Historically users have relied only on passwords (single-factor authentication) to authenticate to systems and access their sensitive information. Unfortunately, single-factor authentication has become the leading cause of account compromise leading to data breaches.
Verizon's 2021 Data Breach Investigation Report identified that 61% of all breaches reviewed involved using stolen credentials. Additionally, IBM reported that the average cost of a data breach in 2021 was $4.24 million. Considering these two statistics, it should be clear that both the impact and likelihood of a compromise caused by weak authentication are severe.
All is not lost. According to Google research in 2019, the implementation of Multi-Factor Authentication (MFA) helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks. I challenge you to find a security control that has such an impact as MFA at reducing the risk of account compromise.
For this reason, MFA has become a critical component of modern secure identity and access management (IDAM) systems.
On a positive note, the easy access and use of secure MFA have led to a significant uptake and acceptance of MFA within everyday online systems. According to Duo's annual State of the Auth Report, 78% of respondents used MFA in 2021 compared to just 28% in 2017. This significant update is great news for the security industry and the online world.
What is MFA?
MFA identifies a user by validating two or more pieces of "secret" information (or proofs of identity) that only that specific user may know of can provide.
The objective of MFA is to create layers of defense that limit an attacker's ability to access a user's account through the compromise of an identity factor. If one factor is compromised or broken, the attacker still has at least one or more layers to compromise before successfully accessing the victim’s account.
Types of MFA
MFA factors have been grouped into the following four categories.
- Something you know:
- A secret - something only the user is authenticated "should know’.
- For example, a password or a PIN.
- Something you have:
- A possession - something only the user being authenticated should possess.
- For example, a smart card, fob/token, or SIM card (for SMS or voice-based tokens).
- Something you are:
- Something biologically unique to the user being authenticated.
- For example, a fingerprint, iris scan, or facial geometry.
- Adaptive (Risk-based) Authentication:
- Analyzes additional factors by considering context and behavior when authenticating a user.
- For example, where the user is logging in from, when the user is logging in, or the device being used.
- The risk level calculated based on these queries can be used to determine whether a user will be prompted for an additional authentication factor or even be allowed to log in.
By increasing the number of authentication factors that a user must provide to identify themselves to a system, we reduce the likelihood that the compromise of a single factor will lead to unauthorized access to the system by the threat actor.
A Short History of Authentication
200 BC: Watchwords
- Polybius, a Greek historian in ~200 BC, described a "watchword" used as a security device by the armies of the Roman Empire. The watchword was inscribed on a wooden tablet and passed around the army ranks to distinguish between friend and foe.
1960s: Computer Passwords
- Fernando Corbató, an American computer scientist at MIT, is credited with the first use of passwords to secure access to files on a large computer system. The system was the Compatible Time-Sharing System (CTSS).
- According to the Wall Street Journal, Fernando is also noted for being one of the first to acknowledge the password's flaws - There seems to be a major breach each month -- and the public's frustrations, having to remember strings of code for dozens of digital accounts. "Unfortunately, it's become kind of a nightmare," he says.
1980s: Time-based Hardware Tokens
- During the 1980s, attacks on passwords were becoming a risk for large businesses, universities, and government organizations.
- In 1984 Security Dynamics Technologies patented a physical hardware device for generating a time-based authentication factor. These fobs generated a one-time password mitigating the risk of weak password reuse.
1990s: Public Key Infrastructure
- Public-key cryptography, developed in 1973, was kept classified by the UK and US governments until 1997.
- Public key infrastructure (PKI) is a set of technologies and standards that manage keys or digital certificates' creation, storage, and distribution.
- PKI is often bound to certificate authorities, which help validate that specific keys or certificates really belong to one entity or another.
- PKI certificates can be stored on Smart cards for use by users for authentication to various systems.
2000s: Multi-Factor Authentication and CAPTCHA
- Previous decades generally identified multiple authentication factors; however, it wasn't until the 2000s that the concept of combining two or more elements together to more strongly identify a user really became mainstream.
- Also, in the 2000s, CAPTCHA ("Completely Automated Public Turing test to tell Computers and Humans Apart") technology became widely adopted. CAPTCHA is a challenge-response test used to determine whether the user is human. While not an MFA factor per se, CAPTCHA technologies mitigated many of the issues experienced in web-based authentication systems, specifically password brute-forcing.
- 2010s: Biometrics and Smart Phones
- Technologies existed for biometric authentication before the 2010s. However, it wasn't until smartphone companies started adding biometric scanners to their devices that ubiquitous biometric identification became a reality.
- The proliferation of mobile phones also introduces the broad adoption of SMS-based OPTs as a common MFA factor.
- With the broad adoption of MFA in the 2010s, cybercriminals had to also change their ways. MFA attack techniques such as phishing and Machine–in–the–middle attacks started to become mainstream and effective against certain MFA factors.
- Early 2020s: FIDO2 and Passwordless Authentication:
- The FIDO Alliance is focused on developing authentication standards to help reduce the world's over-reliance on passwords. Wide adoption of the FIDO2 standard (launched in 2016) began in the early 2020s, with Apple, Google, and Samsung all adopting the standard within their devices.
- FIDO2 is a public-key cryptography-based authentication system that offers expanded authentication options, including strong single-factor (passwordless), strong two-factor, and multi-factor authentication.
- FIDO2 is resistant to many of the MFA weaknesses discussed below, specifically phishing and MitM attacks.
No security control is ever 100% effective at stopping an attack. Even though MFA significantly improves security compared to password-based systems, there are instances where (though unlikely) MFA might fail.
Weaknesses in MFA systems are generally caused by one or two (or sometimes both) attack vectors. These are attacking the "something you have" factor (such as a mobile phone or SIM card) or tricking the victim into revealing an MFA factor through social engineering attacks (such as Phishing or MiTM watering holes).
Different MFA factors may have various weaknesses; let's take a quick look at some of the most prevalent weaknesses or vulnerabilities within MFA systems in recent years.
Single Factor Authentication
While not an attack on MFA, I feel it is helpful in quickly listing the various attacks against systems that only implement single-factor (password-based) authentication.
Single-factor authentication systems are inherently vulnerable. Attackers can guess or steal credentials to gain access to sensitive information and IT systems using a variety of techniques, including:
- Brute force attack – using generated password lists or lists of common weak passwords to attempt access to the vulnerable system.
- Credential stuffing – using stolen or leaked credentials from one account to access other accounts (people often use the same username/password combination for many accounts).
- Phishing – using bogus emails or text messages to trick a victim into replying with their credentials or inputting their credentials into a fake website controlled by the attacker.
- Keylogging – installing malware on a computer to capture username/password keystrokes.
- Man-in-the-middle attacks – intercepting communications streams and replaying credentials.
SMS-based MFA weaknesses
As previously mentioned, SMS-based MFA became popular during the 2010s due to the proliferation of mobile phones. Unfortunately, many weaknesses exist in their implementation because a mobile phone number is not truly something you "have" as it is essentially dynamically leased to you by the mobile phone.
2 attack methods against SMS-based MFA systems are:
- SS7 protocol vulnerabilities: through vulnerabilities in the underlying mobile carrier network protocols, attackers could redirect SMS messages from their legitimate destination to attacker-controlled devices.
- SIM swapping attacks: a malicious technique where attackers' social engineers target mobile carriers to redirect victims' phone calls or SMS messages to attacker-controlled devices.
These attack methods allowed the attackers to retrieve victims SMS based one-time-password tokens. The FBI reported that Sim-Swapping attacks in 2021 alone resulted in the loss of more than $68 million.
The US National Institute of Standards and Technology (NIST) has gone as far as to no longer identify SMS as a recommended form of MFA token delivery.
MFA fatigue is a technique attackers use to flood a user's authentication app with push notifications in the hope they will accept and therefore enable an attacker to gain entry to an account or device.
MFA Fatigue is essentially a social engineering attack against a user, where the target attempts to frustrate the user to the point where the user (against their better judgment) accepts the MFA push notification in an attempt to stop the persistent disruption.
This is a relatively easy yet noisy attack technique as it does not rely upon any additional technical skills or technologies to perform. However, it should be very obvious to the user that something out of the ordinary is occurring, which they may (hopefully) report as a security incident to their manager or security team.
This technique was identified in the wild by Mandiant in 2021 during the successful exploitation of many US Government Office 365 accounts by suspected Russian threat actors.
Mobile Phone Malware
A very common MFA factor is mobile application-based soft tokens. Soft tokens are generally installed on a mobile device by syncing a mobile token application with the accessed system. This synchronization creates a "something you have" authentication factor on the user's device.
Unfortunately, mobile devices are not immune to malware which may result in the compromise of the device's soft token.
In 2020, researchers from Threat Fabric identified hackers using the Cerberus Trojan to extract MFA credentials from the Google Authenticator application installed on compromised Android devices. This attack enabled the hackers to compromise/bypass the MFA token used to protect the victims' sensitive accounts.
Machine-in-the-Middle (MitM) attack
Machine-in-the-middle (MITM) attacker, commonly deployed through phishing, creates a malicious clone of the target webpage (such as a login popup) that seems genuine to the victim. The fake webpage will closely imitate the legitimate authentication page that the user expects to see and pass through the user's credentials to the actual website to trigger the MFA prompt. Once the user has actioned the MFA request (such as a soft token, or mobile push notification) the authentication process will have been successful and the attacker would have gained unauthorized access to the user's account.
The MitM attack is highly effective as it does not need to compromise any other system or user credentials. Through a phishing attack, the attacker can trick a user into providing all authentication information to the attacker's malicious cloned webpage, including most types of MFA factors.
Open source tooling exists that allows this form of attack to be easily executed - one such tool is Evilginx2. The Evilginx2 tool implements a MiTM proxy between the victim and the legitimate website. Once a user is tricked (through social engineering or phishing) into browsing the Evilginx2 proxy, the website will appear reasonably accurate to the user (except for the wrong URL). When the user enters their MFA credentials, this information (and the returned authentication cookies) will be captured by the Evilginx2 tool and provided to the attacker.
Tools such as Evilginx2 significantly increase the prevalence of MiTM attacks against MFA systems as they create a very low technical barrier for carrying out such attacks with these automated toolsets.
Mitigating MFA attacks on Enterprise systems
MFA is not the silver bullet in mitigating threats to enterprise systems as described above. There are many additional controls that organizations can put in place to add additional layers of security to their IDAM implementations. These can include:
Implementation of FIDO2-based Authentication systems
FIDO2 is a recent specification created by the FIDO Alliance to address many previously discussed weaknesses in traditional MFA implementations. The FIDO2 specification defines the protocol used by web browsers to interact with external authenticators, such as hardware tokens or device biometric readers. The main objective of FIDO2 is to eliminate the use of passwords over the Internet.
FIDO2 is implemented using public-key cryptography and the Universal 2nd Factor (U2F) standard for strong MFA.
A key benefit of FIDO2 is that it eliminates the risks of phishing, MiTM, password theft, and replay attacks because the FIDO2 credentials are unique across every website, never leave the user's device, and are never stored on a server.
FIDO2 is already widely supported, including in Google Chrome, Mozilla Firefox, Microsoft Edge, and Apple Safari web browsers, as well as Microsoft, Apple, Samsung, and Android platforms.
Most of the major cloud SaaS platforms already support FIDO2-based authentication mechanisms, including Microsoft 365 and Azure, Google Workspaces, and GCP and AWS services.
Single sign-on (SSO) is when systems allow a user to authenticate using an already trusted third party to verify identity. For example, using your Google or Microsoft 365 credentials to authenticate to other web applicants.
The benefits of SSO include:
- reduces the number of credentials a user needs to remember or manage
- Visibility to the organization on where users are authentication.
- may utilize existing strong MFA implementations
SSO combined with the security of MFA gives the organization's security posture and confidence. In addition, the combination of SSO and MFA offers users efficiency and ease as they have fewer credentials to manage.
Effective Privileges Management
As we have seen, an attacker can still compromise or circumvent MFA. For this reason, we still need to implement additional layers of security controls within the systems and network. One of the most effective security controls within a network is implementing the principle of least privilege through effective privilege management.
Privilege management entails giving users only the lowest access levels necessary to perform their daily tasks and granting additional permissions on an as-needed basis. This restricted access helps reduce risks associated with shared accounts, and if one user gets compromised, it prevents access to more highly secured areas.
Mobile Device Management
Mobile device management (MDM) is the administration of mobile devices, such as smartphones and tablet computers, by an organization.
MDM allows an organization to set policies on employee mobile devices, such as lock screen configurations, limit application installations, and control network settings.
Many MDM platforms can also remotely wipe mobile devices if they are lost or compromised.
These controls provided by MDM platforms all assist in controlling and securing mobile application-based soft tokens installed on employee devices. Reducing their likelihood of compromise.
MFA Authentication and Your Enterprise
Short History of MFA
What is MFA?
- First MFA device/technique?
- Introduction of smartcards?
- Introduction of biometric authentication?
- Something you know – Type 1 Authentication (passwords, passphrase, PIN, etc.).
- Something you have – Type 2 Authentication (ID, Passport, Smart Card, Token, a cookie on PC, etc.).
- Something you are – Type 3 Authentication (and Biometrics) (Fingerprint, Iris Scan, Facial geometry, etc.).
- Somewhere you are – Type 4 Authentication (IP/MAC Address).
- Something you do – Type 5 Authentication (Signature, Pattern unlock).
MFA Weaknesses Exploited by Attackers:
Establish a timeline showing the increasing sophistication of methods attacking MFA (especially nice if we can get an actual timeline graphic)
- No MFA - Password Spraying Dream - see if you can track down early password spraying tools and reference their creation/publication dates
Initial Widespread MFA capabilities
- SMS MFA - Widely knocked as being substantially less secure than other MFA methods, but weaknesses that are exploitable specific to SMS (SS7, SIM-swapping) are mostly the realm of nation-states and a relatively small number of criminal attackers, overall. See if you can find any public examples of SMS-specific bypasses that have been seen in the wild.
- Code-based authentication - subject to MiTM frameworks such as evilnginx2 and Modlinshka sp?
- Pretty sure Evilgnix came first - looks like 2017 is probably the public advent of MiTM frameworks for MFA phishing bypasses
- MFA Request Flood/Fatigue Attacks - when an attacker knows the mechanism to trigger an MFA request and has the other authentication factor (password) they can just trigger the MFA request over and over - eventually users will accept just to stop the requests.
- Browser-in-Browser Attack - why does this pretty much kill all non-FIDO/U2F options for practical purposes?
Post “Phishing-Resistant” MFA
- Phishing Resistant Security Keys and successful bypass techniques
- Limited applicability - This technique was disclosed at OffensiveCon Berlin in 2018
- Limited applicability - This technique for SSH-specific authentication
- Any other techniques you identify as part of cursory research.
How MFA works when your organization uses SSO
SSO and MFA Implications
- “Remember Me?” And why this configuration (1/7/15/30/60/90 days) matters
- One paragraph of IdP v SP in SAML and how you need to configure SP MFA configurations
- How - for many SPs - the ability to configure authentication settings, including enforcement of MFA - is a nascent feature set.