Monday, August 28, 2023

Phishing-Resistant MFA

MFA, or Multi-Factor Authentication, is a layered approach to securing physical and logical access in which a system requires a user to present a combination of two or more different authenticators to verify the user's identity. MFA increases security because even if one authenticator is compromised, malicious users will not be able to meet the second authentication requirement and so will not be able to access the account, system or space.

A typical MFA login would require the user to present some combination of the following:
  • Something you know - like a password or PIN 
  • Something you have - like smart card, mobile token or hardware token
  • Something you are - like biometrics (fingerprint or voice recognition)
MFA makes it more difficult for threat actors to gain access to accounts (such as Facebook, Instagram and other information systems), devices and network systems even if the user name, password and PIN are compromised through phishing attacks or other means.

With MFA enabled, if one factor is compromised, unauthorized actors will still be unable to access the account if they cannot provide the second factor. This additional layer protects against and stops the most common malicious cyber techniques.

Organizations must implement MFA for all users on all services to which they provide access. Common services include email, chat, file sharing, etc.

Not all forms of MFA are equally secure. Some are vulnerable to phishing, "push bombing" attacks, exploitation of SS7 protocol vulnerabilities, or SIM swap attacks. If successful, these attacks may allow malicious users to obtain MFA authentication credentials or bypass MFA to access MFA-protected systems.

CYBER THREATS TO MFA

Cyber threat actors have used multiple methods to gain access to MFA credentials:

Phishing: Phishing is a form of social engineering in which cyber threat actors use email or malicious websites to solicit information. For example, in a widely used phishing technique, a threat actor sends an email to a target that convinces the user to visit a threat actor-controlled website that mimics a company’s legitimate login portal. The user submits their username, password, as well as the 6-digit code from their mobile phone’s authenticator app.

Push bombing (also known as push fatigue): Cyber threat actors bombard a user with push notifications until they press the “Accept” button, thereby granting threat actor access to the network.
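Two defensive controls follow directly from the push bombing description above, and from the "number matching" distinction in the ranking list later in this post: require the user to type a number shown on the login screen instead of just tapping "Accept", and alert on a burst of prompts sent to one user. The following is an added example written for this post, not code from the original author or from any MFA vendor; the log format and the user names are constructed for the demonstration.

```python
"""Push MFA: number matching defeats a blind "Accept", and a burst of prompts
to one user within a short window is the push-bombing signal worth alerting on.
Added example; the log format and users below are constructed."""
import secrets
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional


# --- Number matching: the login page shows a number, the app demands it ---

class PushChallenge:
    """One outstanding push prompt. The login screen (where the password was
    just typed) displays `number`; the app refuses to approve without it."""

    def __init__(self, digits: int = 2):
        self.number = f"{secrets.randbelow(10 ** digits):0{digits}d}"
        self.attempts_left = 3  # a few wrong guesses void the prompt
        self.approved = False

    def approve(self, typed: Optional[str]) -> bool:
        """The mobile app submits what the user typed. A victim who merely taps
        Accept on an unsolicited prompt has nothing to type (None) and is denied;
        an attacker who never saw the login screen cannot supply the number."""
        if self.approved or self.attempts_left == 0:
            return False
        self.attempts_left -= 1
        if typed is not None and secrets.compare_digest(typed, self.number):
            self.approved = True
        return self.approved


# --- Detection: many pushes to one user in a short window ---

# Constructed log lines: "<time> push user=<id> result=<timeout|denied|approved>"
SAMPLE_LOG = """\
2023-08-28T09:00:01Z push user=alice result=timeout
2023-08-28T09:00:31Z push user=alice result=timeout
2023-08-28T09:01:02Z push user=alice result=denied
2023-08-28T09:01:20Z push user=alice result=timeout
2023-08-28T09:01:45Z push user=alice result=denied
2023-08-28T09:02:10Z push user=alice result=approved
2023-08-28T09:00:15Z push user=bob result=approved
2023-08-28T10:30:00Z push user=carol result=denied
2023-08-28T11:45:00Z push user=carol result=approved
"""


def parse_log(text: str) -> Dict[str, List[datetime]]:
    """Group push-prompt timestamps by user. Malformed lines are skipped."""
    per_user: Dict[str, List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "push":
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        user = parts[2].split("=", 1)[1]
        per_user[user].append(ts)
    return per_user


def push_bombing_suspects(text: str, window: timedelta = timedelta(minutes=5),
                          threshold: int = 4) -> Dict[str, int]:
    """Users who received at least `threshold` prompts inside any `window`,
    mapped to the largest burst seen. Sliding window over sorted timestamps,
    so a long log is scanned in linear time per user."""
    suspects: Dict[str, int] = {}
    for user, times in parse_log(text).items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):
            while times[i] - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            suspects[user] = best
    return suspects


if __name__ == "__main__":
    prompt = PushChallenge()
    print("blind Accept approved:", prompt.approve(None))
    print("typed matching number approved:", prompt.approve(prompt.number))
    print("push-bombing suspects:", push_bombing_suspects(SAMPLE_LOG))
```

The sequence for alice in the sample log (several timeouts and denials followed by an approval) is the pattern a responder should treat as a probable push-bombing success, not just a noisy user; the detector reports the burst size so the alert can be tiered by volume.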

Exploitation of SS7 protocol vulnerabilities: Cyber threat actors exploit SS7 protocol vulnerabilities in communications infrastructure to obtain MFA codes sent via text message (SMS) or voice to a phone.

SIM Swap: SIM Swap is a form of social engineering in which cyber threat actors convince cellular carriers to transfer control of the user’s phone number to a threat actor-controlled SIM card, which allows the threat actor to gain control over the user’s phone.

Recommended forms of MFA implementation, from strongest to weakest

Phishing-resistant MFA:
  • FIDO
  • Public Key Infrastructure (PKI)-based
App-based authentication:
  • One-time password (OTP)
  • Mobile push notifications with number matching
  • Token-based OTP
App-based authentication:
  • Mobile push notifications without number matching
SMS or Voice
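The ranking above puts FIDO at the top and OTP codes in the middle because of one property: a relayed OTP carries no record of which site it was typed into, while a FIDO/WebAuthn assertion is signed over the origin and relying-party ID that the browser fills in, so an assertion produced on a look-alike site does not verify at the real one. The following added example, written for this post and not taken from the original author or from any FIDO implementation, simulates both the phishing scenario in the "Phishing" paragraph (the 6-digit authenticator code) and the origin-binding check that makes FIDO phishing-resistant. It assumes made-up hostnames (bank.example, evil.example), a fixed challenge value in place of a random one, and uses HMAC as a stand-in for the authenticator's private-key signature; the origin and rpIdHash checks are the same ones the WebAuthn verification procedure prescribes.

```python
"""Relayed TOTP code vs origin-bound FIDO-style assertion.
Added example, not code from the original post. Hostnames, secrets and the
challenge are constructed; HMAC stands in for an asymmetric signature."""
import hashlib
import hmac
import json
import struct
import time


# --- Part 1: RFC 6238 TOTP, the "6-digit code from the authenticator app" ---

def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP code (HMAC-SHA1, RFC 6238 / RFC 4226 dynamic truncation)."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_verify(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, at_time + 30 * d), code)
               for d in range(-window, window + 1))


def phish_otp(secret: bytes, now: int) -> bool:
    """The victim types the current code into evil.example; the attacker forwards
    it to bank.example a few seconds later. The code says nothing about where it
    was typed, so the real site accepts it."""
    code_typed_into_phish_site = totp(secret, now)
    return totp_verify(secret, code_typed_into_phish_site, now + 5)


# --- Part 2: FIDO/WebAuthn-style assertion: the signature covers the origin ---

def _rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def make_assertion(cred_key: bytes, rp_id: str, origin: str, challenge: str) -> dict:
    """What browser + authenticator hand back to the site that started the
    ceremony. The browser fills in `origin` and scopes the credential to `rp_id`;
    the page's JavaScript cannot override either. HMAC stands in for the
    authenticator's private-key signature over authData || SHA-256(clientDataJSON)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    auth_data = _rp_id_hash(rp_id) + b"\x01" + struct.pack(">I", 1)  # flags, counter
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "auth_data": auth_data,
            "signature": hmac.new(cred_key, signed, hashlib.sha256).digest()}


def verify_assertion(cred_key: bytes, assertion: dict, expected_rp_id: str,
                     expected_origin: str, issued_challenge: str) -> bool:
    """Relying-party checks: type, challenge, origin, rpIdHash, then signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != issued_challenge:
        return False
    if cd.get("origin") != expected_origin:
        return False
    if assertion["auth_data"][:32] != _rp_id_hash(expected_rp_id):
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


CHALLENGE = "constructed-fixed-challenge"  # a real RP issues a fresh random value


def phish_fido(cred_key: bytes) -> bool:
    """Relay attempt: evil.example obtains a real challenge from bank.example,
    presents it to the victim and forwards the result. The browser stamped the
    assertion with origin=https://evil.example and rp_id=evil.example, so the
    real site rejects it before even reaching the signature check."""
    relayed = make_assertion(cred_key, "evil.example", "https://evil.example", CHALLENGE)
    return verify_assertion(cred_key, relayed, "bank.example",
                            "https://bank.example", CHALLENGE)


def legit_fido(cred_key: bytes) -> bool:
    """The same credential used on the genuine origin verifies."""
    a = make_assertion(cred_key, "bank.example", "https://bank.example", CHALLENGE)
    return verify_assertion(cred_key, a, "bank.example", "https://bank.example", CHALLENGE)


if __name__ == "__main__":
    key = b"constructed-demo-secret"
    print("relayed OTP accepted by real site:", phish_otp(key, int(time.time())))
    print("relayed FIDO assertion accepted:", phish_fido(key))
    print("FIDO assertion on real origin accepted:", legit_fido(key))
```

The TOTP half reproduces the RFC 6238 reference vector (secret "12345678901234567890" at time 59 gives 287082), so the generator is the real algorithm, not a toy; the point of the comparison is that nothing in that code ties it to a site, whereas the FIDO half fails on the origin and rpIdHash comparisons whenever the ceremony ran on a different host.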
