More and more companies are requiring multi-factor authentication internally, yet data breaches are on the rise. Is MFA still the best way to protect our online accounts?
By Neil J. Rubenking
We at PCMag frequently exhort our readers to enable multi-factor authentication (MFA) whenever it’s available. Without MFA, any schmo who steals, hacks, or guesses your password can access the related account. When MFA is engaged, the password isn’t enough—getting into the account also requires another factor, like a fingerprint, or a security key.
For your personal accounts, MFA is usually optional, but businesses can require it for access to their internal systems. More companies than ever support MFA, yet 2022 was a terrible year for data breaches. Did MFA fail us?
A presentation at the RSA Conference in San Francisco explored this topic in detail, using prominent examples of data breaches involving MFA. The presenter, Dave Taku, is the Senior Director for Product Management and User Interface at RSA Security, a company whose business includes providing MFA to businesses. (Note that RSA Security is not directly connected with the RSA Conference.)
Taku led by noting that according to one survey, 78% of organizations were using MFA in 2022, up from 28% in 2017. So why are successful attacks on the rise? He presented a quote from author and philosopher Aldous Huxley for the audience’s consideration: “There is a law of Reversed Effort. The harder we try with the conscious will to do something, the less we shall succeed.”
“Is that what we’re facing? The harder we try with MFA, the less successful we’re becoming at it?” said Taku. “I would argue that in this particular case, maybe that law doesn’t apply. It’s not because MFA is becoming less effective, it’s because the attack surface is increasing.”
Taku discussed three specific attacks involving three different vectors: MFA configuration, the MFA provider, and the MFA user. None attacked the authentication technology directly; rather they circumvented it. “MFA is still your best defense,” said Taku.
In March 2022, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) reported on a state-sponsored attack against an unspecified non-governmental organization. The attackers identified an orphaned account within the organization, one not associated with any individual. With nobody using the account, there was nobody to notice as the attackers brute-forced the account password.
Having acquired the password, the attackers used it to enroll in MFA. With the now-verified account, they gained access to the VPN, and leveraged that into cracking the Domain Controller. The Domain Controller itself required MFA, but the attackers managed to disable the MFA response, which caused the controller to simply skip MFA. Now at the pinnacle of control, the attacking group retained access to the NGO’s network for 10 months.
“Multi-factor authentication needs multi-factor enrollment,” noted Taku. It shouldn’t have been possible to enroll just using a stolen password. He listed numerous possibilities, among them credentials handed out in person, a one-time password, or a PIN sent to the employee’s registered email or mobile.
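The NGO breach above combines two weaknesses: an MFA gate that skipped the second factor once the MFA response was disabled (fail open), and an enrollment flow that a stolen password alone could complete. The following Python is an added illustration, not code from RSA Security, CISA or PCMag; the account model, the in-memory "MFA provider", the proof names (`in_person_credential`, `otp_registered_email`, `pin_registered_mobile`) and the rule that an orphaned account cannot enroll are assumptions made for the demo.

```python
"""Fail-closed MFA and multi-factor enrollment (constructed illustration).

Not code from RSA Security, CISA or PCMag. It models two controls:
  1. an MFA gate that denies access when the MFA step yields no response
     (fail closed), beside the fail-open behaviour that skipped MFA;
  2. MFA enrollment that demands a second, out-of-band proof of identity
     and a named account owner, beside enrollment that a password alone
     completes.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class MfaResult(Enum):
    APPROVED = "approved"
    DENIED = "denied"
    NO_RESPONSE = "no_response"   # provider unreachable or its agent disabled


@dataclass
class Account:
    username: str
    password: str                 # plaintext only because this is a toy model
    owner: Optional[str] = None   # None models an orphaned account
    mfa_enrolled: bool = False
    enrollment_proofs: set = field(default_factory=set)


def mfa_gate(password_ok: bool, mfa: MfaResult, fail_open: bool) -> bool:
    """Access decision. fail_open=True reproduces the breach behaviour:
    a missing MFA response is treated as a pass."""
    if not password_ok:
        return False
    if mfa is MfaResult.APPROVED:
        return True
    if mfa is MfaResult.NO_RESPONSE:
        return fail_open          # fail closed -> False
    return False


# Proofs acceptable as the second factor at enrollment time.
# The set mirrors the options Taku lists; the names are assumptions.
ENROLLMENT_PROOFS = {"in_person_credential", "otp_registered_email", "pin_registered_mobile"}


def enroll_mfa(acct: Account, password: str, proofs: set) -> str:
    """Enrollment that needs more than the account password."""
    if password != acct.password:
        return "denied: bad password"
    if acct.owner is None:
        return "denied: orphaned account, enrollment requires a named owner"
    if not proofs & ENROLLMENT_PROOFS:
        return "denied: second enrollment factor missing"
    acct.mfa_enrolled = True
    acct.enrollment_proofs = proofs & ENROLLMENT_PROOFS
    return "enrolled"


def enroll_mfa_weak(acct: Account, password: str) -> str:
    """The behaviour that let the attackers self-enroll: password suffices."""
    if password != acct.password:
        return "denied: bad password"
    acct.mfa_enrolled = True
    return "enrolled"


if __name__ == "__main__":
    orphan = Account("svc-legacy", "Winter2021!")          # constructed sample
    print(enroll_mfa_weak(orphan, "Winter2021!"))           # enrolled
    print(enroll_mfa(Account("svc-legacy", "Winter2021!"), "Winter2021!", set()))
    print(mfa_gate(True, MfaResult.NO_RESPONSE, fail_open=True))    # True
    print(mfa_gate(True, MfaResult.NO_RESPONSE, fail_open=False))   # False
```

The design point is that the second factor must be proven both when the account is enrolled and at every login: `enroll_mfa` refuses an account nobody owns and refuses a password without an out-of-band proof, and `mfa_gate` with `fail_open=False` turns a silenced MFA provider into a denied login instead of a skipped check.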
Also in March 2022, a group dubbed LAPSUS$ hacked multiple companies, among them Microsoft, Nvidia, and authentication provider Okta. The attackers wisely avoided directly challenging Okta, instead working to compromise a subcontractor, Sitel. That attack succeeded in gaining the attackers administrator powers, in part through modifying a file called DomainAdmins-LastPass. This gave them the ability to reset passwords for Okta customers at over 360 companies.
“I work for RSA, a competitor of Okta,” said Taku, “but I’m not here to bash Okta. Okta did a good job of containment but got a black eye for lack of transparency.”
Taku then delved into a somewhat technical area called risk-based identity intelligence, explaining that “when a user authenticates, it’s more than just presenting a credential.” He noted that it’s important to dynamically validate that the access makes sense and check all available factors to verify the user’s identity.
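To make "validating that the access makes sense" concrete, here is an added Python illustration of risk-based step-up: it is not RSA Security's product logic or any vendor's API. Besides the password, the login context is scored from a few signals (unknown device, impossible travel, off-hours), and the score decides whether to allow, demand another factor, or deny. The signals, their weights, the thresholds, the use of the UTC hour for "off-hours", and the sample coordinates and timestamps are all assumptions constructed for the demo.

```python
"""Risk-based step-up decision for a login attempt (constructed illustration).

Not RSA Security's logic or any vendor's API. The password stays a hard
requirement; the risk score only decides how much further proof to demand.
Weights, thresholds and sample data are assumptions for this demo.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass
class Context:
    user: str
    device_id: str
    lat: float
    lon: float
    ts: int            # Unix epoch seconds of this attempt
    password_ok: bool


@dataclass
class History:
    known_devices: set
    last_lat: float
    last_lon: float
    last_ts: int       # epoch seconds of the previous successful login


DENY_AT, STEP_UP_AT = 80, 30   # assumed score thresholds
MAX_KMH = 1000                 # assumed: faster than this is "impossible travel"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_score(ctx, hist):
    """Weighted sum of risk signals; returns (score, reasons)."""
    score, reasons = 0, []
    if ctx.device_id not in hist.known_devices:
        score += 40
        reasons.append("unknown device")
    hours = (ctx.ts - hist.last_ts) / 3600
    km = haversine_km(hist.last_lat, hist.last_lon, ctx.lat, ctx.lon)
    if hours > 0 and km / hours > MAX_KMH:
        score += 50
        reasons.append("impossible travel")
    hour_utc = datetime.fromtimestamp(ctx.ts, tz=timezone.utc).hour  # assumption: UTC
    if hour_utc < 6 or hour_utc >= 22:
        score += 10
        reasons.append("off-hours")
    return score, reasons


def decide(ctx, hist):
    """Return 'allow', 'step_up' (demand another factor) or 'deny'."""
    if not ctx.password_ok:
        return "deny"
    score, _ = risk_score(ctx, hist)
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


# Constructed sample: last successful login from San Francisco,
# 2022-09-15 10:00 UTC (epoch 1663236000), from a known laptop.
SF_HISTORY = History({"laptop-1"}, 37.7749, -122.4194, 1663236000)

if __name__ == "__main__":
    # Two hours later, from London, on a device never seen before.
    london_12 = Context("alice", "unknown-phone", 51.5074, -0.1278, 1663243200, True)
    print(decide(london_12, SF_HISTORY), risk_score(london_12, SF_HISTORY))
```

A correct password from a known device at a plausible location is allowed silently; the same password from a known device but an impossible location triggers a step-up challenge; an unknown device on top of that is denied outright. The decision is made per attempt, which is the "dynamic" part of the idea above.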
The third example breach involved Uber, in September 2022. The hacker obtained an Uber employee’s Active Directory password. “Was it brute force? Social engineering? We don’t know,” said Taku, “but they’ve got the first factor of authentication already.”
“Access was protected by two-factor authentication using mobile push,” continued Taku. “A push notification comes to your phone and says, is this you? Approve or deny.” The hacker triggered the push notification over and over, hoping the user would, through fatigue or error, approve the connection. Taku noted his approval of the term “Prompt Bombing” for this attack.
When that didn’t work, the attacker called the victim claiming to be the Uber help desk. “We’re running a test. Can you please approve this time?” said Taku. “It’s just an old-school social engineering attack.” In the end, the attacker gained access to Uber’s cache of reported (but not fixed) bugs, setting up for further attacks.
Taku pointed out that this sort of attack can be foiled by a system that locks the account after a set number of failed login attempts. He also noted that there are push authentication techniques that force user engagement, such as asking users to tap a particular code in the mobile app. The forced engagement negates the MFA fatigue induced by prompt bombing.
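The two mitigations just described, number matching and lockout after repeated unapproved pushes, plus the detection rule a security team would run over push logs after the fact, as an added Python illustration. This is not Uber's, Okta's or any vendor's implementation; the class and function names, the threshold of five unapproved pushes in ten minutes, the log line format and the sample log lines are all constructed for the demo.

```python
"""Defences against push-notification fatigue ("prompt bombing").

Constructed illustration, not Uber's, Okta's or any vendor's code.
  * number matching: the login page shows a two-digit code and the app
    user must enter it, so a reflexive "Approve" tap cannot finish a login;
  * lockout: after MAX_UNAPPROVED unapproved pushes inside WINDOW, the user
    gets no further pushes until an administrator unlocks them;
  * detection: the same threshold applied to (constructed) push log lines.
Thresholds and the log field names are assumptions for this demo.
"""
import secrets
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

MAX_UNAPPROVED = 5                    # assumption: tune to the environment
WINDOW = timedelta(minutes=10)
DEMO_START = datetime(2022, 9, 15, 3, 0, tzinfo=timezone.utc)   # constructed


class PushService:
    """Push authenticator with number matching and fatigue lockout."""

    def __init__(self):
        self.unapproved = defaultdict(deque)   # user -> timestamps in WINDOW
        self.locked = set()
        self.pending = {}                      # challenge id -> (user, code)

    def send_challenge(self, user, now):
        """Return (challenge_id, code shown on the login page), or None if locked."""
        if user in self.locked:
            return None
        code = f"{secrets.randbelow(100):02d}"
        cid = secrets.token_hex(4)
        self.pending[cid] = (user, code)
        return cid, code

    def respond(self, cid, entered_code, now):
        """Handle the device's answer: 'approved', 'rejected' or 'locked'."""
        user, code = self.pending.pop(cid)
        if entered_code == code:
            self.unapproved[user].clear()
            return "approved"
        q = self.unapproved[user]
        q.append(now)
        while q and now - q[0] > WINDOW:       # drop events outside the window
            q.popleft()
        if len(q) >= MAX_UNAPPROVED:
            self.locked.add(user)
            return "locked"
        return "rejected"


def simulate_bombing(svc, user, start, attempts):
    """Attacker triggers a push a minute; the victim never enters the code.
    Returns the service's response for each attempt."""
    out = []
    for i in range(attempts):
        now = start + timedelta(minutes=i)
        challenge = svc.send_challenge(user, now)
        if challenge is None:
            out.append("no_push_locked")
            continue
        cid, _code = challenge
        out.append(svc.respond(cid, None, now))
    return out


def legit_login(svc, user, now):
    """The real user reads the code from the login page and types it in."""
    cid, code = svc.send_challenge(user, now)
    return svc.respond(cid, code, now)


def flag_push_fatigue(log_lines):
    """Users with MAX_UNAPPROVED or more unapproved pushes inside WINDOW."""
    per_user = defaultdict(list)
    for line in log_lines:
        ts_text, _event, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("result") != "approved":
            per_user[kv["user"]].append(datetime.fromisoformat(ts_text.replace("Z", "+00:00")))
    flagged = set()
    for user, times in per_user.items():
        times.sort()
        for i in range(len(times) - MAX_UNAPPROVED + 1):
            if times[i + MAX_UNAPPROVED - 1] - times[i] <= WINDOW:
                flagged.add(user)
                break
    return flagged


SAMPLE_LOG = [   # constructed: the trace a bombed user leaves behind
    "2022-09-15T03:10:02Z push user=alice result=timeout",
    "2022-09-15T03:10:41Z push user=alice result=denied",
    "2022-09-15T03:11:15Z push user=alice result=timeout",
    "2022-09-15T03:12:03Z push user=alice result=denied",
    "2022-09-15T03:12:50Z push user=alice result=timeout",
    "2022-09-15T03:13:30Z push user=alice result=approved",
    "2022-09-15T09:00:00Z push user=bob result=approved",
    "2022-09-15T17:20:00Z push user=bob result=timeout",
]

if __name__ == "__main__":
    print(simulate_bombing(PushService(), "alice", DEMO_START, 7))
    print(flag_push_fatigue(SAMPLE_LOG))   # {'alice'}
```

Note the trailing `approved` for alice in the sample log: a string of timeouts and denials that ends in an approval is exactly the pattern of a victim giving in, which is why the detection counts the unapproved pushes rather than waiting for a failure.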
Taku went on to note that FIDO authentication using passkeys can also serve as a form of MFA that’s tough to crack, but he came down on current efforts to make passkeys portable. “Now all I need is your iCloud password and I can download your FIDO keys,” he noted. “It’s great for convenience, terrible for security.”
Taku wrapped up with three takeaways for the audience.
82% of attacks involve the human element. “We should use invisible authentication enhancements, so we’re not vulnerable to human error,” said Taku.
“MFA is still your best first line of defense,” he said. “Three high-profile attacks involving MFA, but none of them was a fundamental breach of the underlying MFA technology.”
Security involves more than just MFA. Taku floated enhancements such as Zero Trust principles, Identity Governance, and securing MFA enrollment.
So, there you have it. Multi-factor authentication is still the best way to authenticate, far better than passwords. Breaches that seem to involve MFA all prove to be techniques for circumventing it.