Multifactor authentication is not all it’s cracked up to be
The recent spate of phishing attacks against identity-based authentication shows the extent to which MFA defenses can crumble, even under unsophisticated tactics.
Cybersecurity professionals and authorities resoundingly agree MFA in any form is better than single-factor authentication, such as a username and password combo, but its strength resides on many variables, most of which are unattended to or unmet.
Configurations that depend on email, text messages or unmanaged devices that might contain malware create weaker methods of authentication.
“As we have seen, cyber predators have found MFA workarounds,” said Ron Westfall, senior analyst and research director at Futurum Research. Too many organizations limit their use of MFA with these methods when stronger MFA controls can be achieved with cryptographic techniques, authentication apps and physical keys, he said.
MFA isn’t a panacea for cyber woes — just ask some purveyors of MFA services that have been targeted and beaten at their own game.
“MFA has been universally accepted as a secure design inclusion, and even before these types of attacks became common, the idea that MFA will solve authentication security forever without introducing other unknown risks is an illogical one,” Casey Ellis, founder and CTO at Bugcrowd, said via email.
Twilio’s widely-used two-factor authentication service was compromised in August after multiple employees were duped into providing their credentials to threat actors.
The attack, part of a larger campaign that compromised at least 10,000 user credentials, spread to 163 Twilio customers, including Okta and Signal, and traveled downstream to many of their respective users’ credentials.
MFA wasn’t enough to stop attacks against Cisco or Uber, either.
MFA in its assorted schemes
The most broadly adopted systems of MFA rely on human behavior, which opens organizations to multiple paths for attack.
Text messages, email, and one-time passwords are susceptible to adversary-in-the-middle attacks that allow threat actors to bypass MFA.
“Many organizations and users rely on phone numbers as digital identity devices for which they are not purpose-designed,” Westfall said.
“In the event of a stolen or compromised smartphone or device, an attacker can transfer the phone number and key data to themselves or a collaborator to receive the authentication requests — an avoid at all costs scenario,” Westfall said.
Email- and text-based MFA should only be used when no alternatives are available, Jason Rebholz, CISO at Corvus Insurance, said via email.
“Not all forms of MFA are created equal,” Rebholz said. “The reality is that most MFA implementations do rely on human behavior and decision making. Hackers exploit this with new techniques like MFA prompt bombing, which aims to annoy the user into clicking ‘approve’ to make the prompts stop.”
Factors that increase MFA vulnerabilities
Human involvement, the first and foremost factor that imposes additional vulnerabilities on MFA, is often unavoidable.
“It can be argued in today’s threat landscape that while having any form of MFA is better than no MFA, text message and email-based MFA is considered broken,” Daniel Thanos, VP of Arctic Wolf Labs, said via email.
“These methods of MFA are vulnerable to exploitation of human behavior. And while they do make it more difficult for a threat actor to compromise an account, they can be bypassed via MFA fatigue and SIM-swapping techniques,” Thanos said.
It’s not so much that MFA is too reliant on human behavior, but rather that most forms of authentication inherently involve a human.
“Without the human, MFA wouldn’t have context to exist in the first place,” Ellis said.
Ultimately, MFA is only as strong as the weakest link in the supply chain and the resilience of each individual using it.
For example, “it would be somewhat pointless to use email-based MFA if your email itself does not have MFA,” Sounil Yu, CISO and head of research at JupiterOne, said via email.
MFA creates one barrier in the way of threat actors, but organizations that overburden this layer of defense can and will be reminded of its shortcomings the hard way.
“Every security innovation is eventually bypassed. MFA ups the game for attackers and makes it harder, but security is never done,” said Peter Firstbrook, research VP at Gartner. “We have to assume failure and prepare for these types of bypasses, rather than keep searching for the perfect authentication method.”