2 include:

  • Phishing Resistance: Phishing attacks are ineffective because the private key never leaves the user's device and cannot be intercepted.
  • Passwordless Authentication: FIDO2 supports using biometrics (like fingerprints or facial recognition) or hardware tokens (like Yubikeys), eliminating the need for passwords.
  • Improved User Experience: Users no longer need to remember complex passwords or deal with the hassle of frequent password changes.

Device Trust ensures that devices are secure before they authenticate, preventing compromised devices from being used in attacks. Device trust tools can ensure that only secure, compliant devices can access sensitive systems.

Education and awareness are crucial and empowering tools for training employees to recognize and respond to social engineering attacks, thereby limiting the damage. Quick reporting and response were critical to mitigating the Reddit breach. Regular training sessions and simulated phishing attacks can help keep employees vigilant and confident in combatting these threats.

Password Managers can secure current credentials and support passkeys while transitioning to a passwordless future. Password managers can generate and store complex passwords, reducing the risk of password reuse and weak passwords.

Continuous Improvement involves regularly updating and patching systems and adopting new security measures to stay ahead of attackers. Reviewing and updating security policies and tools is essential to adapting to evolving threats.

Effective Transition to FIDO2

Transitioning to FIDO2 involves several key steps. Assessment and Planning involves evaluating current MFA systems and identifying areas of vulnerability. Based on this assessment, a high-level roadmap for integrating FIDO2 should cover the following -

Infrastructure Readiness ensures IT infrastructure supports FIDO2, which may involve upgrading hardware, software, and network systems.

Pilot Program involves implementing a pilot program with a small group of users to test FIDO2 integration. Feedback is gathered, and issues are addressed.

Comprehensive user training and education are vital components of the transition to FIDO2. This process not only familiarizes employees with the benefits of FIDO2 but also equips them with the necessary skills to use new authentication devices effectively.

Gradual Rollout involves gradually expanding the rollout to more users while continuously monitoring and optimizing the system.

Support and Troubleshooting provides robust support to address technical issues or user concerns during the transition.

Infrastructure Upgrades for FIDO2

Hardware Security Modules (HSMs) are crucial for securely storing and managing cryptographic keys. Ensure servers can handle FIDO2 protocols and integrate with existing systems by performing Server Upgrades.

Deploy Biometric Devices like fingerprint scanners or facial recognition cameras for added security. Updating or replacing outdated software is necessary to support FIDO2, including web browsers and operating systems through Software Updates.

Integrating FIDO2 into Identity and Access Management (IAM) Systems ensures seamless authentication processes. Network Security Enhancements are essential to protect against potential threats during and after the transition.

Choosing the Right HSMs

When selecting HSMs for FIDO2, Compatibility with your existing infrastructure is essential. Look for Security Features such as strong cryptographic capabilities, secure key management, and tamper resistance. Assess the Performance of the HSM to handle the required transaction volumes without latency. Ensure the HSM can Scale with your organization's growth and future security needs. Ensure Compliance with regulatory requirements and industry standards for security. Consider the level of Vendor Support and updates provided.

By evaluating these factors, organizations can select HSMs that provide robust security and efficient integration for FIDO2.

Conclusion

MFA remains a critical component of digital security, but it must evolve to address its shortcomings. By adopting phishing-resistant methods like FIDO2, ensuring device trust, and enhancing user education, organizations can better protect themselves against increasingly sophisticated attacks. The transition to FIDO2, though complex, offers a promising path to a more secure and user-friendly authentication future.

Read more