Multi-factor authentication has a problem: if just one of the factors used is insecure, the whole MFA scheme is. Above all, traditional password-based MFA solutions no longer guarantee security. On the contrary, companies lull themselves into a false sense of security and become even more vulnerable to attacks.
Criminal account takeovers have been a threat for some time: cybercriminals typically use the access they gain to steal or encrypt data and plant malware on corporate computers. Account takeover attacks also target the customers of the affected companies. In many cases, attackers also go after the personal information stored in those customer accounts, which they collect and later use for spear phishing and other social engineering attacks.
Without an MFA process and using only passwords, hackers have a much easier time penetrating a network and thereby gaining access to sensitive information. Using brute force attacks and credential stuffing, a method that involves trying previously leaked credentials en masse, attackers can easily gain access undetected by security teams.
Companies want to mitigate this risk with MFA, which presents multiple hurdles for hackers. In some sensitive industries, MFA is already mandated by regulations; for example, under the Payment Card Industry Data Security Standard (PCI DSS), the use of MFA is mandatory for employees with access to cardholder data.
The Weaknesses of Traditional MFA
Common forms of MFA rely on password authentication supplemented by one or more other factors such as magic links, one-time passwords (OTPs) and push notifications. However, what initially sounds promising offers little more security than a simple password login. The following problems should be noted:
Interception of the One-Time Password (OTP)
One of the most common forms of MFA is the use of so-called one-time passwords, or OTPs. A code is sent to the user by SMS or email, and the user types it into the login portal to authenticate. In theory, this provides additional protection, as an attacker would need access to the user’s phone or email account to obtain the OTP. In practice, however, this is less difficult than imagined.
For example, many cybercriminals resort to SIM swapping, a fraud method in which they pose as a legitimate user to the mobile operator and persuade the operator to switch the service to a new SIM card. From then on, all OTPs are sent to the attacker’s phone, allowing them to bypass the MFA for all of the victim’s accounts.
Email-based MFA is similarly insecure because it relies on the user’s email account being secure. However, if the same password is used for it as for the account targeted by the attacker, a cybercriminal can easily access both accounts – and thus bypass the MFA.
Professional Phishing Attacks
Phishing is now one of the biggest cyber threats to businesses and a huge problem for traditional MFA solutions. That’s because whether it’s OTPs, push notifications, or magic links, all of these security factors can be intercepted by cybercriminals.
For example, phishing emails trick users into clicking on links, or fake login pages that look like the originals trick recipients into sharing the code they just received or confirming a push notification. Increasingly, however, attackers are using more sophisticated techniques such as browser-in-the-browser (BitB) attacks to present users with virtually undetectable phishing pages.
Password Recovery Vulnerabilities
Password reset functions are intended to allow a user to regain access to their account if they have lost or forgotten their password. This is achieved by bypassing the normal authentication process and using other means to verify the user’s identity. But if attackers manage to take over email accounts – as just described – or change SIM cards, they are also able to bypass these identity checks.
The answers to “secret” questions used in password resets are often publicly available via social media or other sources. Password recovery processes therefore often undermine MFA: the second identifier (email, phone, etc.) becomes the only one an attacker needs to access a user’s account.
Implementing Secure, Passwordless MFA
The discussion has shown that traditional MFA solutions do not provide the protection they claim to because they use forgeable, insecure factors for authentication. If MFA is to provide true security, it must rely on authentication factors that cybercriminals cannot easily compromise. These include biometric authentication such as fingerprint scanning or facial recognition, as well as device-level security checks.
One of the main arguments for MFA with password and OTP is that it is easy to implement. However, the FIDO standards also define methods for implementing strong MFA just as easily. Organizations can thus require a combination of biometric authentication and device-specific private keys for their MFA, rather than simply a password plus an MFA code.
A modern passwordless MFA that uses biometrics and device-specific private keys according to the FIDO standard provides stronger and more usable authentication than traditional MFA solutions – and it minimizes the attack surface of companies in the long term.
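The following toy model illustrates why a device-bound private key resists the phishing and replay attacks described above while an OTP does not. It is an added example, not code from the article or from any FIDO implementation: the relying party ID, user name, challenge format and look-alike domain are constructed, and the signing uses textbook RSA over two hardcoded Mersenne primes solely so that the script runs with the Python standard library. Real FIDO/WebAuthn authenticators generate a fresh key pair per credential and use proper signature schemes; the protocol shape (server challenge, origin bound into the signed data, credential scoped to the relying party, single-use challenge) is what the example is meant to show.

```python
"""Toy FIDO-style challenge-response login (added example, not production code)."""
import hashlib
import json
import secrets

# Constructed toy RSA key: two Mersenne primes, textbook RSA, no padding.
# Enough to show the protocol shape; NOT cryptographically sound.
_P = 2**61 - 1
_Q = 2**89 - 1
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))


def _digest(data: bytes) -> int:
    """Hash the signed data to an integer below the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % _N


class Authenticator:
    """Stand-in for a security key / TPM / secure enclave.

    The private key never leaves the device; the server only ever sees the
    public key and signatures. Each credential is scoped to the relying-party
    ID it was created for, so the device will not answer a look-alike domain
    with a credential made for the real site.
    """

    def __init__(self):
        self._private_exponent = _D       # same constructed key for every toy device
        self.public_key = (_N, _E)
        self._credentials = {}            # rp_id -> credential id

    def make_credential(self, rp_id: str):
        cred_id = secrets.token_hex(8)
        self._credentials[rp_id] = cred_id
        return cred_id, self.public_key

    def get_assertion(self, rp_id: str, challenge: str) -> dict:
        # rp_id is the browser's view of the page origin, not a value the page
        # supplies, so a phishing page cannot simply claim to be the real RP.
        cred_id = self._credentials.get(rp_id)
        if cred_id is None:
            raise LookupError(f"no credential registered for {rp_id!r}")
        client_data = json.dumps(
            {"rp_id": rp_id, "challenge": challenge}, sort_keys=True
        ).encode()
        signature = pow(_digest(client_data), self._private_exponent, _N)
        return {"credential_id": cred_id, "client_data": client_data, "signature": signature}


class RelyingParty:
    """The server side: stores public keys, issues and consumes challenges."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.users = {}                   # username -> (credential id, public key)
        self.pending = {}                 # username -> outstanding challenge

    def register(self, username: str, cred_id: str, public_key):
        self.users[username] = (cred_id, public_key)

    def begin_login(self, username: str) -> str:
        challenge = secrets.token_hex(16)
        self.pending[username] = challenge
        return challenge

    def finish_login(self, username: str, assertion: dict) -> bool:
        challenge = self.pending.pop(username, None)   # single use: replay fails
        if challenge is None:
            return False
        cred_id, (n, e) = self.users[username]
        data = json.loads(assertion["client_data"])
        # Origin binding: the signed data must name THIS relying party.
        if data.get("rp_id") != self.rp_id or data.get("challenge") != challenge:
            return False
        if assertion["credential_id"] != cred_id:
            return False
        return pow(assertion["signature"], e, n) == _digest(assertion["client_data"])


def _enrolled_pair():
    rp = RelyingParty("example.com")
    device = Authenticator()
    cred_id, pub = device.make_credential(rp.rp_id)
    rp.register("alice", cred_id, pub)
    return rp, device


def legitimate_login() -> bool:
    rp, device = _enrolled_pair()
    challenge = rp.begin_login("alice")
    return rp.finish_login("alice", device.get_assertion(rp.rp_id, challenge))


def phished_login() -> str:
    """A proxy at a look-alike domain forwards the real server's challenge."""
    rp, device = _enrolled_pair()
    challenge = rp.begin_login("alice")               # attacker relays this
    try:                                              # browser reports the phishing origin
        assertion = device.get_assertion("examp1e.com", challenge)
    except LookupError:
        return "refused: credential is scoped to example.com"
    return "accepted" if rp.finish_login("alice", assertion) else "rejected by server"


def replayed_login() -> bool:
    rp, device = _enrolled_pair()
    challenge = rp.begin_login("alice")
    assertion = device.get_assertion(rp.rp_id, challenge)
    rp.finish_login("alice", assertion)               # first use succeeds
    return rp.finish_login("alice", assertion)        # replay: challenge already consumed


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("phished:   ", phished_login())
    print("replayed:  ", replayed_login())
```

The contrast with the OTP flows criticised above is in `finish_login`: an OTP server only compares six digits, so it has no way to tell that the code arrived through a relay page, whereas here the origin is part of what the device signs and the challenge is consumed on first use, so neither a look-alike domain nor a captured assertion gets the attacker in.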