Not all forms of multi-factor authentication (MFA) are created equal, and the forms based on one-time passcodes have turned into corporate liabilities. A one-time passcode entered into a malicious login page or on a compromised endpoint can be harvested by an attacker and used to log in together with a harvested username and password.
In the massive Uber breach in September, the attacker, after harvesting a username and password, used a form of MFA ‘exhaustion attack’: every login attempt by the attacker challenges the legitimate user for a one-time passcode, over and over, until the user finally enters the code simply to stop the barrage of authentication challenges, which usually take the form of ‘push notifications’ to a mobile device.
Attacks like this are all too common. In the recent Uber breach, the compromise was largely enabled by a combination of social engineering (including the defeat of MFA through a spoofed relay site) and the discovery of privileged credentials hard-coded in scripts.
Users who fall for these attacks are doing what they are trained to do: responding to the MFA challenge to confirm their digital identities. The problem is the weak nature of the shared secret. If the user is given a stronger form of authentication control, the problem between the keyboard and the chair can be mitigated.
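The MFA exhaustion pattern described above leaves a distinctive trace in identity-provider logs: a run of denied or timed-out push challenges for one account inside a short window, sometimes followed by an approval. The following Python is added here as an example and is not part of the original article; it parses constructed sample log lines (the line format, usernames and IP addresses are made up) and raises one alert for the burst itself and a second, more serious one for an approval that follows the burst.

```python
"""Flag MFA push-fatigue bursts in authentication log lines.

Added example, not from the original article. The log format and all values
below are constructed; adapt LINE_RE to your identity provider's export.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice receives a burst of pushes she rejects or ignores,
# then approves one; bob shows ordinary behaviour with a single denial.
SAMPLE_LOG = """\
2022-09-15T02:10:05Z user=alice mfa=push result=denied src=203.0.113.7
2022-09-15T02:10:21Z user=alice mfa=push result=timeout src=203.0.113.7
2022-09-15T02:10:44Z user=alice mfa=push result=denied src=203.0.113.7
2022-09-15T02:11:02Z user=alice mfa=push result=timeout src=203.0.113.7
2022-09-15T02:11:30Z user=alice mfa=push result=denied src=203.0.113.7
2022-09-15T02:12:11Z user=alice mfa=push result=approved src=203.0.113.7
2022-09-15T09:00:00Z user=bob mfa=push result=approved src=198.51.100.20
2022-09-15T09:05:00Z user=bob mfa=push result=denied src=198.51.100.20
2022-09-15T09:30:00Z user=bob mfa=push result=approved src=198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) mfa=push result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse(log_text: str):
    """Return (timestamp, user, result, src) tuples; lines that don't match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["result"], m["src"]))
    return events


def detect_push_fatigue(events, window=timedelta(minutes=5), threshold=3):
    """Return alert dicts.

    'push_burst': a user accumulated `threshold` denied/timed-out pushes within
    `window`.  'approval_after_burst': an approval arrived while such a burst
    was still inside the window, i.e. the pattern of a successful exhaustion attack.
    """
    alerts = []
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)

    for user, evs in by_user.items():
        evs.sort()                      # oldest first
        rejected = []                   # timestamps of recent rejected pushes
        burst_open = False
        for ts, _, result, src in evs:
            # drop rejections that have fallen out of the sliding window
            rejected = [r for r in rejected if ts - r <= window]
            if result in ("denied", "timeout"):
                rejected.append(ts)
                if len(rejected) >= threshold and not burst_open:
                    burst_open = True
                    alerts.append({"user": user, "src": src, "kind": "push_burst",
                                   "count": len(rejected), "at": ts})
            elif result == "approved":
                if len(rejected) >= threshold:
                    alerts.append({"user": user, "src": src,
                                   "kind": "approval_after_burst",
                                   "count": len(rejected), "at": ts})
                rejected.clear()        # an approval ends the current episode
                burst_open = False
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse(SAMPLE_LOG)):
        print(alert)
```

The approval-after-burst alert is the one worth paging on: a burst alone may be a user fumbling with a new phone, but an approval that lands while several rejections are still inside the window is exactly the moment the attacker obtains a session.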
What alternative approaches to MFA should enterprises use?
Simply put, authentication mechanisms that are not vulnerable to social engineering are better alternative approaches. One-time passcodes, just like passwords, are a form of shared secret, and most authentication controls based on a shared secret are unfortunately vulnerable to social engineering. A one-time passcode is something that a legitimate user is trained to enter, but this assumes the user knows that they are giving the secret to a legitimate authentication challenge. Through social engineering, the user may not realize that they are sharing their secret with an attacker.
These attacks can be defeated through modern strategies such as PKI-based access. PKI-based client certificates are not based on a shared secret and can be used in stronger authentication controls that do not involve passwords. For enterprise users, centrally managed client certificates as a form of ‘passwordless’ authentication mechanism are a better alternative.
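To make the shared-secret point concrete, here is an added Python example (not code from the original article or from any product it describes). It implements TOTP (RFC 6238) with the standard library and shows that a code typed into a relay page is accepted unchanged by the real server, because the server cannot tell where the secret was typed. It then contrasts that with a Schnorr-style signature whose signed message includes the identity of the server the client actually connected to, the way TLS client-certificate authentication signs the handshake transcript: the relayed signature fails at the real server and the private key never leaves the device. The group parameters are tiny toy values generated at import time for illustration only, and login.example / evil.example are constructed hostnames.

```python
"""Why a harvested one-time passcode replays but a key-based, origin-bound
signature does not.

Added example, not code from the original article.  TOTP follows RFC 6238;
the signature is a Schnorr-style scheme over a small safe-prime group (toy
parameters, for illustration only).  Hostnames are constructed.
"""
import hashlib
import hmac
import random
import struct

REAL_SERVER = "login.example"   # the site the user believes they are signing in to
PHISH_SITE = "evil.example"     # attacker's relay page, forwarding to REAL_SERVER
_rng = random.SystemRandom()


# ---- Shared-secret factor: TOTP (RFC 6238, SHA-1, 30 s step, 6 digits) --------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def otp_relay_accepted(secret: bytes, now: int) -> bool:
    """User types the current code into evil.example; the attacker forwards it
    unchanged to login.example, which cannot tell where it was typed."""
    harvested = totp(secret, now)          # what the phishing page received
    expected = totp(secret, now)           # what login.example computes itself
    return hmac.compare_digest(harvested, expected)


# ---- Public-key factor: signature over (nonce, server identity) --------------
def _is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _safe_prime_group(bits: int = 64, seed: int = 1):
    """Find p = 2q + 1 with p, q prime and a generator g of the order-q subgroup."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        p = 2 * q + 1
        if _is_probable_prime(q, rng) and _is_probable_prime(p, rng):
            g = pow(rng.randrange(2, p - 1), 2, p)   # any square != 1 has order q
            return p, q, g


P, Q, G = _safe_prime_group()   # toy-sized group, illustration only


def keygen(rng=_rng):
    """Private key x stays on the device; only the public key y = g^x is enrolled."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def _challenge(r: int, nonce: bytes, server_id: str) -> int:
    h = hashlib.sha256(r.to_bytes(16, "big") + nonce + server_id.encode()).digest()
    return int.from_bytes(h, "big") % Q


def sign(x: int, nonce: bytes, server_id: str, rng=_rng):
    """Sign the server's nonce together with the identity of the server the client
    actually connected to (models the transcript binding of TLS client auth)."""
    k = rng.randrange(1, Q)
    r = pow(G, k, P)
    return r, (k - x * _challenge(r, nonce, server_id)) % Q


def verify(y: int, nonce: bytes, server_id: str, sig) -> bool:
    r, s = sig
    e = _challenge(r, nonce, server_id)
    return (pow(G, s, P) * pow(y, e, P)) % P == r


def cert_direct_accepted(x: int, y: int, nonce: bytes) -> bool:
    """Honest login: client connected to login.example and signs that identity."""
    return verify(y, nonce, REAL_SERVER, sign(x, nonce, REAL_SERVER))


def cert_relay_accepted(x: int, y: int, nonce: bytes) -> bool:
    """Relay: attacker forwards login.example's nonce, but the client is connected
    to evil.example and signs that identity, so login.example rejects it."""
    return verify(y, nonce, REAL_SERVER, sign(x, nonce, PHISH_SITE))
```

Run it and the two `*_relay_accepted` functions tell the story: the TOTP relay returns True, the certificate relay returns False, and nothing the phishing page saw (a signature over the wrong identity) can be reused later, since the next login uses a fresh nonce.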
No matter how vigilant a company’s security culture is, these fundamental vulnerabilities will remain so long as traditional username-password credentials control access.
Learn more in the recent Root Causes podcast episode 249, What is MFA Exhaustion?