Savanti Blog

Think your users are secure with multi-factor authentication (MFA)?  It may not be as secure as you think…

Written by Chris Stabb | Jul 29, 2019 7:12:55 PM

The mercurial world of IT security likes to keep organisations on their toes.  The arms race of attackers, countermeasures, vulnerabilities, and cutting-edge technologies requires vigilant, proactive security measures to stay on top of it all.

According to the 2018 Internet Crime Report, 'e-mail account compromise accounted for adjusted losses of over $1.2 billion.'

The ever-increasing rate of malicious email attacks across virtually every occupation and industry makes phishing one of the most prevalent and challenging concerns for any organisation.  

These attacks are designed to compromise credentials, bank accounts, and privileged access within an organisation. Their occurrence continues to trend upwards year-on-year, and the attacks have become increasingly sophisticated over time.

So, what can be done to curtail this threat?

One of the primary countermeasures to this type of compromise is for organisations to implement MFA, which is a method of authentication that requires more than just a password or a PIN for access.  Specifically, it requires some combination of two or more “authentication factors,” such as time, location, or things you have or know (such as passwords, security tokens, etc.) in order to verify the validity of a log-in attempt. 

The ubiquity of smartphones in today’s world enables a very versatile and easy way to fulfil many of these authentication factors by receiving a phone call to verify a login or by similarly receiving an approval notification prompt from an authenticator application.  

The problem, however, is that this solution may not be as water-tight as most organisations think – and it comes down to education and awareness. 

While the technology behind MFA is certainly sound, the tendency for organisations to favour user convenience combined with a general lack of security awareness can mean that some MFA configurations may be easily circumvented.  Often circumvention is achieved by bombarding users with login approval requests until they approve or by exploiting potentially vulnerable authentication factors such as SMS codes. 

In a recent engagement where Savanti implemented MFA throughout an organisation, we made sure that users were aware of what to look for when logging in.  For mobile authentication applications, we distributed some brief educational communication instructing users to be vigilant as to whether the login approval notifications were expected or not, and to never approve unsolicited login requests. 

This easy communication can mitigate a glaring risk to any MFA infrastructure.
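A detection-side complement to the user guidance above, as an added example that is not part of the original post: it flags accounts that receive a burst of denied or timed-out push prompts, and marks those where the burst ends in an approval. The event layout, result values, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data: (timestamp, user, push result). The tuple layout and
# result values are assumptions, not any MFA vendor's log schema.
SAMPLE_EVENTS = [
    ("2019-07-29T02:00:10", "alice", "denied"),
    ("2019-07-29T02:00:50", "alice", "timeout"),
    ("2019-07-29T02:01:30", "alice", "denied"),
    ("2019-07-29T02:02:15", "alice", "denied"),
    ("2019-07-29T02:03:00", "alice", "timeout"),
    ("2019-07-29T02:04:00", "alice", "denied"),
    ("2019-07-29T02:04:30", "alice", "approved"),  # gives in after six prompts
    ("2019-07-29T09:00:00", "bob", "approved"),    # ordinary login
    ("2019-07-29T09:30:00", "dave", "timeout"),
    ("2019-07-29T09:30:40", "dave", "approved"),   # missed one prompt, then approved
    ("2019-07-29T14:00:00", "carol", "denied"),
    ("2019-07-29T14:00:40", "carol", "denied"),
    ("2019-07-29T14:01:20", "carol", "denied"),
    ("2019-07-29T14:02:00", "carol", "denied"),
    ("2019-07-29T14:02:40", "carol", "denied"),    # burst, never approved
]

def find_push_bursts(events, window=timedelta(minutes=10), min_unapproved=5):
    """Flag users with >= min_unapproved denied/timed-out prompts inside window."""
    recent = defaultdict(deque)  # user -> timestamps of recent unapproved prompts
    findings = {}
    for ts, user, result in sorted(events):
        now = datetime.fromisoformat(ts)
        q = recent[user]
        while q and now - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if result != "approved":
            q.append(now)
        if len(q) >= min_unapproved:
            f = findings.setdefault(
                user, {"max_unapproved": 0, "approved_after_burst": False})
            f["max_unapproved"] = max(f["max_unapproved"], len(q))
            if result == "approved":
                # An approval on the heels of a burst is the case to triage first.
                f["approved_after_burst"] = True
    return findings

if __name__ == "__main__":
    for user, f in find_push_bursts(SAMPLE_EVENTS).items():
        print(user, f)
```

An account flagged with `approved_after_burst` set warrants a session review and credential reset, since the password was already known to whoever triggered the prompts.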

Default MFA configurations can also be problematic.  For example, a common way to enrol users into MFA once it’s been deployed is to allow users to enrol into the MFA solution on their next successful login.  This is a great, low-impact way to deploy the technology.  However, if the option allowing users to enrol on their next successful login isn’t disabled, an attacker armed with a compromised account’s credentials can enrol into MFA as well, which could be considered a bit self-defeating.

MFA code verification is another authentication method found in default configurations of many MFA tools.  Most users are familiar with this method, as it has become popular to receive email or SMS messages with “one-time-passwords” to verify logins for many consumer applications, banks, and services. 

Unfortunately, attackers can go so far as to socially engineer mobile phone service providers to steal SIM card information and can quite easily intercept SMS messages containing MFA codes.  Once an attacker has a valid code, they can lock users out of any of their accounts, which can be difficult and time-consuming to recover.  For this reason, we typically don’t recommend using SMS code verification, especially for administrators.

While MFA is one of the best defences an organisation can include in their security kit, it’s important to understand how to mitigate some of the common pitfalls.  Understanding the risk associated with certain authentication factors and default configurations and communicating with your users about how MFA works and what to expect when prompted to approve a login is essential to maintaining the effectiveness of MFA. 

The technological arms race might be ever-changing, but it’s important to remember that the most important security factor to consider is often the human one. 
