Tom (TJ) Jermoluk, CEO of Beyond Identity, explains why legacy MFA is not a panacea for the problem of password theft
For decades passwords have been the de facto process for identity authentication. Whether logging into social media or accessing critical corporate applications, everyone is used to inputting multiple passwords every day. Unfortunately, passwords are not only ubiquitous, but they have also long ceased to be fit for purpose.
For one thing, countless passwords are stolen by cyber criminals every single day. At the time of writing, www.haveIbeenpwned.com lists approximately 11.5 million compromised passwords. And that’s just the ones they know about.
Making things worse, each of those passwords is often the key to unlocking multiple applications. Faced with the requirement to log in to dozens of services and applications every day, users tend to reuse the same handful of username/password combinations across multiple locations, often sharing them across their home and work life.
In fact, over half of workers admit to reusing their passwords across several work accounts. A single database stolen from a poorly secured website could lead to a host of breaches in several other places.
Multifactor authentication (MFA) is often heralded as one of the best solutions to the problem. Unfortunately, legacy forms of MFA also have their share of issues which can leave organisations highly susceptible to exploitation. While better than passwords alone, legacy MFA is no panacea, and businesses need a more effective approach to authentication.
Legacy MFA is not invincible
Many traditional MFA approaches begin with the password as the initial authentication factor and then require users to further verify their identity through a second factor, with delivery methods including emails, SMS and specific applications.
How secure this actually is will vary widely depending on the tool and process. Apple, for example, offers one of the more secure approaches for its Apple ID accounts. Users are not only provided with a push notification through the OS, but are also shown a map with the location of the sign-on attempt. If the user is in London, England and gets a notification for Bucharest, Romania, they immediately know something is up.
There is a range of legacy MFA approaches. Unfortunately, most of the widely used ones rely on passwords and other weak factors, such as one-time passcodes sent via email and SMS. These have significant security flaws that have been frequently exploited by attackers. While better than passwords alone, they are not at all the ideal defence mechanism that many believe.
In addition to lacklustre security, another problem with legacy MFA approaches is that they tend to be disliked by users. And with good reason. The onus falls squarely on the shoulders of the user who must jump through numerous hoops across several devices in order to log in and simply get on with their job.
This is particularly frustrating for users accessing multiple applications that each require a second factor that is often on a different device. It’s disruptive and time consuming, and even more painful if the service is sluggish in responding.
Hijacking legacy MFA
Beyond the downsides for the user, traditional MFA comes with inherent security risks.
If the MFA verification is delivered via email, the fraudster only needs to take one additional step to trick the user into sharing their PIN. For example, the attacker can direct the victim to a spoofed landing page of a legitimate service. Once they have gathered the initial credentials (user ID and password), the criminal can use them to trigger an MFA email on the real site and steal the confirmation code when the user enters it.
SMS-based MFA can be easily bypassed by SIM swapping. This requires a little bit of social engineering from the criminal to have the phone number “swapped” to a new SIM. They can then essentially turn their phone into a copy of the victim’s and receive the verification text.
With some preparation, threat actors can also hijack MFA codes via man-in-the-middle attacks that place a proxy between the client and server, or man-in-the-endpoint attacks that can start rogue sessions in the background once a session has been authenticated.
Focusing on strong foundations
On paper, legacy MFA is an effective security practice which can eliminate the majority of attempts to compromise an endpoint or network. In practice however, flaws in the delivery create opportunities for threat actors to hijack the process.
More importantly, legacy MFA is typically layered on top of a standard password-based authentication system, which means the MFA approach is built on a completely compromised foundation.
In order for authentication to be secure, all the authentication factors need to be strong. This means moving away from traditional credentials and adopting a stronger process such as asymmetric encryption using a private key that is not shared and a public key that can be shared without compromising security.
This approach is used in Transport Layer Security (TLS), and is widely recognised as the padlock icon in the browser's address bar. Asymmetric cryptography is the bedrock of secure internet communications and it protects trillions of pounds of financial transactions daily.
Adopting a completely passwordless system that uses only strong authentication factors based on proven asymmetric cryptography will remove the risk of criminals stealing credential databases or using phishing techniques, and will provide a strong foundation on which to build MFA. This requires fully replacing the password, not simply covering it up with another layer.
Similarly, the second factor needs to move away from email and SMS delivery systems that are open to hijacking or other diversions. Delivering the verification through a dedicated application and secure communications channel makes it far more difficult for a criminal to insert themselves into the process.
The authentication itself needs to be something that cannot easily be replicated. Biometrics are an ideal solution as one of the factors, and the technology has become widely available in recent years. Most modern computers and mobile devices now have either fingerprint scanning or facial recognition as standard features. Taking Apple's lead, the biometric data is stored locally on the device inside special-purpose hardware that is highly resistant to attack.
Modern devices lacking biometrics often use PIN codes that store the PIN in secure hardware on the device and also have built-in "anti-hammering" protections, so that an attacker only gets a few tries before the device stops accepting new login attempts.
The bottom line is that modern devices have strong primary authentication mechanisms built in. Using strong biometric authentication to prove possession of the device, plus a second factor based on proven asymmetric cryptography, provides a fundamentally strong, passwordless multifactor authentication method that can be trusted. Like the biometric data, the private key used in asymmetric cryptography approaches is stored within the secure hardware built into the device itself (either a Trusted Platform Module (TPM) or a secure enclave).
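The challenge-response login that such a device-bound key pair makes possible, shown as an added example that is not code from the original article or from Beyond Identity's product. It assumes Ed25519 signatures (the article names no algorithm), a constructed message format, and an in-memory private key standing in for one held in a TPM or secure enclave; the user, device and origin names are placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// loginMessage binds the response to the relying party, the identity and a
// single-use nonce, so a response captured for one site is useless elsewhere.
func loginMessage(origin, userID, deviceID string, nonce []byte) []byte {
	return append([]byte("login|"+origin+"|"+userID+"|"+deviceID+"|"), nonce...)
}

// Device holds the private key; on real hardware it sits in a TPM or secure
// enclave behind the biometric or PIN. Here it is simulated in memory.
type Device struct{ priv ed25519.PrivateKey }
// NewDevice generates the key pair; only the public half is ever exported.
func NewDevice() (*Device, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail
	return &Device{priv}, pub
}
// Sign answers a challenge; the private key never leaves the device.
func (d *Device) Sign(origin, userID, deviceID string, nonce []byte) []byte {
	return ed25519.Sign(d.priv, loginMessage(origin, userID, deviceID, nonce))
}

// Server stores only public keys plus one outstanding nonce per user/device.
type Server struct {
	Origin               string
	enrolled, challenges map[string][]byte // keyed as userID+"/"+deviceID
}
func NewServer(origin string) *Server {
	return &Server{origin, map[string][]byte{}, map[string][]byte{}}
}
// Enroll records a device's public key for a user at registration time.
func (s *Server) Enroll(userID, deviceID string, pub ed25519.PublicKey) {
	s.enrolled[userID+"/"+deviceID] = pub
}
// Challenge issues a fresh random nonce valid for exactly one login attempt.
func (s *Server) Challenge(userID, deviceID string) []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce) // crypto/rand.Read does not fail in practice
	s.challenges[userID+"/"+deviceID] = nonce
	return nonce
}
// Verify checks the response with the enrolled key and consumes the nonce, so
// an unenrolled device, a foreign key or a replayed response is rejected.
func (s *Server) Verify(userID, deviceID string, sig []byte) bool {
	key := userID + "/" + deviceID
	pub, nonce := s.enrolled[key], s.challenges[key]
	delete(s.challenges, key)
	if len(pub) != ed25519.PublicKeySize || nonce == nil {
		return false
	}
	return ed25519.Verify(pub, loginMessage(s.Origin, userID, deviceID, nonce), sig)
}
```

Note that the server never stores anything worth stealing: a dump of its enrolment table yields only public keys, which is the property the article contrasts with a password database.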
Strength in numbers
Adopting a completely passwordless multi-factor approach to authentication enables organisations to confirm exactly who the user is. Approaches that also employ asymmetric cryptography to bind the user's identity to the device enable trust that the user is logging in from a registered device. This has become increasingly important for organisations, particularly in the new hybrid work paradigm where employees are accessing a range of SaaS applications and cloud resources.
In addition to being able to positively authenticate the user and the device, many organisations are turning to a concept called “device trust” whereby they seek to assess the security posture of the device being used to log into systems before granting access.
Legacy MFA was never designed to authenticate the device or assess whether the security posture of the device meets security requirements. Modern solutions need this additional capability because the old network-based controls do not exist in the hybrid working and cloud computing environment.
Convenience is key
Lastly, the authentication method chosen needs to be simple, fast and consistent for end users. One of the main issues that has hindered the widespread adoption of MFA is the undue friction that it adds to the login flow. If users were only accessing one or two applications, legacy MFA that requires users to grab a second device, fish out a code and enter it into the login screen may be acceptable. While it is a cumbersome process for a few apps, it is a prohibitively time-consuming process for employees who are logging into a dozen applications daily.
A solution that leverages the built-in biometric for the first factor and asymmetric cryptography as a strong and seamless second factor is ideal from both a security and a convenience perspective.
Tom (TJ) Jermoluk is CEO of Beyond Identity
Main image courtesy of iStockPhoto.com