Why I’m So Hard on Most MFA
I have to be the world’s most vocal critic of most multifactor authentication (MFA). I know MFA doesn’t solve 99% of the cybersecurity world’s problems (despite vendors and leaders saying it does). Most MFA is far too easy to hack and bypass. Most of the stuff I’m forced to use is just barely this side of security theater. Nearly all of it is overhyped and overpromised (there are notable exceptions, like FIDO-enabled Yubikeys).
I like many MFA solutions (https://www.dhirubhai.net/pulse/any-mfa-vs-good-roger-grimes/), just not most of the most popular solutions that most people use…at least not yet.
My biggest problem is that most MFA solutions can be easily phished and bypassed, as easily (or nearly as easily) as the passwords they were supposed to replace, which was the major reason for replacing them in the first place. Phishing and bypassing can be done a bunch of different ways. The most common way is known as a Man-in-the-Middle (MitM) attack (although Microsoft calls them Adversary in the Middle attacks, I guess to be more gender neutral).
With most MitM attacks, an attacker sends a potential victim a phishing message (usually via email) that incentivizes the potential victim to click on a rogue link that the victim thinks is taking them to a real, legitimate site or service. Instead, that rogue URL link takes the user to a MitM site/service that then redirects all requests from the user to the real, intended site/service. The MitM site/service can now capture all the information sent between the user and the real site/service (graphic summary shown below).
The hacker can then reuse the victim’s MFA authentication code, if they provide one, or simply take or copy the resulting access control token that allows the user to access the protected web site.
MitM attacks are easy peasy. Most phishing kits and password-stealing malware programs now automate this type of MFA theft. You don’t have to be an uber hacker or spend weeks setting up a fake web site. You spend a few dollars and the software does it for you.
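To show why the FIDO exception mentioned above holds up against this relay, here is an added example that is not from the article: a toy relying party that accepts a one-time code replayed by a proxy, but rejects a WebAuthn-style assertion because the browser signed the proxy's origin rather than the real site's. The origins, the secret, and the HMAC standing in for the FIDO key pair are all constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example: one authenticator secret is used for both a
# counter-based one-time code and a WebAuthn-style assertion. An HMAC
# stands in for the FIDO key pair so the demo has no dependencies.
AUTHENTICATOR_SECRET = b"constructed-demo-secret"
REAL_ORIGIN = "https://bank.example"         # site the user meant to reach
PROXY_ORIGIN = "https://bank-login.example"  # the MitM proxy's own origin

def otp_code(secret: bytes, counter: int) -> str:
    """Six-digit code derived only from the secret and a counter; it
    carries no information about where the user typed it."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(digest[-4:], 'big') % 1_000_000:06d}"

def verify_otp(secret: bytes, counter: int, code: str) -> bool:
    return hmac.compare_digest(otp_code(secret, counter), code)

def sign_assertion(secret: bytes, challenge: str, browser_origin: str) -> dict:
    """The browser binds the origin it is actually talking to into the
    signed client data, as WebAuthn does; the user cannot override it."""
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin})
    sig = hmac.new(secret, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": sig}

def verify_assertion(secret: bytes, challenge: str, expected_origin: str, assertion: dict) -> bool:
    data = json.loads(assertion["client_data"])
    expected_sig = hmac.new(secret, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected_sig, assertion["signature"])
            and data["challenge"] == challenge
            and data["origin"] == expected_origin)

def relay_through_mitm() -> dict:
    """A MitM proxy forwards whatever the victim supplies to the real site."""
    challenge = secrets.token_hex(16)
    # The victim types the OTP into the proxy page; the proxy replays it verbatim.
    otp_accepted = verify_otp(AUTHENTICATOR_SECRET, 42, otp_code(AUTHENTICATOR_SECRET, 42))
    # The victim's browser signs for the origin it really sees: the proxy's.
    relayed = sign_assertion(AUTHENTICATOR_SECRET, challenge, PROXY_ORIGIN)
    fido_accepted = verify_assertion(AUTHENTICATOR_SECRET, challenge, REAL_ORIGIN, relayed)
    return {"otp_replay_accepted": otp_accepted, "fido_relay_accepted": fido_accepted}
```

The same origin check is what makes a captured session token the remaining prize for the proxy, which is why the article's next point about token theft still matters even with FIDO.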
Here are a few recent news stories talking about this exact attack:
· https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/
· https://www.wired.com/story/hack-binance-cryptocurrency-exchange/
· https://www.bleepingcomputer.com/news/security/new-evilproxy-service-lets-all-hackers-use-advanced-phishing-tactics/
· https://www.scmagazineuk.com/2fa-stealing-android-malware-gives-enterprises-cause-concern/article/1681863
· https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born
There are plenty of other ways to easily phish different types of MFA, such as push-based MFA bombing (https://www.dhirubhai.net/pulse/you-use-push-based-mfa-did-do-roger-grimes).
My bare minimum bar for any MFA solution is that it shouldn’t be EASILY phishable. And to be clear, all MFA, even the best stuff, can be phished and hacked (https://www.dhirubhai.net/pulse/phishing-resistant-mfa-does-mean-un-phishable-roger-grimes). I’m just saying that if you pick an MFA solution it shouldn’t be EASILY phishable using the most common types of attacks (e.g., MitM attacks and push-based attacks). I’m really not asking a lot.
I’m asking for MFA solutions to be far more secure than the passwords they are replacing, because otherwise why go through all the effort and expense?
Cyber Security Specialist | CISSP, CISM, CCSK
1 year: Roger that. Here is where proper user training to be able to deal with MFA bombing comes into place. Having decent EDR and email protection capabilities is the other side of the protection coin IMO.
Implement Quantum Safe Security with Quantum Authentication to solve all these problems, you are welcome, contact us asap if you want to survive the hybrid attacks (Quantum + AI) that will break classical security measures and algorithms.
Immersed in the computer industry since 1993, I’ve adapted to its evolution, including the rise of AI. Excited for the future of this dynamic field.
1 year: Roger, what do you think about "Apple passkey"?
US Army CZTO
1 year: The problem is that MFA is still a method of AAA more than it is security (by that I mean built to defend the user against adversaries' use of MitM, phishing emails, ransomware, malware, etc.). It's why it's a part of a security architecture as a key enabler, but organizations that lose track of what defense in depth means and put all of their ICAM in one basket eventually will be reminded the hard way...
You can never be hard enough.... MFAs are a joke these days.