In today’s threat landscape, where cyber attacks have emerged as a potent threat to individuals, businesses, and governments, cybercriminals have become adept at exploiting vulnerabilities to expose and compromise systems. As organizations look to improve their cyber resilience, one of the first steps to effectively protect against cyber attacks is the implementation of robust authentication protocols.
Implementing strong authentication techniques can help organizations prevent unauthorized access to systems and protect sensitive information from falling into the wrong hands. As highlighted by the Cloud Security Alliance in a recent blog post, the adage “Attackers don’t hack, they log in” bears a great deal of truth. According to the 2022 Verizon Data Breach Investigations Report, the misuse of credentials was among the top causes of data breaches, highlighting the need for businesses to prioritize the implementation of strong authentication measures.
This post explains the need for strong authentication, outlines best practices, and highlights the primary security risks associated with authentication protocols and how to mitigate them.
What is Authentication?
Authentication is the process of verifying the identity of a user or device before granting access to a system or network. It is typically achieved by requiring users to provide some form of identification, such as a username and password. However, users have well-documented problems following password best practices, and a single-factor credential such as a password can easily be stolen and used by others, whether through a data leak, brute force, or social engineering. Organizations have therefore, in recent years, recognized the need for additional authentication methods, widely referred to as multi-factor authentication (MFA).
Some MFA methods in common use today involve a biometric factor such as a fingerprint or facial recognition scan. Authenticator apps that generate unique, time-based codes and hardware USB keys are also becoming increasingly popular among security-conscious enterprises.
Why is Strong Authentication Important?
Strong authentication is crucial for protecting against cyber attacks, particularly those that rely on stolen credentials. As noted above, cybercriminals are adept at devising new ways to steal login credentials, whether through phishing emails, social engineering tactics, or brute-force attacks. Once they have obtained valid credentials, they can gain unrestricted access to a system or network, putting sensitive data and resources at risk.
Robust authentication protocols that add further layers of authentication, such as multi-factor authentication (MFA), can significantly reduce the risk of unauthorized access. Simply knowing or obtaining a user’s login credentials is not sufficient to gain access when a biometric or other additional factor is required. MFA, when implemented with best practices in mind, is a simple but very effective countermeasure to one of the main routes of compromise used by threat actors.
Best Practices for Strong Authentication
Implementing strong authentication protocols is a critical step in protecting against cyber attacks. Here are some best practices for ensuring strong authentication:
- Use Multi-Factor Authentication: As mentioned earlier, MFA is one of the most effective ways to protect against unauthorized access. Implementing MFA can greatly reduce the risk of stolen credentials.
- Enforce Strong Password Policies: Passwords are still one of the most common forms of authentication, so it’s important to ensure that users use strong passwords. Enforce password policies that require users to use complex passwords and encourage them to use password managers to store their passwords securely.
- Implement Biometric Authentication: Biometric authentication, such as fingerprint or facial recognition scans, can greatly enhance the security of authentication. These methods are much harder to replicate than passwords and can provide additional protection.
- Monitor and Analyze Authentication Logs: Monitoring authentication logs can help detect and prevent unauthorized access attempts. Analyzing authentication logs can also provide valuable insights into potential security vulnerabilities.
How Cyber Attackers Bypass MFA
Strong authentication is an essential part of good enterprise security, but on its own it will not stop determined and persistent attackers. As more organizations have understood the need for multi-factor authentication, threat actors have consequently sought ways to bypass or work around the associated technologies. Understanding both the strengths and weaknesses of MFA is an important part of managing this essential security measure.
Some forms of MFA require the user to approve access on another device or in an authenticator app, and typically work by pushing notifications to the nominated device. If an attacker has already compromised the user’s credentials, for example through a phishing attack, they can trigger the notification repeatedly in the hope that the user approves the request out of fatigue or by mistake.
Many popular workplace applications that require authentication – think Slack or Teams, for example – work by placing session cookies on the user’s device after successful authentication. These cookies may have a session time limit measured in hours or days, and in some cases the application may use never-expiring cookie sessions.
If a threat actor is able to steal valid session cookies from a device, they may be able to log in as the user on another device without re-authenticating. Session cookie theft is a primary objective of infostealers and other malware, and was implicated in the breach of CircleCI in early 2023.
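The two bypasses described above leave traces in authentication logs, which is what the "Monitor and Analyze Authentication Logs" practice is meant to catch. The following is an added example, not code from the original post, that runs two simple detections over a constructed sample log: a burst of unapproved push challenges followed by an approval (push-notification abuse), and a session identifier used from more than one source IP (possible cookie theft). The log format, field names, and sample values are assumptions for illustration only.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs), one per line:
# timestamp,user,event,result,src_ip,session_id
SAMPLE_LOG = """\
2023-03-01T09:00:01,alice,mfa_push,denied,203.0.113.5,-
2023-03-01T09:00:20,alice,mfa_push,timeout,203.0.113.5,-
2023-03-01T09:00:45,alice,mfa_push,denied,203.0.113.5,-
2023-03-01T09:01:10,alice,mfa_push,denied,203.0.113.5,-
2023-03-01T09:01:40,alice,mfa_push,approved,203.0.113.5,s-777
2023-03-01T09:05:00,alice,session_use,ok,203.0.113.5,s-777
2023-03-01T09:06:30,alice,session_use,ok,198.51.100.9,s-777
2023-03-01T10:00:00,bob,mfa_push,approved,192.0.2.44,s-888
2023-03-01T10:30:00,bob,session_use,ok,192.0.2.44,s-888
"""

def parse(log):
    """Parse the hypothetical CSV log format above into event dicts."""
    events = []
    for line in log.splitlines():
        ts, user, event, result, ip, sid = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "result": result, "ip": ip, "sid": sid})
    return events

def push_fatigue(events, window=timedelta(minutes=5), threshold=3):
    """Users whose approved push was preceded, within `window`, by at least
    `threshold` pushes that were denied or timed out: repeated-prompt pattern."""
    flagged = set()
    per_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            per_user[e["user"]].append(e)
    for user, pushes in per_user.items():
        for i, p in enumerate(pushes):
            if p["result"] != "approved":
                continue
            recent = [q for q in pushes[:i]
                      if p["ts"] - q["ts"] <= window and q["result"] != "approved"]
            if len(recent) >= threshold:
                flagged.add(user)
    return flagged

def session_reuse(events):
    """Session ids seen from more than one source IP: candidate cookie theft."""
    ips = defaultdict(set)
    for e in events:
        if e["sid"] != "-":
            ips[e["sid"]].add(e["ip"])
    return {sid for sid, seen in ips.items() if len(seen) > 1}
```

Real identity providers log these events in their own schemas, so the parser and field names would need adapting; the two detection functions are the reusable part.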
In Adversary-in-the-Middle (AiTM) attacks, also known as Man-in-the-Middle (MitM) attacks, threat actors intercept the communication between a user and a system. By inserting a proxy server between the user and the system, attackers can gather the user’s credentials and steal the session cookie returned by the authentication system.
AiTM attacks typically begin with a phishing email sent to the target that contains a link to a phishing server posing as the legitimate service the user intends to log into. The user enters their credentials into the proxy server, which forwards them to the legitimate server. The server’s response is also captured by the attacker, who now holds everything exchanged between the user and the system needed to complete the authentication process.
SIM swapping exploits the process by which cell phone providers assign numbers to new devices. Threat actors pose as the victim to convince a provider to reassign the number from the victim’s SIM card to one controlled by the attacker. This allows the attacker to intercept authentication codes and other 2FA messages sent to the user.
SIM swapping was used effectively in a number of breaches throughout 2022 attributed to the Lapsus$ group.
How to Defend Against MFA Bypass Attacks
It is likely that threat actors will continue to innovate and devise new MFA bypass attacks, but the following best practices can help mitigate the risks associated with known bypasses today:
- Limit or disable MFA push notifications
- Ensure session cookies expire at shorter intervals
- Use at least one form of biometric authentication
- Consider using hardware keys for maximum security
In addition, enterprises can fortify their identity surfaces and protect credentials with ITDR (Identity Threat Detection and Response) tools that can proactively detect and prevent identity-based threats.
Strong authentication protocols are crucial for protecting against cyber attacks. Implementing strong authentication measures, such as MFA with biometric authentication, can greatly reduce the risk of unauthorized access and protect sensitive data and resources.
By following best practices for strong authentication, businesses and individuals can fortify their digital defenses and defend against the ever-present threat of cyber attacks.