Interpersonal Multi-Factor Authentication (IMFA)

The cyber threat landscape evolves every single day, resembling a relentless cat-and-mouse game between attackers and defenders. With the increased usage of AI/ML enabling highly sophisticated attacks, the security of data, people, and resources is threatened. In response to this issue, I've devised a concept called Interpersonal Multi-Factor Authentication (IMFA) or Person to Person Authentication (P2P-A).

Two-Factor Authentication (2FA), a subset of Multi-Factor Authentication (MFA) commonly used to authenticate into an application, helps prevent various attacks that threaten application security. However, highly sophisticated social engineering attacks are emerging that exploit human vulnerabilities. To counter these threats, IMFA/P2P-A adds an additional layer of security through direct person-to-person verification, ensuring a robust defense against evolving cyber threats.

Objective: Implement MFA for accessing resources within different teams by requiring a person-to-person authentication step.

Setup and Requirements

Teams and Departments:

  • Each team/department has a unique keyword or number.
  • The list of keywords/numbers is confidential and only shared within the respective team.
  • The entire company has one keyword that remains confidential and is used when verification is highly uncertain.

Scenarios:

  • Person from Team A needs access to resources in Team B.
  • Person from Team A must communicate with a member of Team B to get the keyword/number.

Implementation Steps

Step 1: Define Keywords/Numbers

  • Assign a unique keyword or number to each team/department.
  • Ensure these keywords/numbers are periodically changed.

Step 2: Secure Communication Channel

Establish a secure communication channel for team members to verify identity (e.g., a secure chat app, encrypted email, or in-person verification).

Step 3: Access Request Process

  • Person from Team A requests access to Team B's resources.
  • Team B member verifies the identity of the requester (could be through a call, in-person meeting, or secure message).

Step 4: MFA Verification

  • Once verified, Team B member shares the keyword/number with the requester.
  • Requester uses this keyword/number to access the required resources.

Example Scenario:

1. Define Keywords/Numbers:

  • Team A: Keyword = "DePA123"
  • Team B: Keyword = "DataStr!Ke768"

2. Request Access:

  • Alice from Team A needs access to a critical document in Team B.
  • Alice sends a secure message to Bob from Team B requesting access.

3. Verification:

  • Bob verifies Alice's identity (e.g., through a video call or in-person meeting).

4. Share Keyword/Number:

  • Once verified, Bob shares Team B's keyword "DataStr!Ke768" with Alice.

5. Access Resource:

  • Alice uses the keyword "DataStr!Ke768" to gain access to Team B's document.
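An added example (not part of the original article or of any product): one way an access control system could check a team keyword as described in Steps 1 to 4, storing only a salted hash, comparing in constant time, rejecting a keyword that is past an assumed 30-day rotation period, and locking out a requester after an assumed three wrong attempts. The `KeywordRegistry` class, the requester names and both thresholds are hypothetical; the keywords are the article's sample values.

```python
import hashlib, hmac, os, time

ROTATION_SECONDS = 30 * 24 * 3600  # assumed period; the article only says "periodically"
MAX_FAILURES = 3                   # assumed lockout threshold per requester and team

class KeywordRegistry:
    """Keeps one salted PBKDF2 hash per team, never the keyword itself."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._teams = {}     # team -> (salt, digest, time the keyword was set)
        self._failures = {}  # (requester, team) -> consecutive wrong attempts

    @staticmethod
    def _derive(keyword, salt):
        return hashlib.pbkdf2_hmac("sha256", keyword.encode(), salt, 200_000)

    def set_keyword(self, team, keyword):
        salt = os.urandom(16)
        self._teams[team] = (salt, self._derive(keyword, salt), self._clock())

    def check(self, requester, team, presented):
        """Return 'granted', 'denied', 'expired' or 'locked'."""
        key = (requester, team)
        if self._failures.get(key, 0) >= MAX_FAILURES:
            return "locked"            # stops online guessing of a short keyword
        record = self._teams.get(team)
        if record is None:
            return "denied"
        salt, digest, set_at = record
        if self._clock() - set_at > ROTATION_SECONDS:
            return "expired"           # keyword is overdue for rotation (Step 1)
        if hmac.compare_digest(self._derive(presented, salt), digest):
            self._failures.pop(key, None)
            return "granted"
        self._failures[key] = self._failures.get(key, 0) + 1
        return "denied"

def demo():
    now = [0.0]                        # constructed clock so the run is repeatable
    reg = KeywordRegistry(clock=lambda: now[0])
    reg.set_keyword("Team B", "DataStr!Ke768")
    results = [reg.check("alice", "Team B", "DataStr!Ke768")]
    results += [reg.check("mallory", "Team B", g) for g in ("DePA123", "guess1", "guess2")]
    results.append(reg.check("mallory", "Team B", "DataStr!Ke768"))  # already locked out
    now[0] += ROTATION_SECONDS + 1
    results.append(reg.check("alice", "Team B", "DataStr!Ke768"))    # keyword not rotated
    return results

if __name__ == "__main__":
    print(demo())
```
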

Special Scenario (Company-wide Keyword)

The following scenario was generated by ChatGPT through prompt engineering:

Sample Scenario: Deepfake Attack and the Use of Company Keyword

Background:

The company, TechSecure, has implemented Interpersonal Multi-Factor Authentication (IMFA) with unique keywords for each department. Additionally, there is one company-wide keyword that is kept highly confidential and is used in situations where verification is highly uncertain or involves highly sensitive information.

Departments and Keywords:

  • Team A (Development): Keyword = "Dev123"
  • Team B (Operations): Keyword = "Ops456"
  • Team C (HR): Keyword = "HR789"
  • Company-Wide Keyword: Keyword = "SecureKey999"

Scenario: Deepfake Attack during a Crisis

Situation:

An intruder has managed to access a critical video conference meeting using deepfake technology to impersonate the CEO, Alex. The intruder’s goal is to gain access to sensitive resources from the Development team.

Steps:

1. Initiate the Meeting:

  • The Operations team detects an unusual spike in server activity and convenes an emergency video conference involving key team members from Operations and Development.
  • During the meeting, "Alex" (actually the intruder using deepfake) insists that immediate access to a sensitive development resource is necessary to mitigate a supposed breach.

2. Request Verification:

  • Sam from the Operations team feels something is off and decides to follow protocol by initiating the IMFA process.
  • Sam asks "Alex" to provide the company-wide keyword "SecureKey999" for verification due to the critical nature of the request.

3. Deepfake Detection and Response:

  • As part of their enhanced security protocols, the real CEO, Alex, has established a secondary out-of-band verification method. This includes an encrypted secure chat app that sends a one-time code to both the requester and verifier.
  • Sam uses the secure chat app to request verification. The real Alex receives the one-time code and realizes an intruder is impersonating him.

4. Confirm Identity:

  • The real Alex quickly alerts the security team through a pre-arranged emergency contact method, separate from the compromised communication channel.
  • The security team immediately initiates countermeasures to isolate and identify the intruder, and Sam is instructed to disconnect the imposter from the meeting.

5. Share Company-Wide Keyword:

  • After ensuring the imposter is removed, the real Alex re-joins the meeting through a secure, verified connection and provides the one-time code and company-wide keyword "SecureKey999" to Sam.

6. Access System:

  • Sam uses the confirmed keyword "SecureKey999" to access the sensitive development resource and mitigate the potential breach identified by the Operations team.

7. Post-Incident Review:

  • Following the incident, a comprehensive review is conducted involving all teams to analyze the deepfake attack, evaluate the response, enhance security protocols, and implement a new company-wide keyword.

Conclusion

This scenario highlights the importance of having robust multi-factor authentication methods, including out-of-band verification, to counter sophisticated threats like deepfakes. It also emphasizes the need for a high-trust emergency protocol to ensure that even senior executives' identities can be verified securely.

Documentation and Training

Create Guidelines:

  • Document the process and guidelines for both requesters and verifiers.
  • Include steps for secure communication and identity verification.

Training:

  • Conduct training sessions for all team members to familiarize them with the new MFA process.

Testing and Feedback

Pilot Testing:

  • Implement the PoC in a controlled environment with selected teams.
  • Gather feedback and refine the process based on user experiences.

Rollout and Monitor

Full Rollout:

  • Once the PoC is successful, roll out IMFA to all teams.
  • Regularly monitor the process and make necessary adjustments.

Tools and Technologies

Secure Communication Tools:

  • Encrypted messaging apps (e.g., Signal, WhatsApp)
  • Secure email services (e.g., ProtonMail)
  • Video conferencing tools with end-to-end encryption

Access Control Systems:

  • Implement the keyword/number verification in your existing access control systems or integrate it with critical tools.

By following these steps, you can create a robust proof of concept for in-person multi-factor authentication between teams, enhancing security and ensuring proper access control within your organization.

