For more than a decade, I have been advocating for more use of multifactor authentication (MFA). Far too many online transactions still occur using simple passwords that are often reused, copied, given away by accident, shared, stolen, forgotten and/or written down on yellow sticky notes all over the office.
Here are two blogs from 2014 and 2021 that get more in depth on MFA:
How to Be Safe Online Using Passwords — With Another Step: “The National Cyber Security Alliance is taking the online safety message to a city near you. A national campaign is spreading the word that multifactor authentication is easy to use and available now — often for free.”
Email Security, Working from Home and World Password Day: “What is the future of passwords? More urgently, how are you doing with using (or reusing) passwords now? Here are some helpful tips ahead of World Password Day on May 6.”
But a new study from the U.K. found that only about one-third of organizations use MFA. Another study, from the U.S. in 2019, found that approximately 57 percent of organizations used MFA, but that most of them did not use it for all applications or all access.
Bottom line, with the growing breadth and depth of cyber threats using stolen credentials, MFA is clearly better than passwords used alone. More organizations, and individuals, should utilize MFA when it is available. For example, commonly used applications at home such as LinkedIn, Facebook and Gmail offer free MFA that is not used enough.
ALTERNATIVES PLEASE — HOW DEFEATING MFA IS A GROWING TREND
But this blog is about the rest of the story. Wired magazine recently posted an intriguing article entitled “A Sinister Way to Beat Multifactor Authentication Is on the Rise.”
Consider this excerpt: “Some forms of MFA are stronger than others, and recent events show that these weaker forms aren’t much of a hurdle for some hackers to clear. In the past few months, suspected script kiddies like the Lapsus$ data extortion gang and elite Russian-state threat actors (like Cozy Bear, the group behind the SolarWinds hack) have both successfully defeated the protection. …
“‘Many MFA providers allow for users to accept a phone app push notification or to receive a phone call and press a key as a second factor,’ Mandiant researchers wrote. ‘The [Nobelium] threat actor took advantage of this and issued multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, allowing the threat actor to eventually gain access to the account.’”
The article goes on to describe other new ways criminals trick users, who believe their MFA is keeping them secure, into granting access to systems.
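The push-bombing technique in the Mandiant excerpt above leaves a recognizable trail: a burst of push prompts the user denies or ignores, followed by one the user finally approves. The following detection logic is an added example, not code from the Wired or Mandiant material; the log line format, the user names and the IP addresses are constructed for illustration, and the threshold and window are assumed values a team would tune against its own identity provider's logs.

```javascript
// Added example (not from the original article): flag MFA "push bombing"
// by looking for an approval that follows a burst of unapproved push prompts.

// Constructed sample log lines; the key=value layout is an assumption, not
// any particular vendor's format.
const SAMPLE_LOG = [
  "2022-03-27T02:14:05Z user=alice method=push result=denied ip=198.51.100.7",
  "2022-03-27T02:14:40Z user=alice method=push result=timeout ip=198.51.100.7",
  "2022-03-27T02:15:12Z user=alice method=push result=denied ip=198.51.100.7",
  "2022-03-27T02:16:03Z user=alice method=push result=denied ip=198.51.100.7",
  "2022-03-27T02:17:30Z user=alice method=push result=approved ip=198.51.100.7",
  "2022-03-27T09:01:00Z user=bob method=push result=approved ip=203.0.113.9",
  "2022-03-27T09:30:00Z user=carol method=push result=denied ip=203.0.113.10",
  "2022-03-27T11:45:00Z user=carol method=push result=approved ip=203.0.113.11",
];

// Parse one line into { ts, user, method, result, ip }.
function parseLine(line) {
  const [ts, ...pairs] = line.trim().split(/\s+/);
  const rec = { ts: Date.parse(ts) };
  for (const pair of pairs) {
    const i = pair.indexOf("=");
    if (i > 0) rec[pair.slice(0, i)] = pair.slice(i + 1);
  }
  return rec;
}

// Per-user sliding window: report an approval that arrives after at least
// `threshold` unapproved push prompts within `windowMs`. An approval resets
// the window so that a normal denied-then-approved pair is not flagged.
function detectPushBombing(lines, { threshold = 3, windowMs = 10 * 60 * 1000 } = {}) {
  const history = new Map(); // user -> recent unapproved prompts
  const alerts = [];
  for (const rec of lines.map(parseLine).sort((a, b) => a.ts - b.ts)) {
    if (rec.method !== "push") continue;
    const recent = (history.get(rec.user) || []).filter((e) => rec.ts - e.ts <= windowMs);
    if (rec.result === "approved") {
      if (recent.length >= threshold) {
        alerts.push({
          user: rec.user,
          refusals: recent.length,
          approvedAt: new Date(rec.ts).toISOString(),
          ip: rec.ip,
        });
      }
      history.set(rec.user, []);
    } else {
      recent.push(rec);
      history.set(rec.user, recent);
    }
  }
  return alerts;
}

// On the constructed sample this reports alice (4 refusals, then approval)
// and nothing for bob or carol.
console.log(detectPushBombing(SAMPLE_LOG));
```

The rule is deliberately simple: it does not try to prove the approval was coerced, only to surface the pattern for an analyst, who would then check whether the source IP matches the user's usual location and whether a session was actually established afterward. Number-matching or a FIDO authenticator removes the pattern entirely, because there is no prompt to fatigue.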
WHAT IS FIDO?
This introductory video from the FIDO (Fast Identity Online) Alliance describes in simple terms how FIDO authentication can help.
The FIDO Alliance website starts with this message: “Simpler, Stronger Authentication — Solving the World’s Password Problem.”
Here’s an excerpt: “The FIDO protocols use standard public key cryptography techniques to provide stronger authentication. During registration with an online service, the user’s client device creates a new key pair. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge. The client’s private keys can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished by a user-friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.
“The FIDO protocols are designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services. Biometric information, if used, never leaves the user’s device.”
I encourage readers to explore this FIDO-certified software showcase, which lists the companies leading the FIDO charge.
This article from NextGov outlines the federal government’s adoption of FIDO2. Chris DeRusha, former federal CISO, said this: “Identity is a key pillar of the U.S. government’s zero-trust strategy, and a significant component of that is ensuring federal agencies use strong multifactor authentication that defends against phishing, one of the most common enterprise threat vectors … To achieve this consistently, we expect that federal agencies will need to complement their use of PIV with devices that support FIDO2 and Web Authentication standards, while phasing out weaker approaches that provide less protection against real-world phishing campaigns.”
We are in a complex time within the cybersecurity industry regarding many new technologies — especially identity management and authentication. Almost everyone agrees that implementing a zero-trust architecture is a must, as stated in presidential executive orders.
At the same time, improving authentication and identity management is seen as an essential early (if not first) step in the zero-trust journey. While MFA is clearly a better solution than passwords alone, some forms of MFA are now being defeated.
As more cyber attacks emerge (and succeed) against MFA solutions, it is important for enterprises to start paying attention to the FIDO Alliance and new technologies that strengthen authentication.