Headline
How to Prevent 2 Common Attacks on MFA
MFA isn’t immune from the tug of war between attackers and defenders.
It’s a well-known and statistically proven fact that password-only credentials pose the highest cyber-risk to people and organizations. Passwords are easily compromised through a wide variety of attacks, such as social engineering and phishing, and often packaged and sold online.
With the widespread adoption of remote work both during and post-pandemic, the need for tighter security created an inflection point for organizations to finally adopt multifactor authentication (MFA) solutions. MFA has been around for decades, and there are abundant options in the marketplace suitable for every industry and organization. But while MFA is inherently more secure than password-only credentials, not all MFA solutions are created equal, and each must be properly configured and managed to prevent attackers from circumventing them.
The premise of MFA is that by requiring “multiple factors” for authentication — a combination of something you know, something you have, something you are and something you do — it makes the job of an attacker with, say, just a stolen password much harder. Unfortunately, when MFA is based on two weaker factors — such as a password (something you know and can easily remember) and a mobile push notification (delivered to something you have, like a mobile authenticator app) — it can still be compromised. For example, a bad actor might use a dictionary attack to obtain a password and then, upon encountering a verification step using MFA, employ push notification phishing to bombard and trick the user into approving the repeated requests. This technique is commonly referred to as MFA fatigue and was recently used by a teenager to perpetrate a successful attack on Uber.
Phishing-Resistant MFA
The good news is that there are phishing-resistant MFA solutions based on standards by the Fast Identity Online (FIDO 2.0) suite of specifications, which includes support for passwordless authentication. In addition, there are hardware-based options such as smart card standards and specifications based on the efforts of the Secure Technology Alliance.
Many MFA solutions employ biometrics for a “something you are” authentication factor. The beauty of biometrics is that they possess these fundamental characteristics, which are:
Universal: Every person using a system or application can be expected to possess the feature (e.g., face, finger, voice)
Unique: Every person has unique, different, and distinguishable aspects of the feature (e.g., facial features, fingerprint ridges and valleys, voice tone and intonation)
Permanent: The feature is reasonably stable, permanent, and invariable over time to perform matching
Collectable: The feature set can be acquired, measured, and processed with ease during capture
Defendable: The feature can be defended from abuse, misuse, theft, imitation, and substitution
Performant: The feature, when combined with matching and liveness detection, performs with accuracy, speed, scale, and ease of use
Adoptable: The population expected to use their personal features are willing adopters and enrollers
The Deepfake Problem
Leaving aside the criticisms of biometrics (over bias, collection, misuse, privacy, and surveillance), threat actors are now using presentation attack types such as deepfakes and spoofing to get around them. While it might sound like something right out of a movie script, in recent years financial institutions and banks have experienced unprecedented fraud during new account creation, loan applications, payments, and transaction disputes. These and other highly regulated industries are legally required to perform identity proofing and verification processes referred to as “electronic know your customer” (eKYC). Unfortunately, not only do many legitimate applicants fail to complete the proofing and verification process due to its complexity, but bad actors have been impersonating real people and using synthetic data seek to “mask” their identities in fake documents and during biometric enrollment.
Fortunately, deepfakes and spoofing can be thwarted through techniques (such as passive liveness detection) that are undetectable by bad actors. There are several third-party-testing and -certifying labs that not only validate vendor solutions but will also validate the implementation of the solution to ensure it is deployed effectively. And just last month, the third edition of the “Handbook of Biometric Anti-Spoofing” was released, which has been updated with broader coverage of presentation attack detection (PAD) methods for a range of biometric modalities, including face, fingerprint, iris, voice, vein, and signature recognition.
There is no question that MFA provides organizations with a significant upgrade in protection over passwords. Like most cybersecurity technologies, however, MFA isn’t immune from the continual tug of war between attackers and defenders. Organizations need to think carefully about which solution they choose and how it’s implemented, to avoid falling victim to the latest threats.