For the average corporate employee, optimal cybersecurity is adding another digit to the end of their recycled password. But with ever-evolving cybercrime tactics, even the strongest passwords have limitations. To stay secure, companies must, at a minimum, implement a robust multifactor authentication (MFA) system.
MFA is a form of access control that requires multiple forms of proof to grant an authorized user access to a system. Typically, MFA consists of a password, plus something else. The “something else” usually falls into one or more of these four categories: knowledge, possession, inherence, and location.
The Four Factors
You are probably most familiar with knowledge, which typically takes the form of challenge questions. You enter your username and password and then answer a question. Something like, what was the name of your first pet? Or, which one of these addresses is not somewhere you have lived?
Possession relies on something you have—often your smartphone. For example, you log in with your credentials and then authorize the login by tapping a push notification on your phone. Possession may also involve a physical key (typically a FIDO2 U2F USB key) that you connect to a device to authorize a login.
Inherence is another factor that relies on something that is inherently yours, such as your face or fingerprint, also referred to as "something you know."
Finally, with location, authorized access hinges on where you are. For example, you are logged in at your office located in Boise, but a login attempt is coming from Moscow. Since you cannot be in two places at once, the Russian login attempt triggers an impossible travel alert and is blocked.
Increasingly, companies are relying on possession for MFA. Users must log in using a username and password. Then they pull a one-time passcode (OTP) from an authenticator app, such as Microsoft Authenticator or Google Authenticator, to complete the login.
There are other solutions for this configuration, each with its own security limitations. For example, instead of an authenticator app, users can elect to receive an OTP via a phone call, a push notification, or SMS (more on this later).
The Case for Widespread MFA
Most companies require MFA to access their networks. For several reasons, you should enable MFA on your personal accounts as well.
The first reason is the growing obsolescence of passwords. Most passwords are easily guessed or already have been leaked. Consider HaveIBeenPwned’s Pwned Passwords search engine. This legitimate search engine has compiled hundreds of millions of passwords that were exposed in data breaches. Skilled cybercriminals use these password lists, often culled from the dark web, for brute-force attacks. You can think of brute-force attacks as massive guess-and-check operations. If your favorite password did not make HaveIBeenPwned’s list, it is only a matter of time before it does.
Related: Your Pa$$word Doesn't Matter
The second reason is social media. If you are a Facebook user, you have probably seen viral re-shares of posts asking people to post a photo of their first car or share their “stripper name” (a combination of your middle name and street). These bits of information are often what a cybercriminal needs to pass knowledge-based MFA.
Finally, remote work is another reason to enable across-the-board MFA. In many cases, a personal device may also be a work device, stemming from the rise of bring your own device (BYOD) work environments. A skilled cybercriminal can move laterally on any of these devices, compromising work and personal information. Properly configured MFA may help thwart lateral movement.
How Cybercriminals Bypass MFA
No security system is impregnable, and cybercriminals are producing ingenious ways to circumvent MFA. Phishing attacks are one method. Cybercriminals will use seemingly legitimate emails to con users into granting access to one of their authentication factors.
SIM card swapping, also known as a SIM jacking attack, is another tactic. With this method, a cybercriminal will port your phone number to a new mobile phone. Once they have obtained your account password, the text message with your OTP gets pushed to their phone. This happened to Twitter CEO Jack Dorsey in 2019.
Some cybercriminals are also great actors. With enough identifying information, they can convince a service provider, such as a bank, that they are you, lulling them into bypassing MFA. After they have breached your account, they will change your credentials, locking you out. Read about how we used this tactic in a recent social engineering exercise here.
Finally, there are man-in-the-middle (MITM) attacks like transparent reverse proxies (TRPs). In a TRP MITM, a cybercriminal puts a phishing toolkit between a victim and a target webserver. These toolkits often look like the real site you are attempting to reach, but they are actually gateways that allow requests to pass through to the legitimate site. Here is how it works:
A victim lands on one of these toolkit sites, and it looks like the real thing. They input their credentials, which are simultaneously piped to the cybercriminal and to the legitimate site. The real site sends a one-time passcode (OTP) to the victim, who feeds it into the fake site for the malicious actor to authenticate with. Common transparent reverse proxies include Modlishka, Nercrobrowser and Evilginx2.
The best way to avoid TRP MITM attacks is to employ the earlier mentioned FIDO2 U2F USB keys. Yubico keys are popular and relatively cost-effective compared with past solutions. Beyond minimizing opportunities for cybercriminals, FIDO2 keys are fairly durable and require no internet connectivity to work.
How to Better Protect Yourself Beyond Two Factors
To get the most out of MFA, it is best to leverage three factors of authentication, not just two factors of authentication (2FA). Robust MFA requires at least three of the four of the factors: knowledge, possession, inherence, and location. Redundancy is a critical component of security, and as special forces like to say, two is one and one is none.
Related: Mitigation Steps for Businesses
Many organizations today are starting to roll out location as an authentication factor utilizing enterprise solutions like Okta and Azure Active Directory. Features like Impossible Travel Detection and Velocity Behavior Detection can help detect attempted simultaneous logins from far-away locations and attempts deemed block anomalous. Location as a third factor is another great solution to helping prevent successful TRP MITM attacks.
Rolling Out an MFA Solution
Your IT team should ensure that MFA is deployed across all essential systems. Examples include payroll and HR, which are both rich in valuable information for cybercriminals. Email and other communications systems should also be covered, as well as anything banking- or wire-related. Ideally, leveraging a centralized authentication solution with Azure AD, Okta, or a similar solution is best so that role-based access control and security logging is handled in one place.
Finally, in the post-pandemic world of bring-your-own-device (BYOD) culture, MFA should be enabled on any personal devices that access work applications or accounts. In fact, if your people are accessing anything more than email on their personal devices, you may want to simply port them through a VPN tunnel.
Regardless of which solution you choose, MFA is the new access control standard. For now. In the cybercrime arms race, this solution may soon become obsolete too. Remember, there is no silver bullet for cybersecurity. It is an ongoing process, and no single solution is a replacement for a defense-at-depth approach.