By Ori Arbel, CTO, CYREBRO
Multi-factor authentication (MFA) has become the authentication standard for nearly all types of businesses – from banks to bicycle rentals and everything in between. Yet, as with many security controls, the more prevalent MFA becomes, the more attractive a target it becomes. Today, MFA is increasingly under attack, raising the question: Has MFA had its day? Is it time to adopt a more secure login scheme, or is MFA still viable?
2FA and MFA: A Brief History
The predecessor of MFA, two-factor authentication (2FA), has been around – believe it or not – since 1986, when Security Dynamics (later RSA) introduced the SecurID code-generating key fob. Throughout the 1990s, it found mostly niche use. Even in the first decade or so of the new millennium, only a limited number of security-conscious organizations used 2FA schemes – usually a hardware token that displayed a time-based one-time code, entered alongside a password or PIN to validate user logins. Although the systems themselves were fairly reliable and secure, users found the solution burdensome and annoying. Code-generating tokens were frequently lost – forcing users to call a help desk to have IT circumvent the security system, which negatively impacted productivity. To top it off, token-based systems were expensive to purchase and operate.
Only once smartphones went mainstream did 2FA/MFA start taking off. Suddenly, nearly everyone had a surrogate token system (a smartphone) in their pocket or purse. Users could easily receive authentication codes via SMS or email, making MFA far more palatable. Then, as hacks and breaches started to not only affect millions but also grab headlines, MFA slowly moved mainstream – bringing us to the point where today it’s so mainstream that it’s squarely in the crosshairs of high-powered threat actors.
What is MFA Fatigue?
Like any security paradigm, MFA is not foolproof. Armed with stolen credentials, threat actors can get around MFA by hijacking the phone number that receives SMS codes (SIM swapping), by stealing the authenticated session cookie after a legitimate user logs in, and – most notably – via social engineering techniques.
One of the most common types of social engineering MFA attacks is the MFA fatigue attack. The incidence of these attacks is rising sharply, as users continue to fall victim to login approval requests they never initiated.
When leveraging MFA fatigue, threat actors first obtain the user's credentials – via phishing or, frequently, by buying them on the Dark Web. Then they attempt to log in repeatedly, bombarding the user with MFA push notifications in the hope that one of them gets approved. According to research by Microsoft, 1% of users will accept an approval request like this on the first try. Others eventually approve one simply to make the stream of prompts stop. To bolster these attempts, more sophisticated attackers impersonate a help desk email account, asking the victim to accept the MFA prompt just sent to his or her device.
Whatever the exact methodology, MFA fatigue attacks illustrate a serious weakness in the widely adopted MFA paradigm. The question is: is it a fatal weakness?
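The pattern described above, many push prompts to one account in a short window, most of them denied, and then one approved, is visible in identity-provider sign-in logs if you look for it. The following is an added example of that detection logic (it is not CYREBRO's code or any vendor's API); the log format, event names and sample lines are constructed and simplified, so map your own IdP's event names onto them:

```python
"""Flag MFA push-bombing (MFA fatigue) in sign-in logs.

Added example, not CYREBRO's code or any IdP's API. The log format is a
constructed, simplified one (one JSON object per line, UTC timestamps);
map your identity provider's real event names onto the three below.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

PUSH_SENT = "mfa_push_sent"
PUSH_DENIED = "mfa_push_denied"
PUSH_APPROVED = "mfa_push_approved"

# Constructed sample: "alice" receives six push prompts in under four minutes
# at 02:00, denies five of them and finally approves the sixth; "bob" is an
# ordinary sign-in with a single prompt.
SAMPLE_LOG = """\
{"ts": "2023-03-01T02:11:04Z", "user": "alice", "event": "mfa_push_sent",     "src_ip": "203.0.113.7"}
{"ts": "2023-03-01T02:11:20Z", "user": "alice", "event": "mfa_push_denied",   "src_ip": "203.0.113.7"}
{"ts": "2023-03-01T02:11:45Z", "user": "alice", "event": "mfa_push_sent",     "src_ip": "203.0.113.7"}
{"ts": "2023-03-01T02:12:01Z", "user": "alice", "event": "mfa_push_denied",   "src_ip": "203.0.113.7"}
{"ts": "2023-03-01T02:12:30Z", "user": "alice", "event": "mfa_push_sent",     "src_ip": "203.0.113.7"}
{"ts": "2023-03-01T02:12:44Z", "user": "alice", "event": "mfa_push_denied",   "src_ip": "203.0.113.7"}
{"ts": "2023-03-01T02:13:10Z", "user": "alice", "event": "mfa_push_sent",     "src_ip": "203.0.113.7"}
{"ts": "2023-03-01T02:13:25Z", "user": "alice", "event": "mfa_push_denied",   "src_ip": "203.0.113.7"}
{"ts": "2023-03-01T02:14:00Z", "user": "alice", "event": "mfa_push_sent",     "src_ip": "203.0.113.7"}
{"ts": "2023-03-01T02:14:18Z", "user": "alice", "event": "mfa_push_denied",   "src_ip": "203.0.113.7"}
{"ts": "2023-03-01T02:14:50Z", "user": "alice", "event": "mfa_push_sent",     "src_ip": "203.0.113.7"}
{"ts": "2023-03-01T02:15:12Z", "user": "alice", "event": "mfa_push_approved", "src_ip": "203.0.113.7"}
{"ts": "2023-03-01T09:00:00Z", "user": "bob",   "event": "mfa_push_sent",     "src_ip": "198.51.100.4"}
{"ts": "2023-03-01T09:00:09Z", "user": "bob",   "event": "mfa_push_approved", "src_ip": "198.51.100.4"}
"""


def parse_log(text):
    """Parse the constructed one-JSON-object-per-line format into time-sorted events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_push_bombing(events, threshold=4, window=timedelta(minutes=10)):
    """Return one alert per user who received at least `threshold` push prompts
    inside any span of length `window`. Severity is 'critical' when a prompt was
    approved during or shortly after the burst (the victim gave in) and 'high'
    otherwise (an attempt, which still means the password is probably known)."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        sent = [e for e in evs if e["event"] == PUSH_SENT]
        best = None  # (count, first_idx, last_idx) of the densest window of prompts
        start = 0
        for i, e in enumerate(sent):
            while e["ts"] - sent[start]["ts"] > window:   # slide the window forward
                start += 1
            count = i - start + 1
            if best is None or count > best[0]:
                best = (count, start, i)
        if best is None or best[0] < threshold:
            continue
        count, first, last = best
        burst_start, burst_end = sent[first]["ts"], sent[last]["ts"]
        in_scope = lambda e: burst_start <= e["ts"] <= burst_end + window
        denied = sum(1 for e in evs if e["event"] == PUSH_DENIED and in_scope(e))
        approved = any(e["event"] == PUSH_APPROVED and in_scope(e) for e in evs)
        alerts.append({
            "user": user,
            "prompts": count,
            "denied": denied,
            "approved_after_burst": approved,
            "severity": "critical" if approved else "high",
            "burst_start": burst_start.isoformat(),
            "burst_end": burst_end.isoformat(),
            "src_ips": sorted({e["src_ip"] for e in sent[first:last + 1]}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

The threshold and window are tuning knobs: a handful of prompts in ten minutes is rare for a legitimate user, so start strict and widen only if your own baseline demands it. The "high" alerts matter even when nobody approved anything, because a burst of prompts means someone already has a working password and the account should be reset.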
Five Tips to Counter MFA Fatigue Attacks
There are, in fact, numerous ways companies are attempting to counter MFA fatigue attacks. Here are five ideas to consider implementing at your organization:
- Strengthen employee education – As with many social engineering-based attacks, teaching users to recognize, and deny, login prompts they did not initiate is an excellent first line of defense.
- Tighten authentication regimes – Make sure your authentication regime takes into account all known user identity parameters. For example, is the user attempting to log in actually on vacation? Is the ostensible login happening in the middle of the night in their time zone?
- Adopt double authentication – Consider requiring users to first log into a VPN using MFA, then again use MFA to get into the application or resource they require. Alternatively, you can adopt a single sign on (SSO) solution.
- Add number matching to authentication requests – Rather than just confirming a login attempt, require users to type into the authenticator a two-digit code displayed on the login screen. A threat actor who did not initiate the sign-in is the only one who sees that code, so a victim who did not start the login has nothing to type.
- Add additional context to push notifications – To ensure users understand the origin of a sign-in and lower the chances of accidental approval, add context to push authentication requests. For example, show the sign-in location derived from the source IP so the user can see whether it matches where they actually are. Context can also come from the user's role and the app they are trying to access (e.g. flagging, or outright denying, an HR employee's attempt to open a Finance app).
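Number matching (tip 4) and contextual push prompts (tip 5) are two halves of the same server-side flow: the number goes only to the login screen, the context goes only to the push, and the approval is accepted only if the two meet. The following is an added example of that flow (not CYREBRO's code and not Microsoft's implementation); the class, method and field names are illustrative assumptions, and the challenge store is in memory. One caveat worth keeping in mind: number matching defeats accidental and fatigue approvals, but not a victim who reads the number out of an attacker's "help desk" email.

```python
"""Server side of a number-matching push approval with contextual prompts.

Added example, not CYREBRO's code or Microsoft's implementation. Names are
illustrative assumptions and the challenge store is an in-memory dict.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class PushChallenge:
    challenge_id: str
    user: str
    number: int      # displayed only on the login screen that started the sign-in
    context: dict    # displayed in the push, so the user sees what they are approving
    issued_at: float
    state: str = "pending"   # pending | approved | denied | expired


class NumberMatchingMFA:
    TTL_SECONDS = 60   # an unanswered prompt goes stale; the attacker cannot keep it warm

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested deterministically
        self._challenges = {}

    def start_login(self, user, src_ip, geo, app):
        """Called after the password check passes. Returns the challenge id, the
        number to show on the login screen, and the context to put in the push."""
        ch = PushChallenge(
            challenge_id=secrets.token_hex(8),
            user=user,
            number=secrets.randbelow(100),          # 00..99, as on the login screen
            context={"src_ip": src_ip, "location": geo, "app": app},
            issued_at=self._now(),
        )
        self._challenges[ch.challenge_id] = ch
        # The push carries ch.context but never ch.number: only whoever is
        # looking at the login screen can know the number.
        return ch.challenge_id, ch.number, dict(ch.context)

    def approve(self, challenge_id, number_entered):
        """Called when the authenticator app submits the number the user typed."""
        ch = self._challenges.get(challenge_id)
        if ch is None or ch.state != "pending":
            return False                          # unknown, already used, or already burned
        if self._now() - ch.issued_at > self.TTL_SECONDS:
            ch.state = "expired"
            return False
        if number_entered != ch.number:
            # A wrong entry ends this challenge instead of leaving it open for
            # another try, so the user is not re-prompted on the same attempt.
            ch.state = "denied"
            return False
        ch.state = "approved"
        return True

    def status(self, challenge_id):
        ch = self._challenges.get(challenge_id)
        return ch.state if ch else "unknown"


if __name__ == "__main__":
    mfa = NumberMatchingMFA()
    # An attacker holding alice's stolen password starts a sign-in: the number
    # lands on the attacker's screen, the push (with context) lands on alice's phone.
    cid, number_on_attacker_screen, push = mfa.start_login(
        "alice", "203.0.113.7", "Lagos, NG", "Finance portal")
    print("push shown to alice:", push)
    # Alice cannot know the number; whatever she types denies the attempt.
    guess = (number_on_attacker_screen + 1) % 100
    print("approve with wrong number:", mfa.approve(cid, guess), "->", mfa.status(cid))
    # Even the right number no longer works on a burned challenge.
    print("retry with right number:", mfa.approve(cid, number_on_attacker_screen))
    # Alice's own sign-in: she sees the number on her own screen and types it.
    cid2, number2, _ = mfa.start_login("alice", "198.51.100.4", "Tel Aviv, IL", "Finance portal")
    print("legitimate approval:", mfa.approve(cid2, number2))
```

The context dictionary is what tip 5 asks for: the location and the application name are rendered in the push itself, so a user in Tel Aviv seeing "Lagos, NG" and an app they never use has a concrete reason to deny rather than a vague prompt to approve.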
MFA: Not Dead Yet
MFA is still alive and kicking, but it’s not a silver bullet. By implementing some or all of the additional MFA layers of security listed above, companies can extend the lifespan of their MFA security schemes – and the ROI of the systems supporting them.
However, forward-looking security professionals already have their eyes on the next generation of authentication technology. More resistant to phishing and prompt-based attacks than code- or push-based MFA, passwordless authentication enables users to seamlessly log into systems or services without entering a password or any other knowledge-based secret.
Usually built on the FIDO2 standard, which comprises the Web Authentication (WebAuthn) and Client-to-Authenticator Protocol (CTAP) specifications, passwordless login already has several implementations, including Windows Hello (biometrics or a device PIN) and Microsoft Authenticator (an application).
That said, MFA will be with us for the foreseeable future. MFA has had its day…but that day is not quite over yet.
About the Author
Ori is CYREBRO's CTO, coming from a strong technical cybersecurity background, specifically with years of operating and managing global monitoring and investigation teams. He brings in-depth working knowledge of cutting-edge cybersecurity platforms and innovative technologies. Ori can be reached online at LinkedIn and at CYREBRO's website http://www.cyrebro.io.