Why relying on multi-factor authentication is a dangerous tactic
- Published: Tuesday, 24 May 2022 09:10
Multi-factor authentication (MFA) is now a common aspect of access control systems, strengthening password-only approaches. However MFA has proven to be vulnerable to attackers and over reliance on it can put an organization at risk. Julia O’Toole explains…
The Cybersecurity and Infrastructure Security Agency (CISA) and FBI Cyber Division recently released a joint Cybersecurity Advisory (CSA) warning organizations that Russian state-sponsored cyber actors have gained network access through the exploitation of default multi-factor authentication (MFA) protocols.
Since the Russia-Ukraine war started, we have seen hacking groups like Conti, Anonymous or the IT army of Ukraine pledging support for either side. Insurance carriers were quick to reclassify such cyber attacks as acts of war, triggering changes in insurance exemptions to reflect the rising risks of ‘spillover damages’ outside the conflict zone. As ransomware now comprises 75 percent of cyber insurance claims, more gangs announced that they are acting independently of the Russian Federation or Ukraine, in the hope insurance companies will keep funding the ransoms.
Alongside this, new entrants such as the Lapsus$ group are using low-tech methods to get employees credentials and advertising their access to victims through Telegram, companies face increased risks, impact, and frequency of cyberattacks. The situation is pushing more companies to change their cyber resilience strategy. Rather than spending hundreds of thousands on insurance policies that may not pay out in case of ransomware or business interruption, companies find themselves better off investing improving their cyber defences / defenses to prevent attacks in the first place.
MFA doesn’t stop password phishing or fraud
Many organizations have used MFA to prevent hackers from accessing their network. But relying solely on MFA is not enough. MFA means multi-factor authentication, which means involving a second, third, or even fourth factor of authentication.
After users enter their first factor which usually is a password, they receive a token sent to one of their devices, which they then have to click to accept, or copy and paste to validate the authentication. But this only works when you can rely on the first factor.
The problem is that first factor is actually compromised from inception. In the physical world, when employees start a job, the company hands over the keys, cards, and fobs to access their building, lifts, and rooms. When they leave, the company takes them back. But in the digital world, companies apply the reverse. Employees are asked to make their own keys (passwords) to access the company network and infrastructure.
In doing so, companies effectively hand over their access control to their employees and expose themselves to human liabilities such as passwords phishing, loss, theft, reuse, unauthorised sharing, and fraud. After losing access control in the first place, companies should consider all their passwords compromised by default, which means MFA can no longer guarantee legitimate access. What MFA provides here is a false sense of security.
In the absence of access control, examples of MFA exploits are abundant. As early as May 2021, Russian state-sponsored cyber actors gained access to a non-governmental organisation via exploiting default MFA protocols to control their network.
As well as this, the hacking group Lapsus$ were able to breach Okta, by simply sending repeated MFA approval requests to the phone of employees at a third-party support provider in the early hours of the morning, until they begrudgingly approved the request in a bid to return to sleep.
MFA doesn’t stop ransomware
Not only is relying on MFA without access control dangerous, it is even riskier when combined with user single access solutions like SSO, IAM, or PAM. The recent breaches by Lapsus$ have exposed the problematic approach of centralising all data behind a single door.
In a single breach in mid-February, Lapsus$ stole 1 terabyte of data from Nvidia, including the usernames and passwords of more than 71,000 Nvidia employees. More recently, the Okta breach impacted client organizations relying on Okta to authenticate access after Lapsus$ found an Excel document titled DomAdmins-LastPass.xlsx in Sitel's environment.
The possibility of losing it all in such scenarios is a nightmare for any organization, exposes the limitations of centralised access, and makes the idea of unique user control redundant once a system is compromised.
Stop confusing identification and authentication
To genuinely build cyber resilience, companies need to come back to lessons learned in the physical world and stop confusing identity and access. The distinction is clear in the physical world. You show your ID to someone when you cross a border, withdraw a large sum from a bank, or sit an exam to prove your identity - this is called identification. But when you go home or to the office, the door doesn’t recognise you and open for you; if you have the key, you have access - this is called authentication.
Just as no one needs to hammer a key when they want to open a door, there is no need to remember and type passwords. People just need to have the right key and use it. Just as no one uses a single key that can open their house, their car, their office, every system should have a different password that they don’t need to know or remember. To effectively take back control of their own access, companies just need to apply those principles.
In practice, segmenting all systems access and distributing encrypted passwords to their employees would remove the potential for human fault entirely from the equation, as no one creates, sees, or types a password. Fixing the cause of the problem of access management would not only help companies regain command and control of their access and data, it would also save countless hours training employees on passwords policies that don’t work.
While investing in multi-factor authentication makes sense when companies control and segment their access, alone it certainly can’t protect a network. To protect their business, companies should urgently focus on integrating the entire process of password creation, distribution, use and expiry into their management process, the way they do in the physical world, without changing infrastructure. This would mechanically boost their cyber-defence and prevent hefty ransom payments.
Julia O’Toole, CEO of MyCena Security Solutions.