Passwords and authentication

The recent spate of phishing attacks against identity-based authentication shows the extent to which MFA defenses can crumble, even under unsophisticated tactics.

Cybersecurity professionals and authorities resoundingly agree MFA in any form is better than single-factor authentication, such as a username and password combo, but its strength resides on many variables, most of which are unattended to or unmet.

Configurations that depend on email, text messages or unmanaged devices that might contain malware create weaker methods of authentication. 

“As we have seen, cyber predators have found MFA workarounds,” said Ron Westfall, senior analyst and research director at Futurum Research. Too many organizations limit their use of MFA with these methods when stronger MFA controls can be achieved with cryptographic techniques, authentication apps and physical keys, he said.

MFA isn’t a panacea for cyber woes — just ask some purveyors of MFA services that have been targeted and beaten at their own game.

“MFA has been universally accepted as a secure design inclusion, and even before these types of attacks became common, the idea that MFA will solve authentication security forever without introducing other unknown risks is an illogical one,” Casey Ellis, founder and CTO at Bugcrowd, said via email.

Twilio’s widely-used two-factor authentication service was compromised in August after multiple employees were duped into providing their credentials to threat actors. 

The attack, part of a larger campaign that compromised at least 10,000 user credentials, spread to 163 Twilio customers, including Okta and Signal, and traveled downstream to many of their respective users’ credentials.

MFA wasn’t enough to stop attacks against Cisco or Uber, either.

MFA in its assorted schemes

The most broadly adopted systems of MFA rely on human behavior, which opens organizations to multiple paths for attack. 

Text messages, email, and one-time passwords are susceptible to adversary-in-the-middle attacks that allow threat actors to bypass MFA.

“Many organizations and users rely on phone numbers as digital identity devices for which they are not purpose-designed,” Westfall said.

“In the event of a stolen or compromised smartphone or device, an attacker can transfer the phone number and key data to themselves or a collaborator to receive the authentication requests — an avoid at all costs scenario,” Westfall said. 

Email- and text-based MFA should only be used when no alternatives are available, Jason Rebholz, CISO at Corvus Insurance, said via email.

“Not all forms of MFA are created equal,” Rebholz said. “The reality is that most MFA implementations do rely on human behavior and decision making. Hackers exploit this with new techniques like MFA prompt bombing, which aims to annoy the user into clicking ‘approve’ to make the prompts stop.”

Factors that increase MFA vulnerabilities

Human involvement, the first and foremost factor that imposes additional vulnerabilities on MFA, is often unavoidable.

“It can be argued in today’s threat landscape that while having any form of MFA is better than no MFA, text message and email-based MFA is considered broken,” Daniel Thanos, VP of Arctic Wolf Labs, said via email.

“These methods of MFA are vulnerable to exploitation of human behavior. And while they do make it more difficult for a threat actor to compromise an account, they can be bypassed via MFA fatigue and SIM-swapping techniques,” Thanos said.

It’s not so much that MFA is too reliant on human behavior, but rather that most forms of authentication inherently involve a human. 

“Without the human, MFA wouldn’t have context to exist in the first place,” Ellis said.

Ultimately, MFA is only as strong as the weakest link in the supply chain and the resilience of each individual using it. 

For example, “it would be somewhat pointless to use email-based MFA if your email itself does not have MFA,” Sounil Yu, CISO and head of research at JupiterOne, said via email.

MFA creates one barrier in the way of threat actors, but organizations that overburden this layer of defense can and will be reminded of its shortcomings the hard way.

“Every security innovation is eventually bypassed. MFA ups the game for attackers and makes it harder, but security is never done,” said Peter Firstbrook, research VP at Gartner. “We have to assume failure and prepare for these types of bypasses, rather than keep searching for the perfect authentication method.”

The Cybersecurity and Infrastructure Security Agency released its long-awaited, cross sector cybersecurity performance goals, in a bid to raise the security baselines. Far from esoteric, the efforts listed are meant to serve as a broadly-digestible roadmap to minimum operational security.

The 37 voluntary goals span the technical and the tactical, weighing the cost, complexity and impact of security initiatives. But they are not exhaustive and do not capture all that is required to protect critical infrastructure security. 

The goals "capture a core set of cybersecurity practices with known risk-reduction value broadly applicable across sectors,” CISA said.

CISA placed a premium on low cost, high impact security efforts, which accounts for more than 40% of the goals. 

Setting a minimum password strength, for example, can mitigate password spraying or credential stuffing. It's a particularly important goal for those organizations without multifactor authentication or the ability to defend brute-force attacks. 

Password-related policies are also entry-level security initiatives, albeit ones that can have a large impact. CISA also highlighted the need to fill leadership gaps by appointing organizational cybersecurity leadership, someone who can make implementing other goals more realistic.

CISA categorizes just three initiatives as high cost, high impact and highly complex: prohibiting the connection of unauthorized devices; third-party validation of the effectiveness of cyber controls; and network segmentation.

The agency plans to reevaluate the goals throughout the year, taking industry input into consideration for potential changes. Explore the 37 goals below. 

Phishing remained the top initial access vector for security incidents last year with more than 2 in 5 of all incidents involving phishing as the pathway to compromise, IBM research found.

Three in 5 of all phishing attacks were conducted through attachments last year, according to IBM Security X-Force’s annual threat intelligence report. Phishing via links accounted for one-third of all phishing attacks. 

One-quarter of attacks involved the exploitation of public-facing applications and 16% abused valid accounts for access. Just 1 in 10 involved external remote services. 

The consistent ranking of phishing as the most prevalent initial access vector underscores the need for organizations to focus on people, process and technology, according to Stephanie Carruthers, global head of innovation delivery and chief people hacker at IBM Security X-Force Red.

Phishing has enjoyed longstanding success as an initial access vector and attackers are constantly innovating their approach to keep phishing alive and thriving, Carruthers said.

“It only takes one person to click that link that could lead to a major compromise,” Carruthers said via email. “And it works because it’s simple and plays on human emotions. That’s a trifecta right there and that’s what’s providing staying power.”

The latest phishing tactics need to be shared with employees so they know what to look out for, such as phishing emails that are getting harder to spot.

Thread hijacking, which involves a threat actor hijacking an email account and responding to email threads pretending to be the original victim, doubled in 2022.

“What makes thread hijacking so dangerous is that attackers are hitting people when their defense is down, after that first level of trust has already been established,” Carruthers said.

The research highlights trends and points of compromise that played out in some of the most high-profile incidents of 2022.

Incidents involving identity access managers, such as Okta and Twilio, impacted many potential downstream victims and in one case they were intertwined when a phishing attack against Twilio exposed one-time passwords of multiple Okta customers.

The majority of penetration tests IBM Security X-Force Red ran for clients in 2022 revealed improper authentication or handling of credentials. Many organizations lacked visibility into applications and endpoints exposed through identity access management services, the report found.

The report is based on research data IBM Security X-Force gathered in incident response engagements throughout 2022, in addition to vulnerability and exploit databases and network and endpoint tracking.

Multifactor authentication can bear weaknesses that render its efficacy moot. A common response and answer to the most problematic forms of MFA, though the details are limited at best, is phishing-resistant MFA.

The qualifier, phishing resistant, is broadly defined as modes of authentication that rely on cryptographic techniques, such as an asymmetric pair of private and public keys, the Web Authentication API (WebAuthn) specification, biometrics or the FIDO2 standard. 

In practice, phishing-resistant MFA is about getting away from the use of one-time passcodes that are primarily sent via text message or email. 

Threat actors routinely evade these variants of MFA, which cybersecurity professionals describe as broken but still better than single-factor authentication.

“Phishing, by definition, requires user interaction. Therefore, MFA that minimizes or removes user interaction altogether are the most phishing resistant,” Sounil Yu, CISO and head of research at JupiterOne, said via email.

Advanced controls such as a device certificate that validates access on an authorized device, origin binding and hardware security keys can eliminate forms of phishing seen in other types of MFA, Yu said.

Taking people out of the authentication equation

While phishing-resistant MFA aims to avoid identity-based attacks, it’s important to note nothing in cybersecurity is foolproof. As such, organizations shouldn’t conflate resistance with infallibility. 

“Users will always be a key staple of an organization’s security, but they aren’t the only tool. Organizations that rely on users to prevent phishing attacks will fail,” Corvus Insurance CISO Jason Rebholz said via email.

Recent phishing attacks against Twilio, Cisco, Uber and others were ultimately successful because a human was involved and got duped by threat actors.

“The latest round of phishing attacks strengthens the business case for biometric safeguards, which are more difficult to bypass or manipulate in relation to email or text MFA steps,” said Ron Westfall, senior analyst and research director at Futurum Research. 

The many flavors of phishing-resistant MFA

Phishing-resistant MFA, like many modern cybersecurity practices, falls under the umbrella of zero-trust principles and architecture. 

Digital Identity Guidelines from the National Institute of Standards and Technology establishes three authenticator assurance levels. The highest level, AAL3, requires hardware-based keys with cryptographic protocols.

FIDO2 and WebAuthn authentication via hardware-based keys are among the most commonly cited forms of phishing-resistant MFA under level three.

Both standards aim to replace passwords via strong cryptography tied to an external authenticator such as a USB security key, a device in the user’s possession or credential management APIs. 

However, those outcomes must be configured and only work when the preferred standard for authentication is universally supported.

These more secure protocols require “tokens based solely on what a user has, instead of something they know,” Daniel Thanos, VP and head of Arctic Wolf Labs, said via email.

Other forms of phishing-resistant MFA include browsers that support biometric tokens or physical security keys, and authentication requests that are cryptographically signed and unique to the originating domain.

While authentication standards could be further refined, the reality is many organizations don’t implement MFA at all and this leaves them wide open to data breaches, Thanos said. 

Most organizations are at NIST’s authentication level one (password only), level two (MFA), or a mixture of both, Thanos said.

Every federal agency is required to use phishing-resistant MFA, following guidance from the Cybersecurity and Infrastructure Security Agency and NIST, by fiscal year 2024.

Phishing-resistant MFA doesn’t eliminate phishing, but it significantly increases hurdles for attackers, Rebholz said. 

Therein lies the more realistic goal for cybersecurity at large — every layer of protection could be the barrier that defends an organization against attack.

“Defenders cannot assume the identity system works perfectly at all times,” Peter Firstbrook, research VP at Gartner, said via email. “We have to assume failure and prepare for these types of bypasses, rather than keep searching for the perfect authentication method.”

If you use a computer, you probably already know this: Passwords are failing at protecting users. 

“Passwords as a security strategy are dead,” said David Maynor, senior director of threat intelligence with Cybrary. 

Passwords haven’t worked as a solid security strategy in a long time. Stolen credentials have long been a favorite attack vector for cybercriminals — they can get a lot of mileage out of a single password. 

You don’t have to be a malicious actor to see how easy it is to use a password beyond its intended use. Even advice columnists are getting questions about password sharing and the ability to access multiple accounts without permission. 

The use of passwords, however, is not the problem. It is the lack of protection around passwords themselves that leave them vulnerable.

The National Institute of Standards and Technology (NIST) created standards for password policy. There are password managers that are supposed to break users of their worst habit—reusing passwords.

But passwords continue to be misused, stolen and abused. The policies are there, so why are passwords security’s weak spot?

The NIST password standard

NIST Special Publication 800-63B Digital Identity Guidelines offers best practices for password lifecycle management, as well policy standards for other authentication methods. The guidelines for password management are straightforward: 

• Check passwords against breached password lists
• Block passwords contained in password dictionaries
• Prevent the use of repetitive or incremental passwords
• Disallow context-specific words as passwords
• Increase the length of passwords

Updates to the NIST framework have gotten rid of two old methods of password management: no more requirements to change passwords on a regular basis, which some believe is counterproductive; and no more complex passwords that must include a mix of upper and lower case letters, numbers, and symbols. 

“The NIST password guidelines should be the baseline within the bigger picture of digital identities and authentication lifecycle management,” said Timothy Morris, chief security advisor at Tanium.

NIST frameworks serve as a baseline for overall cybersecurity systems for many organizations. The guidelines have been downloaded more than 1.7 million times and 16 sectors within the critical infrastructure rely on the framework.

Password managers 

Not having to create new, unique passwords every 90 days is a relief, but the NIST guideline to prevent the use of repetitive passwords is still a burden. It’s impossible to remember dozens of different passwords, and users are often discouraged from writing down their passwords.

The solution for many is to use a password manager. 

“In a corporate environment, password managers not only enhance security but also optimize productivity,” said Teresa Rothaar, governance, risk, and compliance (GRC) analyst at Keeper Security.

Password managers allow IT administrators to control user password practices and enforce policies. 

“Meanwhile, help desk personnel aren’t bogged down with password-reset tickets, and employees aren’t stuck in holding patterns due to lost or forgotten passwords,” Rothaar said.

Password managers are gaining popularity, with 45% of organizations deploying a password management solution, according to a study from LastPass. 

While password managers can help security teams enforce policies, they open the organization to potential threats. Password managers are susceptible to the same types of vulnerabilities and risks as any other type of application, and they have been hacked and data compromised.

Just this year, LastPass suffered multiple cyber incidents, with the most recent announced this summer. 

Organizations using password manager solutions have to recognize potential vulnerabilities and take steps to protect their users. 

“So long as a password manager is zero-knowledge – meaning that even the vendor themselves cannot access the plain-text contents of end-user vaults – there is very little, if any, risk to the company if their password management vendor is breached,” said Rothaar. 

End users can also do their part by securing password vaults with strong master passwords and multifactor authentication (MFA), which dramatically reduces the risk of a breach.

Enforcing password policies

Having policies and having password management solutions can go a long way toward building a strong security program—as long as the policies are used and enforced. 

However, fewer than half, 44%,  of organizations provide their employees with guidance and best practices governing passwords and access management, according to Keeper’s 2022 U.S. Cybersecurity Census Report.

Nearly one-third allow employees to set and manage their own passwords – and admit that employees often share access to passwords.

But organizations are reaching a point of no return with passwords. The NIST framework doesn’t just recommend guidelines for password management, but for a variety of authentication methods, including biometrics and multifactor. 

“Time spent on enhancing password-based authentication is a wasted cost; instead, organizations should get out of password schemes as soon as possible and investigate alternatives,” said Maynor. 

Its time to recognize that password strategies are artifacts from a time before the world became digitally reliant. Password policies aren’t being enforced, so they aren’t effective in protecting the user.

Organizations should consider moving passwords into the background and look at other options designed to keep users, their identities and their data, more secure.

Business administrators that entrusted LastPass with their organization’s login credentials have some work to do to regain a defensive posture.

A monthslong cyberattack compromised most of the highly sensitive customer account data held by the password manager, with the exception of users’ master passwords, which LastPass said it doesn’t store or maintain. 

The exposure is broad and potentially ruinous for organizations that don’t take additional steps to protect against unauthorized enterprise account access.

Business administrators need to assess their organization’s risk across multiple components and heed the recommendations LastPass said it shared last week in a security bulletin with about 100,000 business customers.

Here’s the most high-level actions LastPass shared with its business customers in a top-down order to prioritize response (advice for individual customers can be viewed here):

Master Passwords

Usernames and master passwords, which create a unique encryption key, should be at least 12 characters long, according to LastPass. The longer the master password the better, particularly when all available character sets are used.

“Remember that length wins over complexity,” LastPass said.

Administrators should set policies that require:  

• A minimum character length
• Minimum character sets
• A change when reuse is detected
• And prohibit the use of previously used passwords

Security reporting in the admin console will identify users relying on weak or reused passwords, and organizations should consider forcing those users to reset their master passwords, LastPass said.

Critical credentials saved in shared folders accessed by users relying on a low iteration account, the number of rounds performed during the client-side encryption process, must be rotated. Businesses should set the recommended minimum of 600,000 iterations for all users.

LastPass said it will soon require all personal accounts to meet this standard and will notify business administrators before the change occurs.

Super admins

Users with privileged access —  super admin — should always maintain exceptionally strong master passwords and a high iteration count. Identify super admins using a weak password and rotate all critical credentials.

These accounts should only be set up for “break glass” situations that require special access and at least one super admin should maintain non-federated access.

Shared secrets

Businesses need to reset MFA secrets for all non-federated users who have enabled MFA access to their vaults and use authenticators from LastPass, Google, Microsoft or Grid.

This process will require users to login, verify location and go through the reenrollment process for MFA apps.

LastPass encourages users of Duo Security, Symantec VIP, RSA SecurID and SecureAuth to regenerate the shared secret for each MFA instance and enter the shared secret into the respective MFA app configuration in the admin console.

SIEM Splunk integration

Customers that use the SIEM Splunk integration must reset their instance token. LastPass said it will invalidate these tokens for all customers that don’t take this action on April 30.

Unencrypted data exposure

Businesses should run security reports in the admin console to see all URLs that might have been exposed, and communicate to employees the risk this poses for credential stuffing, phishing and social engineering attacks.

What else?

LastPass encourages businesses to run a weak security report to identify users with a weak security score and prompt those users to change those passwords in their vault. Administrators should also enable the control dark web monitoring policy.

Business customers should conduct an ongoing risk assessment and governance of shared folders, especially those containing sensitive access information for third-party services.

These folders should only be shared with users that have strong master passwords, high iteration counts and require specific access on the principle of least privilege.

Multifactor authentication is widely regarded as a must-have among cybersecurity professionals and authorities, but it’s not always a quick fix.

Threat actors can still evade and even exploit MFA via phishing or social engineering attacks, as evidenced by the persistent and widespread text-message phishing campaign dubbed Oktapus or Scatter Swine.

Technology companies, telecommunications providers and organizations or individuals linked to cryptocurrency have been targeted since the attacks began in March. The adversary compromised almost 10,000 user credentials across 136 organizations, according to Group-IB, sometimes targeting employees at specific companies once access was gained directly or via third-party vendors.

MFA was weaponized by cybercriminals with social engineering attacks that duped employees into sharing credentials.

“Ultimately, MFA is one small piece of a larger strategy. Relying on MFA alone will not protect your organization from all attacks,” Allie Mellen, senior analyst at Forrester, said via email.

The problem isn’t so much MFA, but rather how organizations implement it. The protective measures of MFA are weakened when organizations fail to buttress it with compensating protective controls and processes.

“Organizations who’ve invested in MFA haven’t always made corresponding investments in better identity proofing and affirmation to provide appropriate levels of trust,” Ant Allan, VP analyst at Gartner, said via email.

Too often organizations follow a “check-box compliance mindset,” assuming the mere application of MFA will meet enough of their needs without considering additional configuration best practices or the enrollment and recovery processes, Allan said.

Federal guidance sets levels of assurance

While sophisticated tactics can improve adversaries’ chances of breaching an intended target, even when MFA is enabled, federal authorities continue to push for broad MFA usage.

The Cybersecurity and Infrastructure Security Agency in June kicked off a “More Than a Password” social media campaign to urge MFA adoption, asserting the increased security afforded by MFA makes organizations and individuals 99% less likely to get hacked. 

Likewise, the National Institute of Standards and Technology advises all organizations to use MFA whenever possible. The agency’s “Digital Identity Guidelines” establishes different categories of MFA controls to delineate between various levels of identity assurance:

• Level one includes authenticators bound to a subscriber’s account
• Level two introduces cryptographic techniques
• Level three requires physical keys with cryptographic protocols

Password vulnerabilities can contribute to the weakness of MFA because organizations, in most cases, implement what Allan describes as +1FA wherein they add an additional third-party factor to the password. 

“Shifting to passwordless MFA can mitigate those vulnerabilities, but some kinds of phishing, broadly defined, might still be effective,” he said.

Additional layers of defense

Organizations can and should strengthen MFA by combining its use with policy enforcement, training, email security, location awareness, and identity threat detection and response, according to analysts.

“While MFA is a necessary first step, investment in advanced analytics will provide more flexibility and resilience,” Allan said. This approach can help organizations “maximize justified confidence in claimed identities without putting a burden on the user — adding friction only when risk demands it.”

Organizations should also consider transitioning away from authentication codes transmitted via text message.

“Ideally, organizations will move to authentication apps, which provide a better experience for end users and ensure a closed system for authentication that is not reliant on a third party like [text messaging],” Mellen said. 

Despite cyberattacks that have engulfed many technology companies of late, Mellen and Allan said organizations shouldn’t hesitate to use MFA.

“Locks can be picked, and doors jimmied, but would you leave your house without locking the front door?” Allan said. “MFA is a best practice” that significantly reduces the risk of account takeover.

GitHub will begin the rollout of a long-anticipated security upgrade, which requires all developers who contribute code on GitHub.com to enable two-factor authentication to access the platform before the end of 2023.

GitHub in March will begin notifying small groups of developers and administrators via email in order to allow time for adjustments. After the initial period, GitHub will scale the rollout into larger groups over the course of the year. 

The security upgrade is designed to offer more robust protection for developers who have been frequent targets of malicious cyber campaigns.

“Securing the software supply chain starts with the developer, and our 2FA initiative is part of a platform-wide effort to secure software development by improving account security,” Hirsch Singhal, staff product manager at GitHub, said via email.

GitHub users who are selected for enrollment will get a prompt after 28 days asking them to perform 2FA and confirm second-factor settings. 

GitHub previously announced the 2FA authentication plan for developers in May 2022, about six months after it rolled out enhancements to npm security as a result of npm package takeovers. GitHub made security changes to require maintainers of more than 1 million weekly downloads or more than 500 dependents to enable 2FA. 

As of May 2022, more than 83 million developers were on the platform, according to GitHub. About 20% of active users have enabled 2FA, according to Singhal. Millions of developers are expected to enable 2FA this year. 

Accounts will have a total of 45 days to configure 2FA and users will be notified when their deadline is pending. Users will be able to snooze notifications for up to seven days, however after that they will have only limited access to accounts. 

Users will have multiple options for 2FA, and can simultaneously use an authenticator app (TOTP) as well as an SMS number registered on their accounts. GitHub recommends security keys along with the TOTP app rather than SMS, as SMS has been found to be less secure. 

SMS is no longer recommended as an authentication method under NIST-800-63B guidelines. 

GitHub said is internally testing passkeys, which offer a combination of ease of use with resistance to phishing. 

Rival GitLab does not require 2FA, but is strongly recommended, according to Wayne Haber, director, engineering. Despite the lack of a mandate, users may be prompted to enter an emailed code that GitLab generates based on risk assessment in addition to entering username and password.  

GitLab has more than 30 million registered users.