Multi-factor authentication (MFA) continues to embody both the best and worst of business IT security practice. As Roger Grimes wrote in this article about two-factor hacks three years ago, when MFA is done well it can be effective, but when IT managers take shortcuts it can be a disaster. And while more businesses are using more MFA methods to protect user logins, it is still far from universal. Indeed, according to a survey conducted by Microsoft last year, 99.9% of compromised accounts did not use MFA at all, and only 11% of enterprise accounts are protected by some MFA method.
The pandemic was both good and bad for MFA uptake. By uprooting so many business users’ normal computing patterns, lockdowns and remote work provided an opportunity for increased MFA deployments—even as it provided new phishing lures for hackers.
According to surveys done by Garrett Bekker, a senior research analyst for S&P Global Market Intelligence’s 451 Research, there was a jump in those enterprises deploying MFA—from about half in last year’s survey to 61% in this year’s survey—“mainly because so many more people were working remotely. Still, most enterprises only have limited MFA usage,” he says. “But it has become their first priority going forward, even more so than VPNs.”
In the latest Verizon Data Breach Investigations Report, Bernard Wilson, network intrusion response manager for the US Secret Service, said, “Organizations that neglected to implement MFA, along with virtual private networks, represented a significant percentage of victims targeted during the pandemic.”
Besides COVID, there have been other recent pushes to use MFA:
- Last month, Google made MFA the default protection for all its user accounts. Matt Tait (former UK GCHQ analyst, now at Corellium) called the move “one of the most important cybersecurity improvements this decade.”
- In June 2020, Apple announced that Safari 14, which was released in September and ships with iOS 14 and macOS Big Sur, would support FIDO2 protocols, joining Android and most other major browsers. FIDO continues to get better, even though implementations will require some careful study to deploy across browsers, various OS versions and smartphone apps.
- And then there was the urging for MFA deployment in President Biden’s recent Executive Order on Improving the Nation’s Cybersecurity: “Within 180 days of the date of this order, [executive] agencies shall adopt MFA and encryption for data at rest and in transit.” That deadline falls in mid-August 2021. (There was, of course, a lot more included in this EO, as detailed in this article.)
However, recent attacks and incidents show that security professionals have more work to do in securing two-factor and multi-factor authentication implementations.
Here are some of the ways threat actors exploit weaknesses in MFA.
5 ways to hack 2FA
- SMS-based man-in-the-middle attacks
- Supply chain attacks
- Compromised MFA authentication workflow bypass
- Pass-the-cookie attacks
- Server-side forgeries
SMS-based man-in-the-middle attacks. The biggest problem with MFA has to do with its most common implementation: using SMS one-time passcodes.
The weakness lies in the ease with which hackers can hijack a user’s phone number and temporarily reassign it to a phone under their control, so that the one-time passcodes arrive on the attacker’s device. One way to exploit this was illustrated with this tweet combining a one-time RSA SecurID hardware fob with a public web cam. While that may be an extreme case, SMS compromises continue to tarnish the overall utility of MFA logins.
There are several ways to accomplish this attack. One is to bribe or convince a cellular customer service agent to reassign a phone. Another method was brought front and center by Vice’s own reporter, who used a commercial service to gain access to his cellular account. By paying the service $16, he was able to reroute all of his SMS messages, illustrating how easy it would be to compromise his accounts.
Supply chain attacks. The most infamous software supply chain attack in recent memory was the SolarWinds attack, where various code components were infected, and the target companies downloaded these pieces without knowing they had been compromised. There are a variety of ways to prevent these attacks, including source code scanning at runtime.
And as Gartner’s Kasey Panetta wrote in a January 2021 blog post, “Keep in mind that the SolarWinds attack was discovered by an alert security operator wondering why an employee wanted a second phone registered for multifactor authentication. This would imply that the attacker was aiming to leverage identity, and specifically MFA as an attack vector.”
These attacks continue to be an issue, with one discovered in April by Codecov in its Bash Uploader tool. Lax Docker image security let the attacker alter the tool’s authentication credentials; the modified tool collected the environment variables inserted into the code, and one way to detect the compromise was to track the destination IP addresses of the attacker’s command-and-control servers.
Compromised MFA authentication workflow bypass. Another MFA loophole is this example of a denial-of-service vulnerability in the MFA module of Liferay DXP v7.3. The recently found bug allowed any registered, authenticated user to modify other users’ one-time passwords, locking the targeted users out. It has since been fixed.
Pass-the-cookie attacks. This attack method targets browser cookies on sites that store authentication details in the cookie. Originally, this was done for user convenience, so users can remain signed into their applications without repeating the login and MFA steps. If a hacker can extract that cookie, they can replay it and take over your account without ever facing the MFA challenge.
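As an added example (not code from the original article), here is one way a server can limit what a stolen session cookie is worth: the cookie is issued with Secure, HttpOnly and SameSite attributes, the server-side session is bound to a fingerprint of the client that completed MFA, and sensitive actions demand a fresh MFA step. The fingerprint attributes, lifetimes and in-memory store are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import secrets

SESSION_TTL = 8 * 3600     # assumption: absolute session lifetime in seconds
MFA_FRESHNESS = 15 * 60    # assumption: re-prompt for MFA on sensitive actions after this


def client_fingerprint(user_agent: str, client_ip: str) -> str:
    """Hash of the request attributes the cookie is bound to (a hypothetical choice;
    IP binding breaks roaming mobile users, and User-Agent alone is trivially copied)."""
    return hashlib.sha256(f"{user_agent}|{client_ip}".encode()).hexdigest()


class SessionStore:
    """Server-side session table keyed by an unguessable random token."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def issue(self, user: str, user_agent: str, client_ip: str, now: float) -> str:
        """Called only after password and MFA both succeeded; records who, where and when."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "fp": client_fingerprint(user_agent, client_ip),
                                 "issued": now, "mfa_at": now}
        return token

    @staticmethod
    def cookie_header(token: str) -> str:
        """Attributes keeping the cookie off plain HTTP, out of script reach and off cross-site requests."""
        return f"Set-Cookie: session={token}; Secure; HttpOnly; SameSite=Strict; Max-Age={SESSION_TTL}"

    def validate(self, token, user_agent, client_ip, now, sensitive=False):
        """Returns (user, 'ok') or (None, reason). A cookie replayed from another client revokes the session."""
        s = self._sessions.get(token)
        if s is None:
            return None, "unknown-session"
        if now - s["issued"] > SESSION_TTL:
            del self._sessions[token]
            return None, "expired"
        if not hmac.compare_digest(s["fp"], client_fingerprint(user_agent, client_ip)):
            del self._sessions[token]   # presented from a different client: treat as stolen
            return None, "client-mismatch"
        if sensitive and now - s["mfa_at"] > MFA_FRESHNESS:
            return None, "mfa-required"  # caller runs a step-up challenge, then refresh_mfa()
        return s["user"], "ok"

    def refresh_mfa(self, token: str, now: float) -> None:
        """Record a completed step-up MFA challenge for an existing session."""
        if token in self._sessions:
            self._sessions[token]["mfa_at"] = now
```

A replayed cookie is revoked rather than merely rejected, so the legitimate user is forced back through MFA and the theft becomes visible in the audit trail.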
Server-side forgeries. Perhaps the biggest exploit in recent history, although not exclusively an MFA issue, was the Exchange campaign Microsoft attributes to the group it calls Hafnium, which chained a server-side request forgery with an arbitrary file write bug to bypass authentication entirely on Microsoft Exchange servers. The attack involves four zero-day flaws in Exchange (here are some of the details). Microsoft has issued a series of patches.
Getting two-factor authentication right
These are just a few of the more notable exploits. The implications are that MFA needs some care to get it done properly and securely. “Bad MFA is like cheap sunglasses,” says 451’s Bekker, by which he means that bad MFA doesn’t offer much in the way of cyber protection. “Still, the biggest problem why it isn’t used more often by enterprises is its poor user experience.”
He points out another issue, in that “MFA is still a binary choice, like a bouncer in a nightclub: Once you are inside a corporate network, you can do what you want, and no one really knows what you are doing. To be effective, MFA has to be coupled with zero trust and continuous authentication technologies.” Numerous vendors now couple MFA and adaptive authentication products, but their implementation is far from simple.
The account recovery option is worth further discussion. Many businesses have solid MFA protection for normal account logins, but if a user forgets their password, the recovery process begins by sending an SMS passcode, with all the weaknesses described above. This is how hackers can enter your network.
Gerhard Giese from Akamai points this out in a blog post from last year, when he talks about how MFA doesn’t always prevent credential stuffing. He says IT managers need to “re-examine your authentication workflows and login screens to make sure an attacker cannot uncover valid credentials by interrogating the web server’s response, and implement a bot management solution to make sure you are not making things easier for the bad guys.”
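Giese’s point about not letting attackers learn valid credentials from the server’s response is easiest to see side by side. The following is an added example, not Akamai’s or the article’s code: a leaky login handler whose status and message confirm which usernames exist, next to a hardened one that answers identically (and does the same hashing work) for unknown users and wrong passwords, with a simple per-source throttle standing in for a bot-management layer. The user table, salt, iteration count and throttle key are constructed assumptions.

```python
import hashlib
import hmac

# Constructed credential table for the example: username -> (salt, derived key).
# PBKDF2 stands in for whatever slow password hash the deployment actually uses.
ITERATIONS = 50_000


def _derive(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


_SALT = b"constructed-example-salt"
USERS = {"alice": (_SALT, _derive(_SALT, "correct horse battery staple"))}
# Dummy record so a request for a non-existent user costs the same work as a real one.
_DUMMY = (_SALT, _derive(_SALT, "unused-dummy-password"))

# Per-source failure counter (assumption: keyed by client IP; a real deployment
# would also expire entries and feed the events to its bot-management tooling).
FAILED_ATTEMPTS: dict = {}
MAX_FAILURES = 5


def login_leaky(username: str, password: str) -> tuple:
    """Weak form: the response reveals whether the username exists, so a credential-
    stuffing bot can confirm usernames before it even starts guessing passwords."""
    if username not in USERS:
        return 404, "unknown user"
    salt, key = USERS[username]
    if not hmac.compare_digest(key, _derive(salt, password)):
        return 401, "wrong password"
    return 200, "ok"


def login_uniform(username: str, password: str, client_ip: str) -> tuple:
    """Hardened form: identical status, body and work for unknown users and wrong
    passwords, plus throttling once a source keeps failing."""
    if FAILED_ATTEMPTS.get(client_ip, 0) >= MAX_FAILURES:
        return 429, "too many attempts"
    salt, key = USERS.get(username, _DUMMY)
    # Always derive the key so response timing does not differ by user existence.
    match = hmac.compare_digest(key, _derive(salt, password))
    if not (match and username in USERS):
        FAILED_ATTEMPTS[client_ip] = FAILED_ATTEMPTS.get(client_ip, 0) + 1
        return 401, "invalid username or password"
    FAILED_ATTEMPTS.pop(client_ip, None)
    return 200, "ok"
```

The same uniform-response rule applies to the password-reset and account-recovery screens, which are often the forgotten oracle.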
At the beginning of this year, US-CERT issued a warning about potential MFA weaknesses, including phishing and brute-force login attempts. It recommended a variety of techniques, including enforcing MFA across all authentication activities, account recovery included, and tighter security around privileged access.
MFA technology should be a part of corporate security’s critical infrastructure. Recent attacks, as well as urging from experts across government and the private sector, should provide further impetus for intelligent implementations.
Copyright © 2021 IDG Communications, Inc.