Although MFA is an excellent way to secure systems and data when it is properly implemented, recent cybersecurity incidents have exposed some Multi-Factor Authentication security risks. MFA improves security because access no longer relies solely on weak user passwords, and it could have prevented some of the latest breaches, such as the Colonial Pipeline breach that created fuel shortages across the East Coast of the United States. However, when MFA is used improperly or as the sole security control, hackers can still gain access to corporate systems and data.
What is MFA?
MFA is a technology that requires users to verify their identity using multiple authentication methods when logging in or performing other transactions. MFA combines two or more credentials from independent categories: what the user knows (such as a password or security question), what the user has (such as their phone, ID card, or a security token), and what the user is (biometric validation such as a fingerprint, face match, or retina scan).
Combining multiple access requirements makes security harder to bypass. For example, someone may guess that your password is your dog’s name and your birth year (a bad idea, by the way), or they may have found it in another data breach. If they try to hack into your bank account and your bank also requires you to enter a verification code texted to your phone, the hacker’s job is harder.
As mentioned, MFA could have prevented some well-publicized recent breaches. For example, the Colonial Pipeline breach occurred as the result of one breached password. Hackers accessed the system through a VPN (Virtual Private Network) account, which was intended to provide additional security. A simple MFA requirement would likely have prevented this attack. Companies using a VPN connection should require strong authentication with at least two of the authentication factors listed above.
Unfortunately, as companies increase their security requirements, hackers are also adapting their attacks. There have been recent attacks that were able to bypass security systems, including some MFA requirements. For the SolarWinds Orion compromise, for example, attackers stole the single sign-on (SSO) private keys, which allowed them to bypass the MFA checks entirely.
When MFA and SSO portals are combined, there may also be architectural design flaws that keep the protection from working as designed. For example, if a user is authenticated once and no additional MFA verification is required when accessing more sensitive systems, this creates a weakness: a single low-security machine or employee could be compromised once and then trusted throughout the company’s network. The weakness is compounded if the company does not grant least-privileged access and allows users access to systems they do not need.
Multi-Factor Authentication Security Risks
There are several approaches hackers use to bypass MFA requirements (such as social engineering, technical attacks, and physical theft), and they often combine multiple methods. Some of the most common, and easily avoidable, multi-factor authentication security risks are described below.
Social media mining is common, such as getting users to play games that reveal personal information on Facebook. Remember what we said about using the dog’s name and your birth year as a password? Seemingly innocent posts, games, and pictures, grouped together, provide a wealth of information to hackers. This information may be used to guess your password or the answers to security questions, such as the make and model of your first car or your school mascot.
Technical attack examples include malware and Trojans. Cerberus is a Trojan that abuses Android’s accessibility features and settings such as “enable unknown sources” or “developer options”, which allow hackers to enable remote access, escalate user privileges, and install malware on the target devices. Hackers used the Cerberus Trojan to reverse-engineer the Google authentication flow, extract two-factor authentication credentials from mobile apps, and then mimic or bypass Google Authenticator.
MFA verification solutions that use Short Message Service (SMS) text messages are especially easy for hackers to defeat. You’d think a hacker couldn’t beat this method because you have the phone physically in your hand, but SMS is notoriously easy to break. In fact, the U.S. government has recommended that no MFA solution should include SMS verification tools. The weakness is that hackers can easily convince the cell provider to transfer your phone number to them (a so-called SIM swap). Hackers have used this method to steal hundreds of millions of dollars.
Although MFA is a good start, businesses need to do more to secure their systems. Legacy MFA structures rely on a password as the initial security screen. Since the user’s password is typically the least secure step in the system, it weakens the entire security structure. Additional steps such as SMS confirmation, one-time codes, and so-called “security” questions may slow down a hacker, but they are often little more than an inconvenience.
Managing Multi-Factor Authentication Security Risks
With all this information about MFA’s weaknesses, does it mean we should scrap MFA completely? Absolutely not. Every layer of security helps, but there are ways to provide additional security. Below we discuss some recommendations for proper MFA use.
Use more secure forms of MFA, such as FIDO, and avoid MFA solutions that rely on SMS. FIDO2 (Fast Identity Online) security keys provide unphishable, standards-based passwordless verification. FIDO combines added security for the company with convenience for the user by relying on a platform key built into the device or an external security key, eliminating the password hassle.
Remember that tricking biometric MFA solutions isn’t that difficult. Fingerprints can be stolen, created in gelatin, and used to bypass scanners. Scanners allow slight variations to account for sweaty fingers or abrasions, for example, which means forgeries don’t have to be all that exact. A Vietnamese security group has created a mask that can trick Apple’s face scan. Biometrics are good, but they shouldn’t be viewed as foolproof.
Combine your MFA with other security methods such as least-privileged access. This process entails giving users only the lowest levels of access necessary to perform their daily tasks, and requires granting additional permissions on an as-needed basis. This restricted access helps reduce risks associated with shared accounts, and if one user gets compromised, it prevents access to more highly secured areas.
Have a plan for lost devices. Anything a user has, such as a phone or a token, a user can lose. Of course you need to educate users to report lost devices immediately. IT can then expire the current session and require reauthentication for access. The device can be disassociated from the user’s account and therefore from the user’s access rights. Finally, in some situations (typically for company-owned devices), the company can remote-wipe corporate data from the mobile device.
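To make these recommendations concrete, here is an added example (not code from the original article or any product it mentions) of a deny-by-default access check that models three of the controls discussed above: step-up MFA before reaching sensitive systems, explicit least-privilege grants, and revoking a lost device together with every session bound to it. The assurance levels, resource tiers, and the 10-minute freshness window are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assurance levels: a higher number means a stronger, harder-to-phish set of factors (assumed scale).
PASSWORD_ONLY, PASSWORD_PLUS_OTP, PHISHING_RESISTANT = 1, 2, 3
STEP_UP_WINDOW = 600  # seconds a recent MFA check stays "fresh" for sensitive resources (assumption)

# Resource sensitivity tiers: minimum assurance level and whether a fresh MFA check is required.
RESOURCE_POLICY = {
    "wiki":       {"min_level": PASSWORD_ONLY,      "fresh_mfa": False},
    "vpn":        {"min_level": PASSWORD_PLUS_OTP,  "fresh_mfa": False},
    "payroll-db": {"min_level": PHISHING_RESISTANT, "fresh_mfa": True},
}

@dataclass
class Session:
    user: str
    device_id: str       # the registered device this session is bound to
    level: int           # assurance level reached at login
    last_mfa_at: float   # epoch seconds of the most recent MFA verification
    grants: frozenset    # least privilege: only explicitly granted resources are reachable

revoked_devices = set()  # devices reported lost or stolen

def report_lost_device(device_id: str, sessions: list) -> int:
    """Lost-device plan: block the device and terminate every session bound to it.
    The list is modified in place; returns how many sessions were killed."""
    revoked_devices.add(device_id)
    alive = [s for s in sessions if s.device_id != device_id]
    killed = len(sessions) - len(alive)
    sessions[:] = alive
    return killed

def authorize(session: Session, resource: str, now: float) -> tuple:
    """Return (allowed, reason). Every denial maps to a weakness named in the text."""
    if session.device_id in revoked_devices:
        return False, "device revoked: reauthenticate from a trusted device"
    policy = RESOURCE_POLICY.get(resource)
    if policy is None or resource not in session.grants:
        return False, "no explicit grant for this resource (least privilege)"
    if session.level < policy["min_level"]:
        return False, "authentication too weak for this resource: step-up MFA required"
    if policy["fresh_mfa"] and now - session.last_mfa_at > STEP_UP_WINDOW:
        return False, "MFA check is stale: re-verify before accessing a sensitive system"
    return True, "ok"
```

A session that logged in with a password plus a one-time code can reach the wiki and the VPN but is stopped at the payroll database until it steps up to a phishing-resistant factor, and a revoked device is refused everywhere even if its session object still exists.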
Regularly reevaluate your MFA procedures because security is a dynamic field. As security procedures evolve, attackers continually change their methods to get around the barriers. Your IT infrastructure may change and create new vulnerabilities. The security environment needs to continually change to keep up with hackers and with your infrastructure changes.
Finally, remember that while MFA makes hacking less likely in some scenarios, it is not unhackable. Make sure all your MFA admins understand the potential vulnerabilities and are familiar with the ways MFA solutions are hacked or bypassed. This knowledge helps your company understand the types of threats to your MFA solution, how to recognize weaknesses, and how to report any potential attacks.