Multi-Factor Authentication and Its Role In Creating a Resilient Security Posture

Christopher Eaton | May 9th, 2024

 

Within the barrage of headlines, stories, and lived experiences regarding identity theft and cyberattacks, there are often key themes worth exploring. For instance, the CEO of UnitedHealth Group admitted, as reported in a CBS News story, that the recent cyberattack against the massive insurer can be blamed on the fact that the entry point “…server did not have MFA (multi-factor authentication) on it.” [1]

Other instances include the attacks against MGM and Caesars Entertainment, Inc., which were perpetrated in part because the threat actors “overwhelm targets using multi-factor authentication notification fatigue tactics.” [2] Consider also this headline [3] generated from the State of Authentication in the Finance Industry report (2022) [4]: “Authentication weakness responsible for 80% of financial breaches.”

These examples all indicate that MFA is an important tool for maintaining cyber security and organizational resilience, making it worth a deeper examination.

What is MFA and how does it work?

MFA is a security system tied to specific, oftentimes individual, user accounts that requires more than one method of authentication, drawn from independent categories of credentials, to verify the user’s identity before a login transaction completes. The main principle behind MFA is to create a layered defense and make it more difficult for an unauthorized person to access a target device, account, or organizational network.

MFA works by requiring two or more of the following authentication methods:

  1. Something You Know (password, a personal identification number (PIN), or answers to personal questions)
  2. Something You Have (a smartphone with an app providing time-limited, one-time passwords (OTP), a security token, or a smart card)
  3. Something You Are (biometrics like fingerprints, retina scans, or voice recognition)

 

For authentication to succeed, all submissions must be correct. This security process is favored over standard username + password authentication, as the limited strength of this legacy process is easily bypassed. The added layers provided by MFA offer more robust security.
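To make "all submissions must be correct" concrete, here is an added example (not code from the original article) that checks a password together with a time-limited OTP computed per RFC 6238. The record layout and the names `enroll` and `verify_login` are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30  # seconds an OTP stays valid ("time-limited")

def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 for the time step containing `at`."""
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def enroll(password: str, totp_secret: bytes, salt: bytes) -> dict:
    """Hypothetical account record; last_step remembers the newest OTP used."""
    return {"salt": salt, "pw_hash": _pw_hash(password, salt),
            "totp_secret": totp_secret, "last_step": -1}

def verify_login(rec: dict, password: str, code: str,
                 now: Optional[float] = None, drift: int = 1) -> bool:
    """Succeeds only if BOTH factors are correct; either failure looks the same."""
    now = time.time() if now is None else now
    knows = hmac.compare_digest(_pw_hash(password, rec["salt"]), rec["pw_hash"])
    accepted = None
    current = int(now) // STEP
    # Accept neighbouring time steps to tolerate clock skew on the user's phone.
    for step in range(max(0, current - drift), current + drift + 1):
        expected = totp(rec["totp_secret"], step * STEP)
        if step > rec["last_step"] and hmac.compare_digest(
                expected.encode(), code.encode()):
            accepted = step
    if knows and accepted is not None:
        rec["last_step"] = accepted  # a code that was used cannot be replayed
        return True
    return False
```

The caller learns only that the login failed, not which factor was wrong, and a correct OTP is rejected once it has been used.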

The relative ease of deploying MFA makes it a recommended component of any user account, particularly for email tenants or cloud-based applications. The only requirements are SMS text-based systems and an authenticator application, with minimal hardware and software changes.

However, more complex MFA solutions, such as biometric systems or smart card-based systems for physical access to a space, can require considerable hardware and software changes, including biometric scanners or card readers and the necessary software to authenticate the results. If what is behind the door or what can be accessed through an application is worth safeguarding, MFA is worth installing.

Considering MFA: weighing its benefits and challenges

MFA provides a significant level of security by adding checkpoints that are difficult for unauthorized individuals to detour. Even if a threat actor can crack one authentication factor, it is unlikely they can bypass the second or third. This defensive resource is particularly effective against common attacks like phishing, where an attacker might obtain a user’s password but can’t readily replicate a fingerprint or get the OTP from the user’s phone. Without question, MFA is useful and essential for robust and resilient security.

However, it’s important to note that while MFA significantly increases security, it’s not infallible. For example, if a user loses a device that generates OTPs or drops the card, an attacker could gain access to it. Furthermore, biometric systems can sometimes be fooled by high-quality forgeries. MFA systems must be implemented and managed correctly to maintain their security.

For instance, if a system allows certain users to bypass MFA or if administrators do not regularly review and update security settings, the effectiveness of MFA can be undermined. Notwithstanding these potential vulnerabilities, MFA remains one of the most effective methods for securing user identities and protecting resources from unauthorized access.

Despite a widely circulated statistic that 99.9% of user account compromise attacks can be prevented with MFA (Microsoft [5], CISA [6]), the reality of the threat landscape indicates it is not so simple or impenetrable. While this important tool should be an aspect of any security stack for both businesses and individuals, there are numerous challenges associated with MFA that threat actors leverage to bypass its safeguards.

How threat actors overcome MFA controls

In order to repel threat actors, it is first essential to learn how they operate and what you can do to better protect your accounts.

One component of MFA weakness fits within the realm of ‘human error’ and is termed MFA fatigue [7]. While secure, MFA may not always be user-friendly. For many individuals, it is inconvenient to go through multiple stages of authentication, especially if the process is time-consuming, complex, or exhaustively persistent. This might lead to frustration and can be particularly challenging when dealing with less tech-savvy users. Unfortunately, frustration often leads to less-than-ideal security-related practices, increasing the likelihood of a calamitous error.
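On the detection side, persistent prompting shows up in authentication logs as a run of denied or unanswered push requests for one account, sometimes ending in an approval. The following added example (not part of the original article) flags that pattern; the log format, event names, window, and threshold are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): time, user, push result, source IP.
SAMPLE_LOG = """\
2024-05-09T02:11:04Z alice push_timeout 203.0.113.7
2024-05-09T02:11:40Z alice push_denied 203.0.113.7
2024-05-09T02:12:15Z alice push_denied 203.0.113.7
2024-05-09T02:13:02Z alice push_timeout 203.0.113.7
2024-05-09T02:13:50Z alice push_denied 203.0.113.7
2024-05-09T02:14:31Z alice push_approved 203.0.113.7
2024-05-09T09:00:10Z bob push_denied 198.51.100.20
2024-05-09T09:00:45Z bob push_approved 198.51.100.20
2024-05-09T10:00:00Z carol push_timeout 192.0.2.9
2024-05-09T11:00:00Z carol push_timeout 192.0.2.9
2024-05-09T12:00:00Z carol push_timeout 192.0.2.9
2024-05-09T13:00:00Z carol push_timeout 192.0.2.9
""".splitlines()

def parse(line):
    ts, user, result, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip

def detect_push_fatigue(lines, window=timedelta(minutes=10), threshold=4):
    """Return (user, alert_kind, time, ip) for prompt bursts inside `window`."""
    unanswered = defaultdict(deque)  # user -> times of denied/timed-out prompts
    alerts = []
    for ts, user, result, ip in sorted(map(parse, lines)):
        q = unanswered[user]
        while q and ts - q[0] > window:  # forget prompts older than the window
            q.popleft()
        if result in ("push_denied", "push_timeout"):
            q.append(ts)
            if len(q) == threshold:      # alert once when the burst forms
                alerts.append((user, "prompt_burst", ts, ip))
        elif result == "push_approved":
            if len(q) >= threshold:      # approval right after a burst: triage first
                alerts.append((user, "approved_after_burst", ts, ip))
            q.clear()
    return alerts
```

A single mistyped denial followed by an approval (bob) and timeouts spread over hours (carol) stay below the threshold, which keeps the alert focused on bursts.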

Another potential for exploitation is through SIM Swapping. For instance, SMS-based MFA can be vulnerable to SIM swapping attacks. In this scenario, an attacker tricks a mobile network provider into transferring the victim’s phone number to a new SIM card, which the attacker controls.

Another tactic increasing in usage among threat groups is the theft of session cookies [8], which are digital tokens that store data temporarily within a transaction until the web browser session is closed. This process [9], which shares similarities with phishing and business email compromise (BEC) attack kits, requires threat actors to establish a fake landing and login page mimicking the real thing, tricking users into providing OTPs. Throughout this process, the malicious actors can enter login, password, and OTP information into the legitimate sites in real-time. The “kits” are essentially build-your-own development guides and pre-written codes so anyone willing to pay for the information can perform such attacks.

Additional reports indicate threat actors are sometimes able to deactivate the need for MFA by accessing administrative accounts, most likely via phishing or social engineering attacks. The point here is that threat actors have and continue to develop numerous techniques to bypass MFA, which can be expected to continue with increased, wider adoption of the technology.

Moving forward with MFA 

According to Proofpoint’s 2024 State of the Phish Report, “over one million attacks are launched with the MFA-bypass framework EvilProxy every month,” indicating there is a profound need for an effective defense against these threats [10]. As a further sign that MFA is a strong component of a resilient security stack, Microsoft is requiring the process for select tenants [11].

To better ensure MFA works as it should and bypass attacks are limited, organizations must incorporate user training and awareness into onboarding and ongoing development. For MFA to be effective, users need to understand why it is necessary and how to use it. This can require substantial training and awareness-building, which could be challenging and time-consuming but ultimately prevents an organization from being victimized.

No single tool or software is a panacea for all cyberattacks; however, MFA, when properly deployed and configured and paired with discerning, well-trained individuals, can go a long way in safeguarding accounts connected to critical, sensitive information.

Sources

  1. Brooks, Khristopher. UnitedHealth Data Breach Caused by Lack of Multifactor Authentication, CEO Says – CBS News. 1 May 2024, https://www.cbsnews.com/news/unitedhealth-senate-hearing-cyberattack-change-healthcare/.
  2. Bracken, Becky. “Scattered Spider” Behind MGM Cyberattack, Targets Casinos. https://www.darkreading.com/cyberattacks-data-breaches/-scattered-spider-mgm-cyberattack-casinos.
  3. Hoffman, Karen. “Authentication Weakness Responsible for 80% of Financial Breaches.” SC Media, 20 July 2022, https://www.scmagazine.com/analysis/authentication-weakness-responsible-for-80-of-financial-breaches.
  4. State of Authentication in the Finance Industry 2022 | HYPR. https://get.hypr.com/state-of-authentication-in-the-finance-industry-2022. Accessed 12 July 2024.
  5. Maynes, Melanie. “One Simple Action You Can Take to Prevent 99.9 Percent of Attacks on Your Accounts.” Microsoft Security Blog, 20 Aug. 2019, https://www.microsoft.com/en-us/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/.
  6. More than a Password | CISA. https://www.cisa.gov/MFA.
  7. “MFA Fatigue Attacks Are Putting Your Organization at Risk.” BleepingComputer, https://www.bleepingcomputer.com/news/security/mfa-fatigue-attacks-are-putting-your-organization-at-risk/.
  8. Abrams, Lawrence. “Clever Phishing Method Bypasses MFA Using Microsoft WebView2 Apps.” BleepingComputer, https://www.bleepingcomputer.com/news/security/clever-phishing-method-bypasses-mfa-using-microsoft-webview2-apps/.
  9. Ilascu, Ionut. “W3LL Phishing Kit Hijacks Thousands of Microsoft 365 Accounts, Bypasses MFA.” BleepingComputer, https://www.bleepingcomputer.com/news/security/w3ll-phishing-kit-hijacks-thousands-of-microsoft-365-accounts-bypasses-mfa/.
  10. 2024 State of the Phish Report: 68% of Employees Willingly Gamble with Organizational Security | Proofpoint US. 26 Feb. 2024, https://www.proofpoint.com/us/newsroom/press-releases/proofpoints-2024-state-phish-report-68-employees-willingly-gamble.
  11. Mandating Multifactor Authentication (MFA) for Your Partner Tenant – Partner Center. 11 June 2024, https://learn.microsoft.com/en-us/partner-center/security/partner-security-requirements-mandating-mfa.
