As security breaches involving employee credentials continue to rise, organizations need to take a hard look at their MFA practices. Tony Lauro, director of security strategy for Akamai Technologies looks at the efficacy of MFA and the best way to eliminate risk.
Working from home over the past year has been eye-opening to say the least. One of my last memories of the outside world was me sitting on a plane coming back from the RSA Conference in San Francisco after hearing a talk from two Microsoft employees about breaking password dependencies by advocating the use of multifactor authentication (MFA) and the FIDO2 authentication standard. Haven’t heard of FIDO2 before? Well, you’ve most likely used MFA at one point or another.Â
MFA for employee logins is hardly a new concept; it’s been around since the earliest days of the internet. The basic premise of MFA is to add an additional layer of security to workforce logins over and above usernames and passwords. The most recent Verizon’s Data Breach Investigations Report states that 80% Opens a new window of data breaches involved compromised employee credentials, so it would appear that deploying MFA would be a common practice. However, Microsoft recently said that only 11%Opens a new window of accounts they surveyed actually had MFA enabled. Let’s dive into why that might be.
There are some key challenges to tackle when looking at MFA technologies. In looking at the ISO 9241-11Opens a new window framework, usability is defined as â€œthe extent to which a product can be used by specified users to achieve specific goals with effectiveness, efficiency, and satisfaction in a specified context of useOpens a new window â€.Â
In the context of MFA, what this means is that when users interact with the MFA technology it has to meet minimum requirements for effectiveness, efficiency, and most of all from a user’s perspective, satisfaction. In the end, if a technology solution isn’t easy to use, adoption from the user community will be more difficult.Â
So that covers satisfaction, and now let’s look at the prior two requirements.Â
First, let’s look at effectiveness, which could be partially impacted by the satisfaction rating from the user’s perspective as well as from the administrator’s point of view, depending on how difficult or easy it is to implement the MFA solution. In the case of MFA technology, this really is an important factor. Some users coming into the modern workforce might view physical tokens or security keys as â€œoverkillâ€ and from an administrator’s perspective the cost and the hassle of replacing lost or stolen keys is certainly also a detractor, but let’s look at why having a physical key is so important.
Another way to quantify effectiveness is to ask the question â€œhow well does this MFA solution actually protect my employee accountsâ€? And if you’re curious how the attackers view your MFA solution, just go to Youtube and search for: MFA Bypass techniquesOpens a new window . Once a bypass is recorded to Youtube as a user-friendly attack tutorial, it’s probably time to re-evaluate your MFA solution. There’s even mention of such an attack as described in the FX documentary airing on Hulu called â€œThe Teenager Who Hacked Twitterâ€.Â
Essentially, the Hulu documentary highlighted a critical issue with how most standard push MFA solutions operate. If an attacker can trick an employee into submitting their credentials and request for MFA through a link to a malicious phishing portal that acts as a man-in-the-middle (MiTM), then the corporate user can be easily tricked into clicking â€œI acceptâ€ on their MFA application. However, instead of access being granted to the user, it is given to the attacker. To simplify that a bit, there is no cryptographic tie-in between the web browser that’s requesting the MFA authentication and the device that’s tapping the â€œallowâ€ MFA granted access.Â
All of this calls into question the idea of efficacy. How well does standard push MFA stand up with all of these bypass issues that have already been seen to occur in the wild? In comes physical security keys to save the day. Physical keys serve the purpose of tying the MFA challenge received by the user to the request for access that the same user made. So although this makes sense from a security perspective the first thing that jumps out is that security keys have a long history of issues.Â
Almost ten years ago RSA had to reissue security keys to aLL of their SecureID customersOpens a new window after a corporate breach and exposure of private key information was detected. Or to explore a more simple and probable option, which is to simply lose the security key altogether â€” which would require terminating access to the lost key, ordering a new one, and then going through the setup process all over again. During this time, you have users who cannot connect to corporate resources. Not a good outcome. Multiply this by however many corporate users you have and you can see why this could become costly, both from the tech support perspective as well as the cost to replace lost or stolen keys.
Because of these different risks and gaps in the current technology available to enterprises, the FIDO2 and WebAuthn standards have been developed to create a framework that allows a strong crypto-based authentication process that can be tied into a device we all already carry with us everywhere we go; our smartphones. Using a cryptographic tie-in between the phone itself and the user it belongs to, using a locally installed agent, and by extending that relationship to the web portal itself that requests the MFA authentication on behalf of the user, can provide a phish-proof MFA option for enterprises to adopt.Â
Leveraging an edge-based platform to develop this can effectively decrease the deployment and support complexity of trying to build this from scratch. With this strategy, corporate administrators can successfully remove the risk from traditional MFA bypass techniques that would otherwise cost a considerable amount of time and money to resolve as well as answering the three key questions that lead to the successful adoption of new technology.