Multi-factor authentication (MFA) has acquired the mantle of being one of the most common security best practices recommended to enterprises. However, while it is a useful first line of defense, the recent rash of successful identity-based attacks seen in 2022 has shown that implementing MFA alone does not make enterprises infallible.
In fact, the MFA system largely relies on human behavior and decision-making – vectors that can open up enterprises to various paths of attack. Since MFA is only as strong as its weakest link, it depends on the cyber resilience of the individual using it.
This blog post discusses why MFA has become a common target for attack, the array of identity-based attacks in use today by attackers, and what the future of security for the identity surface looks like for enterprises going into 2023.
The Nature of MFA & Why It’s a Target
All forms of MFA share a common denominator – human users making decisions based on their own level of cybersecurity understanding. Threat actors capitalize on this element by employing social engineering tactics and malware to manipulate users into giving up their legitimate access.
MFA fatigue in particular has plagued enterprises in 2022. MFA fatigue works by flooding a user’s authentication app and device until they acquiesce to the deluge of push notifications. The attack path of this tactic usually follows these steps:
- Through a separate tactic, usually phishing, the threat actors obtains legitimate credentials of the user they are targeting.
- The actor then uses the credentials to log into the target’s account, thus triggering the push notification for MFA. This step is repeated multiple times in succession.
- The targeted user receives all of the push notifications on their app and device again and again. Sometimes, the attacker will pose as a member of the IT department and encourage them to accept the access attempt.
- Eventually, the user will accept the access either by mistake or to stop the flood of notifications, giving the attacker access to the rest of the account.
Other than overcoming the human element of the MFA system, the nature of how it is implemented also contributes to its fallibility. Security measures are only as effective as the scope of their implementation. Poorly-implemented MFA can be bypassed and anything less than 100% perfect implementation of MFA across all users of a system can be counted as a way in for opportunistic attackers.
Security researchers have identified numerous ways that MFA can be abused or bypassed, particularly when only a 2FA code is used, including
- Manipulating the response from “false” to “true”
- Manipulating the Status code to bypass 2FA
- Checking to see if the 2FA code is leaked in the response
- Reusing 2FA codes
- Brute forcing 2FA code
- Disabling 2FA by changing login credentials
- Bypassing 2FA with invalid access code
Current MFA Attacks in the Threat Landscape
Exploiting the element of human involvement in MFA defenses, cyber attackers are starting to dodge MFA controls through a variety of techniques.
- Attacker-In-the-Middle (AiTM) attacks – AiTM attacks take place between two communication hosts where an attacker manipulates the exchange of data happening. Both hosts believe they are communicating with the other but, in reality, the third-party attacker has intercepted the messages and controls the entire exchange. Attackers gain sensitive personal information such as account details, logins, and more through this kind of attack.
- SIM-swapping attacks – A technique frequently used for bypassing MFA, scammers first pose as the victim and request the victim’s telecoms provider to change out the existing SIM card to one that is controlled by the scammer. Once the SIM is swapped out, all of the victim’s calls and messages are received by the scammer; this of course including any MFA codes provided by an SMS-based MFA process.
- Pass-the-Cookie attacks – In this type of attack, a threat actor steals an authentication or session cookie which is stored by a web browser when a user logs into a web-based resource. This stolen cookie is then injected into a new web session to trick the browser that the same user is present and therefore bypasses the need to have the user prove their identity again in the new session. Pass-the-cookie attacks exploit the fact that many applications save cookies do not expire or only do so once a user logs out of the service.
Resistance to MFA Adoption
Despite the issues, it’s important to recognize that MFA is still an important part of a deeper defence strategy. Organizations that don’t deploy MFA are leaving the front door wide open.
Despite MFA being available for decades and highly recommended by cybersecurity experts, many small to medium businesses (SMBs) still have not made the move to require MFA from their employees and customers.
Efforts to implement MFA across a company can be susceptible to user resistance, with concerns that MFA might hinder how employees access their tools or may add more work for clients trying to access their data.
The following statistics from the Global Small Business MFA Study shed light on the levels of adoption in the SMB community today:
- 54% of SMBs said they do not use MFA to secure their employee’s information
- 55% of SMBs are not very aware of MFA and its security benefits
- 20% of SMBs do not have employee training on the use of MFA
- 20% of SMBs cite “inconvenient to use” as a reason for resisting MFA
What’s Next In Identity Protection for Enterprises?
While MFA is no silver bullet for stopping identity-based cyberattacks, it is still capable of preventing a good number of account takeover attempts. To stay ahead of threat actors though, enterprises will need to implement additional levels of protection to augment their MFA technology.
After MFA-centric attacks have garnered such attention in the past few years, the U.S. government this year mandated all federal agencies to implement phishing-resistant MFA. This type of MFA leaves behind one-time passwords (OPTs), SMS text messages, and push notifications completely.
Instead, the MFA process is based on a FIDO2 (Fast Identity Online) network, allowing users to access their resources using fingerprints and cameras, for example. As FIDO2 authentication uses cryptographic login credentials unique to every website, they never leave the user’s device nor are they ever stored on a server. This model eliminates the risks of phishing as well as various forms of replay attacks and password theft.
Enterprises can also make their MFA less phishable by:
- Adding more information and context to user logins. Rather than just having MFA prompt simple ‘accept’ or ‘deny’ to authenticate, details such as global ID, device location, and device name can be added.
- Having MFA solutions tied to specific URLs, hosts, and devices to prevent direct access to the resource in case of an AiTM attack.
- Ensuring the MFA solution requires a rigorous reset and recovery process and that session cookies, security tokens, and seed values are set to expire in less than 24 hours.
For organizations unable to implement phishing-resistant MFA, CISA has recommended the use of number matching as a defense tactic against attacks such as MFA fatigue. Number matching works by forcing the person initiating a login to enter numbers from the platform into an Authenticator app to approve the request for access.
Under normal circumstances, users initiating a login enter the numbers generated on the login page and complete authentication on a mobile device. In an MFA fatigue attack, the login is initiated by the attacker, meaning the numbers are visible only to the attacker and not the legitimate user. Consequently, the user cannot inadvertently grant access to the attacker through the MFA push notification.
Spamming may still occur, but number matching prevents legitimate users from giving in to the attack. In their directive, CISA notes that number matching is best used as an interim solution as it is not as strong as phishing-resistant MFA.
Outside of simply implementing MFA, the key to building a strong defense for the identity surface lies in recognizing the connection that links identity and security. Attacks reported in 2022 have shown the risks enterprises take when gaps in the identity protection strategy are left up to MFA alone.
While strong cybersecurity strategies include identity-based security tools such as identity and access management (IAM) and privileged access management (PAM), these are just the starting point of establishing identity-based protection in the long term.
Modern and innovative identity management tools will work in line with robust cybersecurity platforms like an Extended Detection and Response (XDR) to protect digital identities as well as the systems that manage them. A combination of both reduces the overall identity attack surface as it limits an enterprise’s exposure to attacks while constantly monitoring for signs of common and novel identity-based vectors.