The past decade, including the two years (and counting) of the COVID-19 pandemic, has given us a major reality check for cybersecurity: passwords are becoming passé. Gone are the good old times when users, within the comfort of their office spaces, could access organizational networks by entering a mere word or phrase.
Attacks targeting password-based authentication, combined with the burden for users to remember their passwords or phrases, have exposed several security cracks in password-based authentication systems. The friction-heavy user experience has prompted companies to look out for better alternatives that can fortify their hybrid networks in a hassle-free way.
In order to reduce the dependency on knowledge-based credentials, organizations resorted to incorporating personalized factors into their verification procedures, leading to the rise of multi-factor authentication (MFA). While authenticating into a resource, MFA prompts the user for an additional authentication window that requests the following credentials:
These requests are delivered to users via push notifications. By using MFA, a network can authenticate a user with an additional factor that is unique to that user without overstepping the bounds of their privacy. MFA, with two-factor authentication (2FA) as the most popular form in use, is seen as a highly suitable way to authenticate users in the face of a growing threat landscape, as it reduces the security gaps introduced by password-based authentication. Despite adding stringency, however, MFA has its own share of vulnerabilities that are prone to exploitation.
MFA can also lead users and networks into security pitfalls that endanger network infrastructure.
Interception of passcodes: MFA makes use of possession factors, such as OTPs and other temporary passcodes, that are sent to a user's personal or work device. When SMS is used to deliver these unique passcodes, authentication systems run the risk of having them intercepted by bad actors via the SS7 protocol, the telecommunications framework that carries SMS and the other services connecting mobile networks worldwide.
Networks that use the SS7 protocol have been subject to several eavesdropping attacks. As long as mobile networks continue to rely on SS7, devices will remain prone to threats that exploit cross-protocol attack vectors. Besides SS7 attacks, attackers can get hold of passcodes through SIM swapping, which lets them spoof a victim's SIM card information via their phone number.
Malware attacks: One of the most significant instances of malicious code used to compromise MFA is Cerberus, the banking malware whose remote access Trojan (RAT) functionality allowed attackers to steal victims' 2FA codes from Google Authenticator on Android devices. With the codes in hand, attackers gained unauthorized access to the personal information and processes held on the victim's mobile device.
Push attacks: Also referred to as push notification attacks, push fatigue attacks, and MFA-prompt attacks, this social engineering technique involves attackers mimicking MFA's push notification feature on the victim's devices, then spamming the victim with prompts until they give in and offer their credentials. Much like brute force, push fatigue attacks are executed in high volumes, as their success depends on the probability of the victim clicking the notification. According to HYPR and Cybersecurity Insiders' 2022 Passwordless Security Report, push fatigue attacks grew by 33% over the previous year, making them a threat that cannot be ignored.
Pass-the-cookie: Similar to a pass-the-hash attack in Active Directory (AD), this technique exploits the session artifacts created after a session has been opened via MFA. So that users are not re-prompted for knowledge-based factors in subsequent sessions, cache memory and cookies retain their credentials (such as usernames and passwords). This information is encrypted for the user with the Data Protection API (DPAPI). However, it can be compromised when an attacker extracts the session cookies by executing malicious commands on the victim's computer.
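The push attacks described above leave a recognisable trace in authentication logs: a burst of prompts for one user, most of them denied or timed out, sometimes ending in an approval. The following detector is an added example, not code from the original article or from any vendor; the log format, event names and thresholds are constructed for illustration.

```javascript
// Constructed sample MFA push log (not from any real system): "<ISO time> <user> <event> <source ip>"
const SAMPLE_LOG = [
  "2024-03-01T09:00:05Z alice push_approved 203.0.113.7",
  "2024-03-01T09:40:10Z bob push_denied 198.51.100.23",
  "2024-03-01T09:41:02Z bob push_timeout 198.51.100.23",
  "2024-03-01T09:41:55Z bob push_denied 198.51.100.23",
  "2024-03-01T09:42:40Z bob push_denied 198.51.100.23",
  "2024-03-01T09:43:30Z bob push_approved 198.51.100.23",
  "2024-03-01T11:00:00Z carol push_denied 192.0.2.9",
  "2024-03-01T11:20:00Z carol push_timeout 192.0.2.9",
];

function parseLine(line) {
  const [ts, user, event, ip] = line.trim().split(/\s+/);
  return { t: Date.parse(ts), user, event, ip };
}

// One alert per user who received at least `minPrompts` push prompts inside any
// `windowMs`-long window. Severity is "critical" when an approval arrives after two or
// more denials/timeouts in the same burst (the signature of a victim giving in).
function detectPushFatigue(lines, { windowMs = 10 * 60 * 1000, minPrompts = 3 } = {}) {
  const byUser = new Map();
  for (const ev of lines.map(parseLine)) {
    if (!byUser.has(ev.user)) byUser.set(ev.user, []);
    byUser.get(ev.user).push(ev);
  }
  const alerts = [];
  for (const [user, evs] of byUser) {
    evs.sort((a, b) => a.t - b.t);
    let alert = null;
    let start = 0;
    for (let end = 0; end < evs.length; end++) {
      while (evs[end].t - evs[start].t > windowMs) start++; // slide the window forward
      const burst = evs.slice(start, end + 1);
      if (burst.length < minPrompts) continue;
      const rejected = burst.filter((e) => e.event !== "push_approved").length;
      alert = alert || { user, prompts: 0, rejected: 0, severity: "warning" };
      alert.prompts = Math.max(alert.prompts, burst.length);
      alert.rejected = Math.max(alert.rejected, rejected);
      if (evs[end].event === "push_approved" && rejected >= 2) alert.severity = "critical";
    }
    if (alert) alerts.push(alert);
  }
  return alerts;
}
```

Run over the sample, only bob trips the rule, and the final approval after four rejections escalates it to critical; carol's two prompts twenty minutes apart never share a window.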
Like any security component, MFA has its own imperfections and can be manipulated. But these vulnerabilities should not stand in the way of its implementation. Instead, mitigation steps can be taken to minimize the attack surface surrounding MFA systems. Some actionable steps to secure MFA include:
Re-authenticate user identity: To make session-related cookies worthless to an attacker, MFA must not allow a user's credentials to be retained after a session is opened. Stringent policies are necessary to ensure that cookies are regularly cleared.
Avoid SMS-based MFA: With SMS-based authentication flows proving vulnerable to attack, solutions should instead make optimal use of hardware security devices such as smart cards, YubiKeys, and other U2F keys that adhere to open-standard protocols like FIDO2.
Obfuscation: The idea of 'data protection by design' must be kept in mind before developing or implementing MFA solutions. Obfuscation, which refers to the encryption of sensitive code, must be performed at a developmental stage so that the application's display is rendered meaningless to attackers. This reduces the chances of reverse engineering of MFA windows.
Strengthen data security: Encrypting data sets associated with MFA solutions, which include APIs, application preferences, libraries, and metadata information, must be of top priority.
While MFA is a tool of the present, organizations and open standards have started to gravitate towards passwordless authentication solutions. Estimated at $12.79 billion in 2021, the global passwordless authentication market is expected to reach $53.64 billion by 2030, growing at a CAGR of 16.7% over 2022-2030.
The advent of biometric authentication has opened up a world of possibilities, wherein users can be verified without the intervention of a string of characters, or any acquired credential for that matter. In a major step toward password-free authentication, several IT leaders gathered in 2012 to form the Fast IDentity Online (FIDO) Alliance. According to its website, FIDO protocols "use standard public key cryptography techniques to provide stronger authentication."
FIDO2 uses both public and private keys to authenticate and secure user identities. When a user's client device verifies their identity to a FIDO-supported platform, the server creates an authentication pair which consists of both the public and the private key. While the user receives the public key, the private key is retained by the server. Subsequently, when the user logs into the platform after providing a username and password, the platform requests the user to sign a challenge. The client device uses the public key to sign the challenge and gain access.
At present, the transition from MFA to passwordless must be accompanied by various changes, such as reducing dependence on SMS delivery by generating codes locally. By making optimal use of FIDO2 standards and personalized credentials, organizations can experience a smoother shift between the two authentication mechanisms.