MFA Fatigue
The Shift to Phishing Resistant Authentication
It’s long been widely known that in the real world passwords alone are not a great way to authenticate users. Some people pick simple passwords that can easily be guessed. Others will re-use their company password for their login to a random quiz website run by a teenager in their spare time. Finally, even in a a well-trained workforce, 5% of users will happily enter provide their password to an attacker when prompted by a well written phishing email.
Time and time again, history has told us it is not realistic to expect users to remember great passwords, that are unique to every site and to be able to forensically examine every login page they are presented with.
This is where Multi-Factor Authentication (MFA) comes in as a critical line of defense. MFA requires users to provide two or more verification factors to gain access to a resource such as an application or online account, making it significantly harder for attackers to breach systems. Despite its importance, the increasing prevalence of MFA has forced criminals to exploit vulnerabilities in less robust MFA methods, highlighting the need for more resilient solutions.
Types of MFA
There are several types of MFA, including:
- SMS-based OTP (One-Time Passwords): A code sent to the user’s phone via SMS.
- Email-based OTP: A code sent to the user’s email.
- Authenticator Apps: Apps like Google Authenticator or Microsoft Authenticator generate a time-based OTP, or hardware equivalents.
- Push Notifications: A notification sent to a user’s device for approval.
- Hardware Tokens: Physical devices that use cryptographic keys on the device combined with physical interaction (such as a touch) or biometric data like facial recognition or fingerprints).
The Threats
Limitations of One-Time-Passcodes
While One-Time Passwords offer improved security over passwords alone, they are not foolproof. OTPs sent via E-Mail or SMS can often be intercepted, with and time-based OTPs can be phished much like passwords, albeit with a time restriction. Attackers have adapted their methods to exploit these vulnerabilities, making it imperative to consider more robust MFA solutions.
Push Notification Spamming: A Growing Threat
Push notifications to an app, such as Microsoft Authenticator, are one of the better MFA mechanisms. However, they are not without their limitations. A recent incident involving the Los Angeles County Department of Public Health highlights one of the vulnerabilities in push notification-based MFA. In this case, attackers inundated an employee with fraudulently generated MFA approval requests. This tactic, known as “push notification spamming,” relies on overwhelming the user until they inadvertently approve a fraudulent request, thus granting the attacker access to the system.
Phishing-Resistant MFA Solutions
To counteract these evolving threats, organisations should consider implementing phishing-resistant MFA solutions, such as:
- PassKeys: A secure and user-friendly method that eliminates the need for passwords and OTPs.
- Hardware Keys (e.g., YubiKey): Physical devices that provide strong authentication by connecting via USB or NFC.
- Windows Hello: A biometric authentication method that uses facial recognition or fingerprint scanning in combination with a TPM chip in your laptop.
All of these methods use public-key cryptography and digital signatures to ensure two things: That the secret key is never sent to the website; and that only requests from the legitimate website are “signed”. Together these ensure that fake websites can never receive legitimate credentials and that event he website operator does not have the secret key necessary to forge the user’s signature to pretend to be them.
Moving Forward
Transitioning to more robust MFA solutions can significantly enhance an organization’s security posture, particularly for high-risk accounts such as those of administrators or company executives. Initiating a proof of concept (POC) with these advanced MFA options can help identify the best fit for your environment.
If your organization needs assistance, our Cloud Security reviews can provide a thorough check-up of your current configuration and help you implement the most effective MFA strategies. Don’t wait for a breach to expose your vulnerabilities—proactively fortify your defences with phishing-resistant MFA.
Read More:
