Over the past few months, we have seen an unprecedented number of impersonation attacks targeting accounts protected by two-factor authentication (2FA), challenging the perception that existing 2FA solutions provide adequate protection against identity theft attacks. The recent Uber breach is just one example, but we see many campaigns bypassing 2FA on various platforms.
For over a decade now, implementing 2FA/MFA has been considered the best solution for organizations to implement against account takeover attacks, whether they are based on phishing, brute force, password theft or any other fraudulent means of obtaining login credentials. And while industry experts have warned of the potential abuse of these mechanisms for years, little attention has been paid. Most knew 2FA attacks were possible, but thought they were too complicated to execute and didn’t really happen in the real world.
Over time, however, cases of successful attacks have become more common. What changed for this to happen? In a word: motivation.
When 2FA was only implemented by a small number of organizations, attackers did not see an urgent need to develop techniques and skills to circumvent it. They were just focusing on the rest of the world, those that hadn’t implemented 2FA properly yet. But over the past two years, we’ve seen a huge increase in 2FA adoption, which has motivated attackers to develop the technology to circumvent 2FA. Additionally, the increased shift to cloud and SaaS applications, combined with single sign-on, has made identity the new perimeter, making the potential gain from account takeover even higher than before.
It is important to note that while the industry frequently uses MFA and 2FA interchangeably, MFA is the general concept of multi-factor authentication, i.e. using multiple factors to authenticate a user. What most organizations have implemented is 2FA – the minimum viable implementation of MFA, using the existing username/password mechanism with an additional second factor, such as an OTP (one-time password), an authenticator app push approval, or an SMS-based token (similar to an OTP).
The problem with this type of second factor is that it is not necessarily stronger than a password; it is only shorter-lived. Passwords are a secret that offers decent protection against identity theft – if kept secret. Attacks such as phishing, brute force, or SQL injection against databases holding passwords are all designed to do one thing: discover the password so the attacker can use it. One-time passwords are similar: if the attacker knows the one-time password, he can use it to authenticate. The protection it provides is therefore tied to the window of time during which it can be used: a normal password lives for weeks or months, but a one-time password is valid for seconds or minutes.
Similarly, an app push approval uses strong protocols to validate a one-time token, but an attacker using that validation in the correct time window will still be able to gain control of the account. For a few years, that seemed like a reasonable approach. Attackers would harvest passwords for a period of time, store them offline, and then use them later, rendering any potential tokens they stole obsolete.
But with time being the only limiting factor, as motivation grew, attackers developed the technology and practices to carry out these attacks in near real-time, allowing them to hijack accounts as they did before the implementation of 2FA.
The two most common techniques today for circumventing 2FA are Adversary in the Middle (AiTM) and MFA fatigue.
- AiTM is a technique used by attackers to perform phishing attacks through a proxy. Rather than harvesting passwords and trying to use them later, attackers proxy the user’s login attempt, including the second-factor authentication (whether an OTP or an MFA push approval), and obtain a new session for the attacker, in real time, which is then used for future access. Since MFA sessions are valid for 14-30 days in most cases, this leaves the attacker with considerable time to use the hijacked account. We’ve seen this in several campaigns, including enrolling a new MFA authenticator app to maintain persistence beyond the MFA session lifetime. It’s important to note that while this may seem more complicated, there are now at least three popular phishing kits (and one custom) that automate this process for attackers.
- MFA fatigue is a technique that can be used against MFA challenges delivered as push notifications in an MFA authenticator app. In this scenario, the attacker first obtains the username/password using a traditional approach (phishing, stealing the password database, etc.), before launching the MFA attack itself. The attacker then begins repeatedly attempting to log in with the stolen credentials. Each time the attacker does this, the user receives a push notification in their app asking them to approve the authentication. Many users see this as a glitch in the system and approve it immediately, or approve it eventually when they get tired of the notifications and of pressing No every time.
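An added example (not from the original article) of how a defender can spot the MFA fatigue pattern described above in authenticator push logs. The log records and their field names are constructed for the demo and would have to be mapped onto the sign-in log format of your identity provider:

```javascript
// Constructed sample push-approval events: ts = epoch seconds, user,
// result of the push prompt, and the source IP of the login attempt.
const SAMPLE_LOGS = [
  { ts: 1000, user: "alice", result: "denied",   ip: "203.0.113.7" },
  { ts: 1030, user: "alice", result: "denied",   ip: "203.0.113.7" },
  { ts: 1070, user: "alice", result: "denied",   ip: "203.0.113.7" },
  { ts: 1110, user: "alice", result: "approved", ip: "203.0.113.7" }, // user gave in
  { ts: 1200, user: "bob",   result: "approved", ip: "198.51.100.2" },
  { ts: 5000, user: "bob",   result: "denied",   ip: "198.51.100.2" }, // lone denial, benign
];

// Detection rule (assumed thresholds): a user who denies denyThreshold or
// more push prompts inside a sliding window of `window` seconds is under a
// fatigue campaign; an approval that follows those denials inside the same
// window is the likely account-takeover moment and should be escalated.
function detectMfaFatigue(logs, { window = 600, denyThreshold = 3 } = {}) {
  const byUser = new Map();
  for (const e of [...logs].sort((a, b) => a.ts - b.ts)) {
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push(e);
  }
  const alerts = [];
  for (const [user, events] of byUser) {
    const recentDenies = [];
    for (const e of events) {
      // drop denials that have fallen out of the sliding window
      while (recentDenies.length && e.ts - recentDenies[0].ts > window) recentDenies.shift();
      if (e.result === "denied") {
        recentDenies.push(e);
        if (recentDenies.length === denyThreshold) {
          alerts.push({ user, kind: "fatigue-campaign", ts: e.ts, ip: e.ip });
        }
      } else if (e.result === "approved" && recentDenies.length >= denyThreshold) {
        alerts.push({ user, kind: "approval-after-denials", ts: e.ts, ip: e.ip });
      }
    }
  }
  return alerts;
}

console.log(detectMfaFatigue(SAMPLE_LOGS));
```

The second alert kind is the one worth paging on: it marks the approval that turns a noisy campaign into a live session for the attacker.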
For our industry, this means that the effectiveness of existing 2FA solutions is negated. It’s safe to assume that almost all phishing attacks will soon be powered by these new 2FA-bypass frameworks, and we’ll be back to where we were a few years ago, with just a username and password standing, ineffectively, between attackers and our data and systems.
The solution is to adopt MFA more fully, moving to three-factor authentication (3FA) by adding an additional factor, but this time one that the attacker cannot use to authenticate from a foreign device. This can be done by binding user authentication to a specific device or hardware token.
Hardware tokens supporting the FIDO2 protocols produce, during authentication, a signature that is tied to the specific host being used and the specific server being accessed, making it impossible for attackers to reuse it. But organizations don’t need to go out and buy a dedicated hardware device for this. A similar implementation of FIDO2 (or a similar approach) can be performed directly on user devices, effectively tying authentication to specific devices and making it impossible for an attacker to create a new session from a new device.
This feature is offered by the two largest identity providers, Microsoft 365 and Okta.
With Microsoft 365, Conditional Access (which is the primary way to handle 2FA/MFA) can be configured to allow logins only from devices enrolled in Intune (Microsoft’s MDM). If configured correctly, this renders AiTM and MFA fatigue attacks ineffective. Microsoft also offers integration with Windows Hello for secure FIDO2 logins (from Windows machines at this point).
Okta also offers similar functionality through integration with third-party MDM solutions (as well as hardware tokens).
There is, however, a caveat. Very few organizations have implemented these solutions to date, so they are still somewhat immature. We’ve seen organizations try to implement these solutions, and they’re facing significant overhead, user frustration, and many edge cases with no resolution to date. Hopefully, as the industry increases adoption of these 3FA solutions, vendors will allocate the necessary resources to perfect them, making them the default path and challenging attackers to come up with new techniques.
It is now clear that implementing a third, hardware/device-based factor is the only way for organizations to protect against phishing and other account takeover attacks, and therefore… 2FA is dead. Long live 3FA!