Facts and Fallacies of Multi Factor Authentication
Adam Shebani – 09/10/2022
Multi-Factor Authentication (MFA) has been widely adopted over the years as a means of strengthening the authentication process for all sorts of systems. It has become something of a must-have control for organisations wanting to claim a robust security posture, and especially for those seeking compliance with information security standards such as ISO 27001 and Cyber Essentials.
However, it has been demonstrated time and again that MFA can be circumvented even when it is in place. The recent attack on Uber is a convincing example. The attack itself is not the topic of this post, but it serves as a reminder that an authentication process that mandates MFA from its users is not impenetrable.
In this post we compare the most common and prominent MFA methods, with a focus on their use within organisations' internal infrastructure, as that is where the impact of a bypass can be most damaging.
Authentication has been a challenge since the dawn of the internet, and one that needs a realistic solution. Being realistic means assessing the weaknesses of candidate solutions as well as their strengths. There are several avenues by which malicious actors can obtain a user's password (social engineering, brute-force attacks, reuse of passwords leaked from other breaches, etc.). MFA originally sought to provide an extra layer of protection for the case in which a user's username/email/password combination is already known to an attacker.
Prequel and Context
Before delving into the comparison, a few important points are worth making:
- It is better to have any form of MFA than no MFA at all. The premise of MFA is that a malicious actor will find it harder (to varying extents) to supply multiple required authentication factors in order to impersonate a user.
- Healthy management of MFA is just as important as its deployment, if not more so. Continuous monitoring of authentication attempts, both successful and unsuccessful, can be the reason an attack is prevented or at least contained: a burst of push prompts, a run of failed one-time codes or an approval at 3 a.m. from a new location all show up in the logs before the compromise does.
- Locking an account after multiple unsuccessful authentication requests can also be an effective measure against adversaries. Bear in mind that lockout is a lever an attacker can pull too (to deny service to legitimate users), so it should come with alerting and a sensible unlock process rather than be left to run silently.
- Sometimes business requirements necessitate a way to bypass MFA in certain scenarios (e.g. when a user's MFA device is lost). It is of the utmost importance to pay very close attention to how such instances are handled. If, for example, the identity verification of whoever requests the bypass is weak, then the MFA is rendered useless; the help desk has become the weakest factor.
- To fully reap the rewards of MFA, users of MFA-enabled systems need to be aware of the threats that come with being such users, and of how to handle them when encountered, because they are the targets malicious actors will attempt to compromise, as we will see later in this post.
- Needless to say, security is not solved by one 'trick'. It is unwise to rely on one (or a few) technical controls and expect to stand a chance against a determined adversary. MFA is only one of several steps in the right direction.
Phone Call / SMS Based
These are probably the most common forms of MFA today: users are prompted to enter a one-time code that is delivered to their registered phone number by voice call or SMS. This has the advantage that users are more than likely already carrying their mobile phones, so no extra equipment needs to be distributed and no extra software needs to be installed on users' devices. The setup process is extremely easy for most people and is offered as standard by companies such as Google.
There are, however, some usability inconveniences with these methods. Poor mobile signal coverage, dead batteries and faulty or broken phones can get in the way of legitimate needs to authenticate to services.
From a security perspective, this MFA method is susceptible to a number of attacks. Social engineering is usually the attacker's go-to for acquiring authentication codes from victims. A prevalent theme is contacting victims directly while impersonating IT personnel and asking for the code in order to fix some sort of 'error'.
Another common example is a more traditional phishing attack using a spoofed website built to capture MFA codes. Since an SMS code typically remains valid for several minutes, the attacker simply relays the captured code to the real site before it expires. For larger campaigns this approach is often more than sufficient to acquire victims' credentials along with their MFA codes, given that phishing attacks scale easily and can target large numbers of users without much extra effort from the attackers.
Other attack vectors include SIM cloning and SIM swapping. Both aim to receive the victim's calls and text messages, but they achieve this in different ways. SIM cloning requires physical access to the victim's SIM card in order to copy it, whereas SIM swapping involves convincing representatives of the mobile phone service provider to transfer the victim's number to a SIM card the attacker controls. These are less common than phishing but nevertheless valid threats to consider.
Microsoft posted earlier this year about a “large-scale social engineering and extortion campaign” led by a group known as DEV-0537 (also known as LAPSUS$) which their security teams had investigated. The report mentions that “Their tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organisations; paying employees, suppliers, or business partners of target organisations for access to credentials and multi factor authentication approval; and intruding in the ongoing crisis-communication calls of their targets.”.
Push Notifications
Push notifications are a communication method used throughout organisations for different purposes, whereby a server sends a 'push' message to its clients to inform them of an event. In the context of MFA, the server is an authentication portal and the client is (commonly but not necessarily) an application on the user's mobile phone. When someone logs in to the portal with valid credentials, the server sends a request to approve that login as the second factor, and the user either approves or denies it.
Similar to the previous method, this benefits from not requiring extra equipment, although an application may need to be installed depending on the services and devices used. To set up, all the user needs to do is sign in to the relevant service from their trusted mobile device.
At first glance this form of MFA seems convenient usability-wise, but it is precisely that convenience that makes users who depend on it susceptible to compromise. An attacker who has obtained a target's login credentials can execute what is known as MFA prompt bombing (or MFA fatigue): repeatedly triggering the login approval request until the target is pressured into hitting 'Approve' just to make the notifications stop. The actor who compromised Uber last month leveraged this, coupled with some social engineering, to gain a foothold on Uber's internal infrastructure. Defending against prompt bombing is feasible if approval requests are rate limited correctly (a handful of prompts per user per time window, with the excess logged and alerted on rather than silently dropped) and if approving takes more than a single tap, for example by requiring the user to type a number displayed on the login screen into the app (number matching), which a victim who did not initiate the login cannot do.
There is also the risk of approving a request accidentally, out of reflex or fat-fingering, if all it takes is a press of a button. This risk is mitigated if approval requires local authentication on the user's device (a PIN, biometrics, etc.).
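Two of the controls recommended in this post, monitoring authentication attempts for bursts and rate limiting approval requests, are easy to express in code. The following Go program is an added example written for this post, not code from the original article or from any vendor's product: it parses a constructed push-notification log (the line format, the user names and the timestamps are invented for the example), flags any user who received a burst of prompts, notes whether the burst ended in an approval, and provides a per-user limiter that would have refused to send the later prompts in the first place. The window and threshold values are assumptions to be tuned against real logs.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

type pushEvent struct {
	At     time.Time
	User   string
	Result string // "approved", "denied" or "timeout"
}

// sampleLog is constructed for this example, not taken from a real system:
// alice is bombed in the small hours until she approves; bob is a normal user.
const sampleLog = `2022-09-15T03:14:07Z alice push timeout
2022-09-15T03:14:41Z alice push denied
2022-09-15T03:15:12Z alice push denied
2022-09-15T03:15:50Z alice push timeout
2022-09-15T03:16:30Z alice push denied
2022-09-15T03:17:02Z alice push approved
2022-09-15T08:02:11Z bob push approved`

// parseLog reads "<RFC3339 time> <user> push <result>" lines, oldest first.
func parseLog(raw string) ([]pushEvent, error) {
	var out []pushEvent
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 4 || f[2] != "push" {
			return nil, fmt.Errorf("malformed line: %q", sc.Text())
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		out = append(out, pushEvent{At: at, User: f[1], Result: f[3]})
	}
	return out, sc.Err()
}

// bombReport: prompts in the busiest window, and whether any prompt in the burst was approved.
type bombReport struct {
	Prompts  int
	Approved bool
}

// findBombing flags users with at least threshold prompts inside any sliding
// window, whatever the outcomes: no real user triggers five logins in three minutes.
func findBombing(events []pushEvent, window time.Duration, threshold int) map[string]bombReport {
	byUser := map[string][]pushEvent{}
	for _, e := range events {
		byUser[e.User] = append(byUser[e.User], e)
	}
	flagged := map[string]bombReport{}
	for user, evs := range byUser {
		start := 0
		for i := range evs {
			for evs[i].At.Sub(evs[start].At) > window {
				start++ // slide the window past prompts that are too old
			}
			if n := i - start + 1; n >= threshold {
				r := flagged[user]
				if n > r.Prompts {
					r.Prompts = n
				}
				r.Approved = r.Approved || evs[i].Result == "approved"
				flagged[user] = r
			}
		}
	}
	return flagged
}

// allowPrompt is the preventive control: it refuses a new push when user already has
// limit prompts within window. sent holds each user's prompt times, oldest first,
// and is updated in place. Log every refusal: it is itself evidence of bombing.
func allowPrompt(sent map[string][]time.Time, user string, now time.Time, window time.Duration, limit int) bool {
	recent := sent[user][:0] // filter in place, dropping prompts older than window
	for _, t := range sent[user] {
		if now.Sub(t) < window {
			recent = append(recent, t)
		}
	}
	ok := len(recent) < limit
	if ok {
		recent = append(recent, now)
	}
	sent[user] = recent
	return ok
}

func main() {
	events, err := parseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for user, r := range findBombing(events, 5*time.Minute, 4) {
		fmt.Printf("%s: %d prompts in 5 minutes, approved=%v\n", user, r.Prompts, r.Approved)
	}
}
```

The detector flags on prompt count rather than on denials deliberately: a bombed user who eventually gives in looks, outcome by outcome, like a successful login, and the approval is what needs the incident response. Replaying alice's timestamps through allowPrompt with a limit of three per five minutes refuses the fourth prompt onwards, so the prompt she finally approved would never have been sent.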
Authentication Code Applications
Authentication apps (e.g. Google Authenticator) are another smartphone-based MFA method. During setup the server and the app share a secret seed, usually by scanning a QR code; from then on the app generates Time-based One-Time Passwords (TOTP, RFC 6238) or HMAC-based One-Time Passwords (HOTP, RFC 4226) from that seed, and the server recomputes the expected code to confirm authentication.
This is probably the most secure of the MFA methods that rely on mobile phones. As with the aforementioned methods, social engineering is still an attack vector: a TOTP code stays valid for the remainder of its 30-second step and the app has no idea who it was typed into, so it can be phished and relayed just like an SMS code, only on a tighter clock. Physical access to the user's phone can also lead to compromise, but this is an expected risk of almost all MFA solutions. Most authentication apps provide a means to transfer all the MFA profiles registered in the app by scanning a QR code with another phone; this can be mitigated if the app requires local authentication by the user, such as biometrics or PIN entry, before exporting.
All of the above are mobile-phone-based MFA methods, and in this day and age 'mobile phone' almost always means 'smartphone', a general-purpose computer that is permanently connected to the internet. Organisations need to be aware that smartphones have vulnerabilities too, especially organisations with a BYOD policy, which presents attackers with a wide variety of unmanaged targets to choose from. Bypassing mobile-phone-based MFA becomes trivial once a vulnerability that grants full control of the smartphone has been exploited: incoming SMS messages, push approvals and authenticator seeds are all reachable from the device.
Email Based
Sending the one-time code to the user's registered email address is another widely offered option, and it illustrates a point that is easy to miss: MFA's strength lies in the variety of the authentication factor types, not just their number. Authentication factors are classified as something you know (e.g. a password), something you have (e.g. a mobile phone or a hardware token) or something you are (e.g. biometrics). Access to a user's mailbox is usually guarded by a password, which not only has a poor track record, but is also the same type of factor as the typical first factor: two 'something you know' factors are, in effect, one factor asked for twice.
Of course, the email accounts themselves could be MFA-enabled, but that complicates things for users who are required to sign in frequently. Also bear in mind that many people read their email on their phones, which brings the disadvantages of mobile-phone-based MFA back onto the table. And social engineering still hasn't left the room (we're seeing a common theme here, aren't we?).
Physical Security Keys
Unlike the previously mentioned forms of MFA, this one doesn't involve a mobile phone. Physical security keys come in the form of USB devices, smart cards and wireless (NFC or Bluetooth) tokens, and offer an alternative to relying on smartphones for MFA. This is a broad area, so we will only cover security keys compliant with the FIDO2 specifications; a brief explanation of how they work can be found on the FIDO Alliance's website. Physical security keys can even be used on their own for password-less authentication rather than standing as a second factor.
FIDO2-compliant authentication stands out from other MFA methods when it comes to security. It leverages public-key cryptography: at registration the key generates a key pair dedicated to that service and hands over only the public key; at login it signs a fresh challenge from the server with the private key, which never leaves the device. This holds several advantages. First, it is infeasible for an attacker to guess a user's private key, because it is generated at random rather than chosen within the limits of what a person can memorise. Second, since the private key is never transmitted to the server, an eavesdropper who captures a login sees only a signature over a challenge that will never be issued again, from which the factors needed to authenticate cannot be derived. Third, if an attacker compromises the authentication server's database, all they get their hands on are public keys, which are useless for impersonating anyone.
Furthermore, the FIDO2 specifications incorporate the WebAuthn standard, which is what lets websites use this public-key authentication from within the browser; it is supported by all major browsers, including Chrome, Firefox, Edge and Safari. One very useful property of WebAuthn is that each key pair is bound to a particular domain, the Relying Party Identifier (RP ID): the browser will only offer a credential to a page whose origin falls under that RP ID, and the data the key signs includes a hash of the RP ID while the accompanying client data names the page's origin, both of which the server checks. Phishing with a spoofed website therefore fails, because spoofed sites are in practically all cases hosted on a domain other than their legitimate counterpart, so the key registered for the real domain is never exercised for the fake one, and even a relayed response would not verify.
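The origin and RP ID checks described above are performed by the server (the relying party), so they can be shown end to end. The following Go program is an added example written for this post, not code from the FIDO Alliance or any WebAuthn library: it plays both the security key and the server, runs a genuine login for the assumed relying party example.com served at https://login.example.com, then resubmits the captured assertion against a later challenge, and finally relays a login through an assumed phishing domain, login-example.evil.test. The challenges are fixed strings for the example; a real server draws fresh random bytes per login. Attestation, credential lookup by ID and the signature counter are left out to keep the focus on the binding.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// assertion is what the browser returns from navigator.credentials.get().
type assertion struct {
	AuthData, ClientDataJSON, Signature []byte
}

// signedDigest is what the key signs and the server verifies: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// getAssertion plays the security key. The browser supplies rpID and origin and only allows
// an RP ID matching the page's origin, so a page on another domain cannot obtain a signature
// that carries the legitimate RP ID hash.
func getAssertion(key *ecdsa.PrivateKey, rpID, origin string, challenge []byte) (*assertion, error) {
	rpHash := sha256.Sum256([]byte(rpID))
	// authenticatorData = rpIdHash || flags || signCount; flags 0x01 = user
	// present (UP); the counter is left at zero, which the spec permits.
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0)
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "origin": origin,
		"challenge": base64.RawURLEncoding.EncodeToString(challenge)}) // cannot fail for a string map
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedDigest(authData, cd))
	if err != nil {
		return nil, err
	}
	return &assertion{authData, cd, sig}, nil
}

// relyingParty is the server: its RP ID, the origin it serves, and the public key stored at registration.
type relyingParty struct {
	rpID, origin string
	pubKey       *ecdsa.PublicKey
}

// verify performs the assertion checks in the order the WebAuthn spec lists them;
// issued is the challenge this server generated for this login and no other.
func (rp *relyingParty) verify(a *assertion, issued []byte) error {
	var cd map[string]string
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd["type"] != "webauthn.get" || cd["origin"] != rp.origin {
		return fmt.Errorf("client data from origin %q is not a login to %q", cd["origin"], rp.origin)
	}
	if cd["challenge"] != base64.RawURLEncoding.EncodeToString(issued) {
		return fmt.Errorf("challenge mismatch: replayed or stale assertion")
	}
	want := sha256.Sum256([]byte(rp.rpID))
	if len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], want[:]) || a.AuthData[32]&0x01 == 0 {
		return fmt.Errorf("authenticatorData: wrong RP ID hash or no user presence")
	}
	if !ecdsa.VerifyASN1(rp.pubKey, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// scenario registers one key with example.com, then tries a genuine login, a replay of that
// assertion against a later challenge, and a login relayed via a phishing page on another domain.
func scenario() (genuine, replay, phished error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	rp := &relyingParty{rpID: "example.com", origin: "https://login.example.com", pubKey: &key.PublicKey}
	ch1 := []byte("constructed-challenge-0001") // a real server draws 32 random bytes per login
	a, err := getAssertion(key, "example.com", "https://login.example.com", ch1)
	if err != nil {
		return err, err, err
	}
	genuine = rp.verify(a, ch1)
	ch2 := []byte("constructed-challenge-0002")
	replay = rp.verify(a, ch2) // the captured genuine assertion, resubmitted later
	// The phishing page relays the real challenge, but the browser lets it use only its own RP ID and origin.
	p, err := getAssertion(key, "login-example.evil.test", "https://login-example.evil.test", ch2)
	if err != nil {
		return genuine, replay, err
	}
	return genuine, replay, rp.verify(p, ch2)
}

func main() {
	g, r, p := scenario()
	fmt.Printf("genuine: %v\nreplayed: %v\nfrom phishing domain: %v\n", g, r, p)
}
```

In a real browser the phishing case never gets as far as the server: navigator.credentials.get() on the evil.test page cannot reference a credential scoped to example.com, so no prompt appears. The server-side checks still matter, because a relying party must not assume the client did its job; the verification above rejects the relayed assertion on the origin first and would reject it on the rpIdHash if the origin check were skipped.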
On the other hand, there are management challenges with using physical security keys for MFA, especially for large organisations. Just like mobile phones, security keys can be lost or stolen, so there needs to be a revocation and re-enrolment process, and that process must not become the weak point the keys were meant to remove. Delivery is another consideration: some time-critical operations can't afford to wait for a security key to be shipped to an employee living five time zones away. Should multiple keys be issued per user for redundancy (at a price)?
It is also worth mentioning that this type of MFA is not as widely supported by software vendors as the other forms, which can cause headaches for some organisations: multiple MFA methods may be needed for different systems, and each fallback method drags the overall scheme down to its own level of resistance. As much as we would like physical security keys to be THE solution, there are quite a few trade-offs to take into account.
Truth be told, MFA is undoubtedly an indispensable element for organisations that want to secure their assets. As we've seen, embracing MFA comes with its challenges and trade-offs for managers, IT personnel and employees, most notably when it comes to security. It is, therefore, crucial to understand the risks at hand and to act accordingly. Awareness of social engineering in particular should be a priority within organisations. We stress again that MFA is not a silver bullet and should be used in conjunction with additional controls as part of a full 'defence in depth' approach to cyber security.
If you are interested in the topic of MFA, or are looking to implement this into your organisation, our Security Consultancy services can help you achieve this.
A Cyber Security Partner You Can Trust
Ruptura InfoSecurity are a UK based cyber security provider. Our services are provided entirely in-house and are fully accredited by industry standard qualifications and standards.
© Ruptura InfoSecurity Ltd – 2023. All Rights Reserved. Company Number: 11644559.