Amplifying the effectiveness of Multi-Factor Authentication
In the early days of computing, authentication was simple, but the approach grew in sophistication over time. Modern password-based systems such as Kerberos, for example, no longer send the password over the network at all: the client proves knowledge of a key derived from the password, and from then on presents time-limited tickets rather than the password itself.
But even with these enhancements, username-and-password authentication has a fundamental weakness: anyone who learns a user's password is indistinguishable from that user. And although Bill Gates predicted the death of the password nearly 20 years ago, passwords remain the default method of authentication for a wide range of services at work and at home.
In December 2022, PayPal confirmed that unauthorized third parties had accessed a number of customer accounts, and it later warned the affected customers that their personal information may have been exposed. The incident immediately raised questions about PayPal's basic security provisions, not least why Multi-Factor Authentication (MFA) was not enforced by default for a service as sensitive as PayPal.
In incidents like this the root cause is usually password reuse: account holders use the same ID/password combination on many sites, so credentials leaked from one site can simply be replayed against another (credential stuffing). According to a recent One Identity survey, 84 percent of respondents said they had a favorite password. Password spraying, trying a handful of common passwords against many accounts, exploits the same weakness from the other direction: Microsoft's VP of Identity Security Alex Weinert, in his keynote at The Experts Conference (TEC) 2022, reported that password spraying attacks increased from 350K in 2018 to over 5 million in 2022. He also noted that the probability of compromise is more than 20 times higher when MFA is not enabled. Neither attack has to defeat anything beyond the password, which is exactly the gap a second factor closes.
Thus, MFA is becoming a crucial component of cybersecurity strategy, benefiting both organizations and their users by addressing key weaknesses of username-and-password authentication.
With Microsoft revising its own MFA recommendations and about to turn on a new verification method, number matching, by default, enforcing MFA for at-risk users is becoming essential and is strongly advised by industry leaders.
Using number matching
According to the US Cybersecurity and Infrastructure Security Agency (CISA), number matching is the best interim mitigation for organizations that cannot immediately implement phishing-resistant MFA. Instead of simply tapping Approve on a push notification, the user must type the number shown on the sign-in screen into their authenticator app. A prompt the user did not initiate therefore cannot be completed by reflex: the number is on the attacker's screen, not the user's. In a fact sheet, CISA advises using number matching as an additional protection for cloud applications. Several vendors already include number matching in their MFA implementations, and while Microsoft is not mandating it at the time of writing, it has announced that it will begin enforcing number matching in Microsoft Authenticator on February 27, 2023.
In addition to number matching, administrators should periodically review the audit logs and failed MFA attempts, and encourage staff to report unusual MFA prompts, especially prompts they did not initiate or that arrive at odd times, so that forensic staff can review them.
MFA fatigue, and other attack vectors such as phishing, should always be kept in mind, and organizations should follow CISA's recommendation to move to phishing-resistant MFA for better protection.
Phishing-resistant MFA implementations
There are many variations of multifactor authentication, but almost all of them share a weakness: the user has to relay something, a one-time code or an approval, and whatever a user can relay to the legitimate site can be relayed to a phishing site. A phishing page that proxies the real login captures the password and the code or push approval in real time and uses them before they expire, and the legitimate server cannot tell the difference.
The answer to the most problematic forms of MFA is phishing-resistant MFA, which CISA calls the gold standard. It takes the human out of the role of deciding whether a login is genuine: the authenticator itself refuses to work for the wrong site.
The most widely available phishing-resistant authentication is FIDO/WebAuthn, supported by major browsers, operating systems and smartphones; CISA's other phishing-resistant option is PKI-based authentication such as smart cards. With FIDO/WebAuthn, the credential is a public/private key pair generated for one specific site. The private key never leaves the authenticator, whether that is a USB security key, another device in the user's possession, or the platform authenticator exposed through the browser's credential management API, and the browser only offers the credential to the site it was registered for. Each login is a signature over a fresh server challenge and the page's origin, so there is no shared code for an attacker to intercept and replay, and a signature obtained on a look-alike domain is worthless to the real site.
Of course, cost and budget must be considered: rolling out hardware security keys takes time, and each user should register more than one authenticator so that a lost key does not lock them out. Physical keys also have to be remembered and carried, whereas a phone is something most of us already keep at hand. Companies should think about what helps users keep keys within reach, for example keyring form factors, or allowing the platform authenticator built into a managed laptop or phone where the application supports it.
Spoof Proof
On the positive side, phishing-resistant MFA ensures that the second factor cannot be captured by a spoofed site. Before implementing it, companies need to check whether the applications they wish to protect support these stronger authenticators. Some do not, and will only work with app-based codes or push approvals.
There may also be a learning curve and implementation time, which could mean using app-based MFA as a temporary measure so that some protection is in place, and then deploying the security-key approach later for additional protection.
There's no question that multifactor authentication benefits organizations and users by dramatically strengthening security. But requiring MFA for everyone all the time is pretty much guaranteed to frustrate users and hurt productivity. It's important to take a balanced approach.
MFA is best understood as one aspect of your organization's broader security strategy. Many experts now recommend developing a security strategy based on Zero Trust principles and using tools like Azure AD Conditional Access, which gives you a lot of flexibility to apply MFA judiciously: requiring it for administrators, for risky sign-ins and for access from unmanaged devices, for instance, while not re-prompting users on compliant devices.
With cyberattack numbers continuing to soar, and one report finding that 20 percent of firms say a cyberattack threatened their solvency, implementing MFA is a vital step in protecting the business and the company's reputation against cyberthreats. It is not a panacea for every vulnerability, but it is a necessary step in threat mitigation.
Alistair Holmes is Principal Solutions Architect, Quest Software