With the rise in sophistication of credential-related threats such as social engineering and brute-force attacks, passwords on their own are no longer secure enough. Multi-factor authentication (MFA) has become a low-cost, high-reward security control. It is nothing new, so why have so many organisations yet to adopt it fully? Read on to explore MFA methods from early to modern developments, and to learn about recent attacks that bypass MFA by wearing victims down with repeated push notifications.

What is multi-factor authentication?

It is the practice of authenticating with two or more independent factors: something you know (a password or PIN), something you have (a hardware or software token, or a registered mobile phone) and, increasingly, something you are (a biometric). An attacker who steals or guesses the password still has to obtain or defeat the second factor, and that is the obstacle MFA puts in their way.

The early days of multi-factor authentication

In the early days, MFA was a costly option to adopt, relying on expensive tamper-resistant tokens (mobile phones had not yet developed into today's smartphones). It was also a headache for system administrators because tokens had a defined lifetime, set either by their battery or by an expiry date, and had to be tracked, replaced and revoked when lost. These challenges hindered rather than helped organisations achieve the gold standard for authentication.

Hardware tokens

Typically, hardware tokens are LCD key-fob-sized devices running a known time-based algorithm over a secret seed, so that the display shows a unique pseudo-random code for each time window. The authentication server holds the same seed and clock, and so can compute the valid code for any token at any moment; a code is useless once its window has passed. Examples: RSA SecurID and Duo hardware tokens. YubiKey and Google Titan are also hardware tokens, but of a different kind: they are FIDO security keys that answer a cryptographic challenge from the browser rather than displaying a code, which makes them resistant to phishing in a way that typed codes are not.

Software tokens

Similarly, software tokens are vendor-provided applications seeded with the same secret and algorithm; they display the current code on demand (when the user clicks or taps the token application) for use.

Time-based One-Time Password (TOTP) generators

An application runs on a smart device, usually a smartphone or tablet, and displays a time-based code. The standard is RFC 6238: the app and the server share a secret seed (exchanged once at enrolment, usually as a QR code), and each 30-second code is an HMAC over the current time step, truncated to six or eight digits. Because the only inputs are the seed and the clock, the app needs no network connection to generate codes, and the server must tolerate a little clock drift between itself and the device. Examples: Google Authenticator, Microsoft Authenticator, Okta Verify.
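To make the "shared seed plus clock" description concrete, here is an added example (not code from the original article or from any of the vendors named above) implementing RFC 4226 HOTP and RFC 6238 TOTP in plain Python: code generation, server-side verification with a small clock-skew window, and the otpauth:// enrolment URI that authenticator apps read from a QR code. The issuer and account names are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import List, Optional, Tuple

STEP = 30  # time-step length in seconds (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F  # low nibble of the last byte picks a 4-byte window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: Optional[int] = None, digits: int = 6, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    `for_time` lets callers pin the clock (used for test vectors and verification)."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, for_time // step, digits)


def verify_totp(secret: bytes, code: str, for_time: Optional[int] = None,
                window: int = 1, digits: int = 6, step: int = STEP) -> bool:
    """Server-side check: accept the code for the current step or +/- `window`
    adjacent steps to tolerate clock drift. All candidates are compared with a
    constant-time comparison so the check does not leak digits via timing."""
    if for_time is None:
        for_time = int(time.time())
    counter = for_time // step
    results: List[bool] = [
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    ]
    return any(results)


def new_enrolment(issuer: str, account: str) -> Tuple[bytes, str]:
    """Generate a random 160-bit seed and the otpauth:// URI an authenticator app
    scans as a QR code. The seed must be stored server-side as carefully as a
    password hash, because anyone holding it can generate valid codes."""
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    uri = (f"otpauth://totp/{label}?secret={b32}&issuer={urllib.parse.quote(issuer)}"
           f"&algorithm=SHA1&digits=6&period=30")
    return secret, uri


if __name__ == "__main__":
    # RFC 6238 Appendix B test vector: ASCII seed, time 59 -> step 1 -> 94287082
    rfc_seed = b"12345678901234567890"
    print(totp(rfc_seed, for_time=59, digits=8))

    # Placeholder enrolment for a hypothetical tenant and user.
    seed, uri = new_enrolment("Example Corp", "alice@example.com")
    print(uri)
    now = int(time.time())
    code = totp(seed, for_time=now)
    print(code, verify_totp(seed, code, for_time=now + 20))  # still inside the skew window
```

The clock-skew `window` is the knob to watch: one step either side (about 30 seconds of drift) is the usual compromise between tolerating phone clocks and limiting the number of codes an attacker could guess against a single challenge. Rate-limit failed submissions as well, since a six-digit code has only a million possibilities.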

Modern multi-factor authentication developments

Fast forward a decade or two, and things are very different. MFA is close to ubiquitous in terms of accessibility. Identity and cloud providers such as Microsoft and Google make it simple to enable MFA and secure your organisation quickly and with minimal effort. Indeed, there have been recent examples of well-known organisations mandating to partners and customers that MFA be part of business as usual (as was seen for Microsoft Partners and, separately, for Salesforce customers).

The current prevalence of smartphones makes MFA solutions highly viable, flexible, unobtrusive and easy to deploy. Multiple options exist for delivering codes and proving the "something you have" factor, and because TOTP apps generate codes from the seed and the device clock alone, at least one method keeps working regardless of coverage and mobile signal strength, even though SMS and push notifications need a connection.

One-time pins or codes and push notifications

More modern and less hardware/software-dependent methods use one-time pins or codes (TOTP, OTP or OTC) and approvals delivered by SMS text message or by "push notifications" to a mobile phone. These still satisfy the something-you-have requirement without a whole fleet of tokens (hard or soft) to manage. One caveat: SMS is the weakest of these, as codes can be intercepted or redirected through SIM swapping, which is why NIST SP 800-63B classes it as a restricted authenticator and why app-based codes or push are preferable where the choice exists.

Despite being the predominant use case we see today, thanks to broad adoption by SaaS providers such as Microsoft, there are still challenges in a BYOD world. Not everyone wants to use their personal phone for work, and BYOD users' preferences will influence how successfully push or SMS notifications are adopted. Company policies explaining what additional software is necessary for BYOD deployments, why, and to what extent, along with a clear statement of how far the organisation can access data on the device, should be prerequisites for any rollout to BYOD fleets.

Recent attack evolution

A technique publicly reported in December 2021 and attributed to the APT known as Nobelium (the Russian cyber-espionage group behind the 2020 SolarWinds supply chain attack) sees users "spammed" with push notifications requesting approval for authentication in an attempt to bypass MFA. The attacker already holds the victim's valid password, so every sign-in attempt triggers a genuine prompt on the victim's phone; the goal is simply to get one of them approved. Sadly, this has succeeded in some cases, where users approved a prompt to silence the notifications, because they thought it might be a bug, or out of sheer annoyance.

Mitigations

The more recent attacks emphasise the need for solid security awareness training that tells users never to "click to silence". Instead, users should report any barrage of unexpected MFA prompts to the Information Security team, as they would (and should) any other unusual or anomalous event; an unexpected prompt also means the password is already compromised and should be reset. Training works best alongside technical controls: number matching (where the vendor supports it, the user must type a number shown on the login screen into the prompt, so a blind approval is impossible), limits on how many prompts a single account can generate in a short period, and alerting on a run of denied or unanswered prompts so the security team sees the attack even if the user does not report it.
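The attack described under "Recent attack evolution" leaves a distinctive trace in authentication logs: a burst of denied or unanswered pushes for one account, sometimes followed by an approval. The following added example (not from the original article or any vendor) shows detection logic for that pattern run over a few constructed log lines in a simple key=value format; it is not any real product's log format, and the users, addresses and thresholds are placeholders.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Constructed sample log lines (not from any real product): one push outcome per line.
# alice receives a burst of prompts she rejects or ignores, then approves one;
# bob denies one prompt by accident and approves the retry; carol is a normal login.
SAMPLE_LOG = """\
2021-12-06T08:00:05Z user=alice event=push result=denied src=203.0.113.7
2021-12-06T08:00:41Z user=alice event=push result=timeout src=203.0.113.7
2021-12-06T08:01:12Z user=alice event=push result=denied src=203.0.113.7
2021-12-06T08:01:50Z user=alice event=push result=denied src=203.0.113.7
2021-12-06T08:02:30Z user=alice event=push result=approved src=203.0.113.7
2021-12-06T08:10:00Z user=bob event=push result=denied src=198.51.100.2
2021-12-06T08:10:20Z user=bob event=push result=approved src=198.51.100.2
2021-12-06T09:30:00Z user=carol event=push result=approved src=192.0.2.9
"""

BURST_THRESHOLD = 3            # rejected/unanswered pushes that count as a burst
WINDOW = timedelta(minutes=10)  # sliding window in which those pushes must occur


def parse_line(line: str) -> Dict[str, object]:
    """Split '<iso-timestamp> key=value ...' into a dict with a parsed 'ts' field."""
    ts_text, *fields = line.split()
    rec: Dict[str, object] = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return rec


def detect_push_fatigue(log_text: str, threshold: int = BURST_THRESHOLD,
                        window: timedelta = WINDOW) -> List[Dict[str, object]]:
    """Return alerts for push-fatigue bursts.

    medium: a user accumulates `threshold` denied/timed-out pushes inside `window`
            (the attack is in progress; the password is already compromised).
    high:   an approval arrives while such a burst is still inside the window
            (the attacker most likely got in).
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("event") != "push":
            continue
        user, ts, result = str(rec["user"]), rec["ts"], rec["result"]
        pending = recent[user]
        while pending and ts - pending[0] > window:   # expire old entries
            pending.popleft()
        if result in ("denied", "timeout"):
            pending.append(ts)
            if len(pending) == threshold:            # fire once as the burst crosses the line
                alerts.append({"severity": "medium", "user": user, "ts": ts,
                               "src": rec.get("src"),
                               "reason": f"{threshold} rejected/unanswered pushes within {window}"})
        elif result == "approved":
            if len(pending) >= threshold:
                alerts.append({"severity": "high", "user": user, "ts": ts,
                               "src": rec.get("src"),
                               "reason": f"approval after {len(pending)} rejected/unanswered pushes"})
            pending.clear()                          # a session was granted; start afresh
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["user"], alert["ts"].isoformat(), alert["reason"])
```

The medium alert is the one worth paging on: by the time it fires, the attacker has already proven they hold the password, so the response is to reset the credential and block the source, not to wait for the high alert. Tune the threshold against your own false-positive rate; a single accidental denial followed by a retry, as in bob's case above, should stay quiet.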

Even in light of this new threat, multi-factor authentication remains one of the best steps you can take to protect your organisation, but as we can see, the authentication method you select affects how secure you actually are: phishing-resistant methods such as FIDO security keys sit at the top, app-based codes and push with number matching in the middle, and SMS at the bottom. Using anything beyond passwords significantly increases the cost to attackers. Combining MFA with Zero Trust and Privileged Access Management (PAM) produces a layered identity and access management posture that is hard for any would-be attacker to break down.

Author

John Winchester, Secrutiny's Director of Product Development and Operations, is a global practice leader covering people, processes and technology. With experience in technical support, consulting, pre-sales, managed services and people management, John has extensive experience managing multiple project managers and comprehensive change and transformation programmes, helping digital organisations get the most from "digital".