MFA Is Broken, Here’s How To Fix It
Multifactor authentication (MFA) grants a user access to a website or application only after successfully providing two or more pieces of evidence to an authentication mechanism. Recently, hackers have focused on MFA and made its methods susceptible to interception.
Ask any security pro what’s the most effective protection against hackers and scammers, and they all point to one tool: multifactor authentication (MFA). It seems every sign-on today requires validating one’s account (note: not their identity) by text, app, email, or some other channel. The National Institute of Standards and Technology (NIST) considers MFA one of the basics of security.
Multifactor authentication is still one of the best cyber defenses, stopping most attacks. But lately, bad actors have focused on hacking MFA, making its methods susceptible to interception.
Gartner had warned that, with MFA in use everywhere, focusing on layered authentication factors would make it less effective and add friction to users’ experience.
“Push fatigue” from frequent authentication notifications could open the door to attacks similar to email phishing. Bad guys could get in the middle and request a user’s MFA code or send fake push requests (those queries asking, “Are you signing into another device now?”), and users, overwhelmed with constant notifications, could easily respond automatically, giving hackers access.
This combination of social engineering and push fatigue was at the heart of some recent breaches. Uber was hacked in September despite using two-factor authentication. The hacker gained access by getting a user’s credentials and then sending repeated authentication requests until the user approved one. Then the hacker was able to move around the network, using Uber’s Slack channel to announce his breach.
Why MFA Is Broken
The Uber breach shows how criminals can get around MFA and why the methodology needs to evolve. A one-time code floating around email, text, or even on an authenticator app can be coerced or intercepted, which is the root of the problem. With MFA used by almost every website and app, the volume of authentication messages gives hackers cover.
There are four basic kinds of MFA:
One-time password (OTP), a PIN sent via SMS or email
OTP apps
Push-based apps
Biometrics
The most used SMS codes for consumer and workforce authentication are quite phishable. Authenticator apps are a step in the right direction, but they are also phishable by hackers.
ADVERTISEMENT
Enhance your omnichannel service strategies with data-driven insights.
Push notifications and biometric identification raise the bar somewhat, but as the Uber breach showed, push notifications are not foolproof.
Some of these methods are what we call HBA, or Hope-Based Authentication, which require validating factors that anybody could enter into a computer — you just hope that it is the right person. With MFA, networks have some levels of assurance but don’t know who is behind that authorization.
There’s a very simple litmus test: Can you give somebody else your authentication factor to use without you? If the answer’s yes, you need a trusted identity. It is that simple.read more