Improvements in Multifactor Authentication

One of the most effective ways to stop cyberattacks is through multifactor authentication (MFA), a central component of a robust identity and access management (IAM) policy. Used in conjunction with the principle of zero trust, MFA can significantly reduce incidents of unauthorized entry into your network. But is MFA working as well as it should, and how is it being improved to keep your network and systems safer? Let’s take a look.

What Is MFA and How Does It Work?

MFA is a method of authentication that requires a user to verify they are who they say they are using two or more forms of verification. Instead of just entering a username and password, which can easily be stolen and used by a malicious actor, the user will also need to use one or more of the following:

  • A verification code that is sent to them
  • Answers to personal security questions
  • Biometric authentication, such as a fingerprint or facial recognition
  • One-time passcodes
  • Software-based certificates or tokens
  • Behavioral analysis

The most commonly used authentication factors are the username/password combination and one-time passcodes. However, these may no longer be adequate.
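The one-time passcodes in that list are normally TOTP codes (RFC 6238), whether they arrive by SMS or come from an authenticator app. The Go program below is an added example, not code from the original article or from Platinum Technologies; it shows how such a code is derived from a shared secret and the clock, and how a server should check it. The seed is the RFC 6238 test-vector secret, not a real key, and totpVerifier and its fields are names chosen for this example. The point to notice for the rest of the article is that the code is a bare six-digit string: nothing in it says which site it was meant for, so it is accepted wherever it is typed, and the only server-side defence is to tolerate little drift and never accept the same time step twice.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// hotp implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation to a 31-bit value, then the last `digits` decimal digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	bin := uint32(h[off]&0x7f)<<24 | uint32(h[off+1])<<16 | uint32(h[off+2])<<8 | uint32(h[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// totp implements RFC 6238: the HOTP counter is the number of `step`-second
// intervals since the Unix epoch. The code depends only on the secret and the
// time, never on the site that asked for it.
func totp(secret []byte, unixTime int64, step int64, digits int) string {
	return hotp(secret, uint64(unixTime/step), digits)
}

// totpVerifier is the server side (name chosen for this example). It tolerates
// one 30-second step of clock drift either way and never accepts a step that has
// already been used, so a code captured once cannot be submitted a second time.
type totpVerifier struct {
	secret   []byte
	lastStep int64 // highest step already accepted; -1 if none yet
}

func (v *totpVerifier) verify(code string, now int64) bool {
	for skew := int64(-1); skew <= 1; skew++ {
		step := now/30 + skew
		if step <= v.lastStep {
			continue // this window was already consumed: replay
		}
		if subtle.ConstantTimeCompare([]byte(code), []byte(hotp(v.secret, uint64(step), 6))) == 1 {
			v.lastStep = step
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test-vector seed, not a real key
	now := time.Now().Unix()
	code := totp(secret, now, 30, 6)
	v := &totpVerifier{secret: secret, lastStep: -1}
	fmt.Println("code:", code, "first use:", v.verify(code, now), "second use:", v.verify(code, now))
}
```

The replay guard is the part worth copying into a real implementation: it does not stop a code from being typed into the wrong site, but it does stop the same intercepted code from being used twice.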

MFA Vulnerabilities

Cybercriminals have access to the same technology everyone else does, which has allowed them to become increasingly sophisticated in their attacks. With the increasing use of MFA, attackers are finding ways around this protection, particularly since most MFA systems still rely largely on human behaviour to function.

In addition, it is easy for organizations to assume that an out-of-the-box MFA solution is enough to protect them, or to implement MFA primarily to satisfy their cyber insurer. With this in mind, here are several vulnerabilities to be aware of regarding MFA.

Second-factor Authentication Can Be Vulnerable

Not relying solely on a username and password combination for authentication doesn’t mean the second factor is completely secure. In most cases, an SMS code, push notification, or one-time password (OTP) is required, but these can leave you open to attack.

In fact, Microsoft has warned companies and individuals to stop using SMS-based authentication on smartphones because the signals to and from the phone can be intercepted by anyone who is within radio range or gains access to the switching network. The same can be said for push notifications and OTP. In addition, this type of authentication is vulnerable to phishing attacks.

Passkeys Used by MFAs Can Be Bypassed

Essentially, once a user has passed authentication and gained access to a system or network, session cookies stored on their device browser allow them to gain access again and again without needing to repeatedly go through authentication. If attackers gain access to these session cookies, they can bypass security and infiltrate the user’s account, giving them full access to the network.

Passkeys are designed to prevent this from happening, but passkeys rely on the security of the platform in use. This means the business is relying on the user’s Google, Apple, or other platform credentials for its own security. And those credentials are easy to bypass.

MFAs Are Still Vulnerable to Phishing

While MFA might be phish-resistant, it is not phish-proof. SMS, OTP, and push notifications are all vulnerable to phishing. Even companies like Cisco have fallen prey to phishing attacks that convinced users to supply their multifactor authentication credentials, allowing an attacker to gain access to their systems.

The Future of MFA

So, what is the answer to the MFA dilemma? This method of protecting your network is sound, but you need to move away from SMS, push notifications, OTP, and anything else that is vulnerable to social engineering and phishing attacks. This means removing the human factor from the equation by adopting an authenticator app (which delivers an encrypted passcode) or one or more of the following passwordless forms of MFA:

  • Biometrics – Authenticating the user with a physical characteristic, such as a fingerprint or facial recognition. This is something that cannot be stolen.
  • Physical object – Devices or other physical objects that are registered and can be verified without a password.

An example is FIDO/WebAuthn. Here, authentication relies on the device itself (such as a smartphone) rather than a password, and unlocking the device requires the user’s biometrics. This way, there is no secret an attacker can steal to gain access to a network or system, and if they steal the device, they cannot use it to gain access because they don’t have the biometrics to unlock it.
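To make the FIDO/WebAuthn point concrete, here is an added example, written for this page in Go with only the standard library and not taken from the original article, Platinum Technologies, or any WebAuthn library. It shows the relying-party checks that make a WebAuthn login phishing-resistant: the server issues a fresh challenge, the browser records the origin it is really connected to inside clientDataJSON, the authenticator signs over that data, and the server rejects the assertion unless challenge, origin and rpIdHash all match and the signature verifies with the stored public key. It simplifies the protocol: authenticatorData is reduced to the rpIdHash (flags and signature counter omitted), and the browser's own rule that rpId must be a registrable suffix of the origin is noted in a comment rather than enforced. example.com and the look-alike origin are constructed values, and authenticatorSign, verifyAssertion and demo are names chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// clientData is the part of WebAuthn's CollectedClientData used here; the browser
// sets Origin to the site it is really talking to, and the page cannot change it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the browser returns; AuthenticatorData is just the 32-byte rpIdHash here.
type assertion struct {
	ClientDataJSON    []byte
	AuthenticatorData []byte
	Signature         []byte
}

// signedMessage is the ES256 input: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return digest[:]
}

// authenticatorSign plays the device. A real browser also refuses the call unless
// rpID is a registrable suffix of origin; that rule is not modelled here.
func authenticatorSign(priv *ecdsa.PrivateKey, rpID, origin, challenge string) (assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin}) // cannot fail for this struct
	rpIDHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpIDHash[:], cd))
	return assertion{ClientDataJSON: cd, AuthenticatorData: rpIDHash[:], Signature: sig}, err
}

// verifyAssertion plays the relying party, which stores only the public key, so
// there is no server-side secret an attacker could steal and reuse.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, expectedOrigin, issuedChallenge string, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return fmt.Errorf("wrong ceremony type %q", cd.Type)
	}
	// One fresh challenge per login attempt, so a recorded assertion cannot be replayed.
	if subtle.ConstantTimeCompare([]byte(cd.Challenge), []byte(issuedChallenge)) != 1 {
		return fmt.Errorf("challenge mismatch")
	}
	// Origin binding is the anti-phishing check: a look-alike site's assertion carries
	// the look-alike origin and is rejected even though its signature is valid.
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin mismatch: assertion was made for %s", cd.Origin)
	}
	want := sha256.Sum256([]byte(rpID))
	if subtle.ConstantTimeCompare(a.AuthenticatorData, want[:]) != 1 {
		return fmt.Errorf("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// demo registers one credential for the constructed relying party example.com and runs
// the two cases from the text: the user on the real site, and the same user lured to a
// look-alike site that relays the real site's challenge. Setup errors simply panic.
func demo() (genuineAccepted, phishedAccepted bool) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	const rpID, origin = "example.com", "https://example.com"
	raw := make([]byte, 32)
	if _, e := rand.Read(raw); e != nil {
		panic(e)
	}
	ch := base64.RawURLEncoding.EncodeToString(raw) // base64url, as WebAuthn encodes challenges
	genuine, err1 := authenticatorSign(priv, rpID, origin, ch)
	phished, err2 := authenticatorSign(priv, rpID, "https://example-com.login.invalid", ch) // constructed look-alike
	if err1 != nil || err2 != nil {
		panic("signing failed")
	}
	return verifyAssertion(&priv.PublicKey, rpID, origin, ch, genuine) == nil,
		verifyAssertion(&priv.PublicKey, rpID, origin, ch, phished) == nil
}

func main() {
	genuine, phished := demo()
	fmt.Println("real site accepted:", genuine, "| look-alike site accepted:", phished)
}
```

Compared with a one-time passcode, the difference is that the thing being checked is a signature over data the browser controls, not a string the user can be talked into retyping; the origin check in verifyAssertion is what the article means by "no information an attacker can steal", and the server never holds anything but the public key.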

At Platinum Technologies, we take a modern approach to digital identity and access management and authentication. Contact us today to learn how we can help you improve your MFA so you can protect your organization against attacks.
