Why use MFA?
Geraint Williams
CISO @ Modern Networks - Protecting Modern Networks and its clients. Franchise Owner @ Going Digital East Anglia · Part-time photographer and coach
A case for adoption
Multi-factor authentication (MFA) helps defeat attacks that rely on compromised account passwords. The 2019 Verizon Data Breach Investigations Report found that 80% of hacking-related breaches were still tied to compromised or weak passwords.
Account passwords can be compromised through several means; the most common are outlined here.
Easily guessed passwords
Passwords based on a dictionary word can be broken through dictionary attacks, especially when the word is personal to the victim and that relationship can be found publicly: the name of a family pet, a favourite sports team or artist, and so on, mentioned on the user's social media and accessible to anyone on the web. Cracking tools also apply the usual mangling rules (capitalising the first letter, appending a year or an exclamation mark), so a word plus a predictable suffix is little stronger than the word alone.
Short passwords can be broken through brute-force attacks, in which the attacker tries every possible combination of characters until one matches. Brute forcing can be distributed across cloud instances paid for with stolen payment card details, and it runs on GPUs, physical or virtual, because a GPU computes thousands of hash guesses in parallel: a single card has from roughly 1,024 to over 4,096 cores and several cards can sit in one machine. For a fast, unsalted hash such as NTLM or MD5, such a rig can exhaust the whole keyspace of an 8-character password in a matter of hours, or well under an hour when the password uses only letters and digits; a deliberately slow, salted algorithm such as bcrypt stretches the same search by orders of magnitude, so the hashing algorithm matters as much as the length.
Leaked in a breach of third party
Many people use the same password, or variations of it, on multiple systems (password reuse). If one of those systems is breached, and it is often a third-party system, the password is exposed. Many business accounts were exposed through the password leaks at LinkedIn and Adobe and in many breaches since. Lists of these credentials circulate on the public internet and the dark web and are used by attackers for credential stuffing, where leaked username and password pairs are tried against other services. Sextortion emails, in which the attacker quotes a real password from breached data to make the message seem credible, are another example of breached credentials being put to work by cyber criminals.
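The practical defence against reused passwords is to screen candidate passwords against a breach corpus without sending the password itself anywhere. The following is an added example, not code from the article, showing the k-anonymity range lookup used by the Pwned Passwords API (GET https://api.pwnedpasswords.com/range/<5 hex chars>, which returns "SUFFIX:COUNT" lines): only the first five hex characters of the SHA-1 hash leave the client, and the comparison is done locally. The `constructed_fetch` function and its data stand in for the HTTP call so the example runs offline; the counts are made up for illustration.

```python
"""Added example: screening a password against a breached-password corpus with the
k-anonymity range protocol. The response data below is constructed for this example
so the code runs offline; it is not a real API reply."""
import hashlib
from typing import Callable, Dict, Tuple


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Hash the password with SHA-1 (the corpus format) and split the uppercase hex
    digest into the 5-character prefix that is sent to the service and the
    35-character suffix that never leaves the client (only 20 bits are disclosed)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF separated) into a suffix -> count map."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


# Constructed range body for prefix 5BAA6, the prefix of SHA-1("password").
# The first suffix is the real remainder of that hash; counts and other rows are made up.
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "0000A1B2C3D4E5F60718293A4B5C6D7E8F9:2\r\n"
        "FFFF0123456789ABCDEF0123456789ABCDE:17\r\n"
    ),
}


def constructed_fetch(prefix: str) -> str:
    """Stand-in (hypothetical) for an HTTP GET of .../range/<prefix>.
    Any prefix we have no constructed data for returns an empty body."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def breach_count(password: str, fetch: Callable[[str], str] = constructed_fetch) -> int:
    """Number of times the password appears in the corpus (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def policy_decision(password: str, fetch: Callable[[str], str] = constructed_fetch,
                    reject_threshold: int = 1) -> str:
    """Hypothetical password-policy hook: reject anything seen in a breach at least
    `reject_threshold` times, accept otherwise."""
    return "reject" if breach_count(password, fetch) >= reject_threshold else "accept"


if __name__ == "__main__":
    print(sha1_prefix_suffix("password"))
    print(policy_decision("password"))
    print(policy_decision("a-long-unique-passphrase-not-in-the-constructed-corpus"))
```

In production the `fetch` argument would perform the HTTPS request for the prefix; everything else, including the suffix comparison, stays exactly as shown, so the service never learns which password was checked.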
Stolen passwords
Social engineering: victims are tricked into handing their credentials to attackers by phishing emails which, if the links are followed, lead to fake login portals that mimic corporate or vendor portals and capture the credentials as the victim types them in to open a document, listen to a voicemail and so on.
Once attackers have gained access to a network or a system they will attempt to harvest further credentials: passwords stored in plain text in files or scripts, password hashes and cached credentials held in process memory or on disk, or passwords captured as they are transmitted across internal networks. If the passwords are in plain text it is game over, as the attacker can use them straight away. If they are protected, whether encrypted or hashed with or without a salt, the attacker will try to recover them offline using the brute-force and dictionary attacks described above.
What it provides
MFA works by requiring one or more additional secrets that an attacker must possess before they can access an account. A password is a secret that can easily be stolen or guessed, so to ensure it alone does not grant access, an additional secret such as a code from an authenticator app on a phone or a number from a hardware token (for example an RSA SecurID token) is demanded as well. These additional secrets are usually dynamically generated numbers that are valid for a short time only; they are created by an algorithm from a seed that is shared between the token generator and the system when the two are first linked. The current time is public, so the secrecy rests entirely on the seed: without it an attacker cannot generate the code that is valid right now, and a code they do manage to capture expires within a short window.
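The time-based codes described above are specified in RFC 6238 (TOTP), which applies RFC 4226 (HOTP) to a counter derived from the clock. The block below is an added worked example, not code from the article or from any vendor's product: it derives codes from a seed, then shows the server-side checks a practitioner would want, namely a small clock-drift window, constant-time comparison, and refusal to accept a step that has already been used (so a captured code cannot be replayed). The seed is the published RFC 6238 reference seed so the output can be compared with the RFC's test vectors; a real enrolment uses a random seed delivered to the authenticator app as base32 in a QR code.

```python
"""Added example: TOTP (RFC 6238) on top of HOTP (RFC 4226), with server-side
verification that tolerates clock drift and rejects replayed codes."""
import hashlib
import hmac
import struct
from typing import Optional

# RFC 6238 Appendix B reference seed for the SHA-1 variant (ASCII "12345678901234567890").
# Real deployments generate a random seed per enrolment; this one is for the test vectors.
RFC6238_SHA1_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # low nibble selects 4 bytes
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of whole `step`-second intervals since the
    Unix epoch. The time is public; only the seed is secret."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, submitted: str, unix_time: int, *, step: int = 30,
                digits: int = 6, window: int = 1,
                last_accepted_step: Optional[int] = None) -> Optional[int]:
    """Server-side check. Accepts the current step and +/- `window` neighbouring steps
    to absorb clock drift, refuses any step at or before the last accepted one so a
    code that was already used (or phished and replayed) is rejected, and compares in
    constant time. Returns the accepted step counter, or None on failure."""
    current = unix_time // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if last_accepted_step is not None and candidate <= last_accepted_step:
            continue
        if hmac.compare_digest(hotp(seed, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    # RFC 6238 vector: T=59 falls in step 1 and yields 94287082 with 8 digits.
    code = totp(RFC6238_SHA1_SEED, 59, digits=8)
    print("code at T=59:", code)
    print("accepted at T=59:", verify_totp(RFC6238_SHA1_SEED, code, 59, digits=8))
    print("replay at T=59:", verify_totp(RFC6238_SHA1_SEED, code, 59, digits=8,
                                          last_accepted_step=1))
    print("expired at T=120:", verify_totp(RFC6238_SHA1_SEED, code, 120, digits=8))
```

The server must persist `last_accepted_step` per user; without it a code remains valid for the whole window (90 seconds here), which is exactly the gap a real-time phishing relay exploits.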
The National Cyber Security Centre (NCSC) in the UK, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) in the USA, along with many vendors such as Microsoft, Adobe and Apple, all recommend the use of MFA as a means of protecting accounts and preventing fraud, identity theft and other cyber-criminal activity. The NCSC has published guidance on using MFA, on setting up 2FA on accounts, on securing Office 365 with MFA and on updating password policies to include MFA. In the last year it has produced alerts on how MFA can stop ransomware attacks, attacks on healthcare and other cyber-criminal activity.
All of the attacks below, reported in the last couple of years, could have been stopped by the use of MFA, and they are only a very small sample of reported incidents:
- In April 2020, more than 500,000 Zoom account credentials were found for sale on the dark web, including credentials for business users at well-known organisations, among them leading financial and educational institutions. Zoom itself was not breached: attackers ran a credential stuffing attack against it using credentials listed in previous breaches at other companies, and each pair that successfully logged in was added to the list they were selling. Had the victims used MFA, the attackers would not have been able to access Zoom, as they would not have had the second secret.
- In early 2019, a large IT outsourcing firm was hacked, but its own systems may not have been the ultimate target. Because it is a trusted vendor to many other companies, the attackers used their ill-gotten access to launch further attacks against the firm's customers. The initial breach was the result of a successful phishing campaign against the firm's employees, which gave the hackers administrative credentials used to manage client accounts. From there, it is believed the cybercriminals attacked the firm's customers in order to reach their customer names and systems and steal money through retail and financial gift card fraud. Had the outsourcing firm used MFA, the attackers would not have been able to access its systems even with the employees' phished passwords.
- The hackers responsible for last year's Twitter attack breached Twitter's backend systems by stealing credentials from within the social media platform's private employee Slack channel. Once inside Twitter's systems, the attackers were free to take over at least 103 accounts and download the personal data of at least 8 of them. Had Twitter (and Slack) been using multi-factor authentication, the entire attack could have been foiled, saving Twitter and Slack their respective reputations and Twitter's users hundreds of thousands of dollars.
- Marriott International experienced another breach in 2020 while still recovering from the 2018 data breach that exposed approximately 339 million customer records. In January, a hacker used the credentials of two employees at a Marriott property to collect data for a month before being discovered. The breach exposed personally identifiable information of 5.2 million customers, including contact information, personal details such as gender and birthday, and loyalty account information. Again, had Marriott deployed MFA, the credentials, however the attacker obtained them, could not have been used to access Marriott International systems and 5.2 million customers' details would have been safe.
MFA using an application on an employee's corporate or even personal phone (virtual MFA or vMFA) is an easy way of providing a secure additional credential. The use of SMS messages or a phone call to a registered number is not considered secure by NCSC, NSA, CISA or Microsoft because of the risk of SIM swapping attacks; the dynamically generated codes from an installed application are far more resilient to such attacks. Note that any one-time code, from SMS or an app, can still be relayed by a phishing page that forwards it to the real service in real time, so the code's short lifetime and the replay protection on the server are what limit the damage. For most companies, whose staff are unlikely to be individually targeted for a SIM swap given their victim profile, even SMS or a phone call provides a significant security improvement over a password alone.
Business case
A successful breach has considerable consequences and costs for the impacted company, both tangible and intangible: loss of customers, fines from the Information Commissioner's Office (ICO) and other regulators, class and group legal actions, loss of reputation, increased insurance and regulatory costs, and possibly even having to provide anti-fraud or identity theft cover to those affected. Given the breach statistics above, it is very likely that if a company is breached it is the result of a stolen or cracked credential being used to gain access.
The misuse of credentials by cyber criminals can be reduced considerably by deploying MFA, which is increasingly supported by vendors and is becoming easier and more transparent for end users. MFA can be a low-cost control against credential misuse that prevents the very high costs incurred during a breach.
Summary
MFA is not a silver bullet for security woes, but it is an important tool in strengthening authentication. It is not infallible either: highly skilled attackers with sufficient time, resources and determination are still likely to get into your network. MFA will, however, deter those after the low-hanging fruit of easy account credential compromise. As part of a layered approach to security, combined with access control based on genuine business need to know, the allocation of only those permissions and rights necessary for the job, and regular review of access rights, it strengthens the security profile of an organisation. Used alongside monitoring and logging of access and other technical controls, it makes a cyber attacker's work harder to complete, and they will often move on to a softer target.