Ask any security pro what’s the most effective protection against hackers and scammers, and they all point to one tool: multifactor authentication (MFA). It seems every sign-on today requires validating one’s account (note: not their identity) by text, app, email, or some other channel. The National Institute of Standards and Technology (NIST) considers MFA one of the basics of security.
Multifactor authentication is still one of the best cyber defenses, stopping most attacks. But lately, bad actors have focused on hacking MFA, making its methods susceptible to interception.
Gartner had warned that, with MFA in use everywhere, focusing on layered authentication factors would make it less effective and add friction to users’ experience.
“Push fatigue” from frequent authentication notifications could open the door to attacks similar to email phishing. Bad guys could get in the middle and request a user’s MFA code or send fake push requests (those queries asking, “Are you signing into another device now?”), and users, overwhelmed with constant notifications, could easily respond automatically, giving hackers access.
This combination of social engineering and push fatigue was at the heart of some recent breaches. Uber was hacked in September despite using two-factor authentication. The hacker gained access by getting a user’s credentials and then sending repeated authentication requests until the user approved one. Then the hacker was able to move around the network, using Uber’s Slack channel to announce his breach.
Why MFA Is Broken
The Uber breach shows how criminals can get around MFA and why the methodology needs to evolve. A one-time code floating around email, text, or even on an authenticator app can be coerced or intercepted, which is the root of the problem. With MFA used by almost every website and app, the volume of authentication messages gives hackers cover.
There are four basic kinds of MFA:
- One-time password (OTP), a PIN sent via SMS or email
- OTP apps
- Push-based apps
The most used SMS codes for consumer and workforce authentication are quite phishable. Authenticator apps are a step in the right direction, but they are also phishable by hackers.
Push notifications and biometric identification raise the bar somewhat, but as the Uber breach showed, push notifications are not foolproof.
Some of these methods are what we call HBA, or Hope-Based Authentication, which require validating factors that anybody could enter into a computer — you just hope that it is the right person. With MFA, networks have some levels of assurance but don’t know who is behind that authorization.
There’s a very simple litmus test: Can you give somebody else your authentication factor to use without you? If the answer’s yes, you need a trusted identity. It is that simple.
Identity-based authentication, where you can look somebody in the face, so to speak, and know the user authenticating is the user meant to be there, can help fix this broken MFA environment.
With identity-based authentication, a user is verified securely with factors that are hard to fake, such as a government picture ID, biometric markers, or some other non-hackable element, creating a digital identity to present every time authentication is required.
Several standards are in place to govern this identity proofing, such as the federal government’s NIST Publication 800-63, which gives guidelines for identity-proofing employees and users enrolling in an identity access management (IAM) service and gives administrators options for matching the user’s risk profile and access requirements.
Now that the bad guys have started getting their hands on authentication factors, it’s time to step up the practice and apply identity verification to many assets CISOs may not have considered.
Organizations such as the Kantara Initiative and the FIDO Alliance have stepped up to assess the compliance of identity systems and credentials providers against the NIST standards, Kantara by certifying the levels of assurance for an identity, and FIDO by offering a framework to use public key cryptography and a biometric factor.
The presence of these certifying bodies can move CISOs to act and push identity authentication forward.
How To Fix MFA
In a NIST 800-63 process, two strong forms of identification are linked to a real-world identity. The identity stays with and can only be leveraged by the user, independent of what system the user tries to access.
A private key works behind the scenes to control access, connected to a biometric marker encrypted for security. Biometric authentication is one key way to link an identity to a user with an authenticator. You can’t give your face to someone else, and there are many ways to prevent bad actors from using a picture to trick facial recognition tools.
Once that identity proofing is done, a couple of strong authenticating factors are linked to it, such as a driver’s license validated by the issuing department of motor vehicles or a passport. This process happens in seconds, thanks to machine learning algorithms that match a person’s face to the one on the license.
In a couple of minutes, you can have a strong identity that only you control and can be transmitted to admins, whether it is to open a bank account or onboard a new hire. Compare that to HR typing in dozens of fields or trusting that the documents belong to the right person, and it’s a whole new ballgame.
Hackers take advantage of friction, of the constant password reset requests and verifications. One way to close that attack vector would be to eliminate passwords altogether, mixing MFA and identity-based authentication. Passwordless authentication is being talked about by nearly every company in the identity space because it removes the knowledge factor that can be stolen.
Passkey Balances Usability and Security
One of the challenges with FIDO guidelines was using devices such as mobile phones as authenticators, with users keeping a key there or on a computer. If that device was lost, there was no reliable way to back up that key. The industry has an answer now, the FIDO passkey, which is making passwordless authentication much more usable in the consumer world.
Tools like passkey strike a balance between usability and security. Passkey can back up a private key into secure cloud storage — for example, Apple Keychain — so if the phone or computer is lost, it’s a matter of going through a restoration process, in this case, through Apple Wallet, which is well-secured. Another feature, device public key, lets only one device authenticate identity, not others.
FIDO standards are also being incorporated into continuous authentication, an identity management trend that Gartner has focused on lately. It’s the ability to continuously know that person is still at the other end of the digital connection.
However, if you ask the user every five seconds: “Are you there? Scan your face,” they’ll probably throw their phone out the door and go work elsewhere. It is a balance of security and usability. Still, it is getting easier to engage with the users, thanks to technology that can authenticate as fast as going by a computer or phone camera.
The thousand-mile journey starts with the first step. One recommendation for companies interested in this level of security is to pick two of the most used systems — your SSO systems such as Okta, Ping, Foregrock, or Azure AD, and your operating system (Windows/MAC) and get rid of the passwords there.
You’ll learn a lot from those efforts, and the lessons learned from that part of the deployment will help them figure out the other eight or nine areas to focus on next and how to tackle them. Moreover, by tackling these two target systems, you can get rid of over 50% of your passwords and have significant cost savings along the way via reduced helpdesk calls and user productivity increases.