MULTI FACTOR AUTHENTICATION – MFA
Authentication (in computer systems) is the process of validating that an actor (such as a user) within a system is who they claim to be. Traditionally, authentication has been performed through the submission of a username and password, but it has been clear for a long time that this is not adequate to provide strong authentication. Strong authentication is also important to ensure non-repudiation is possible, that is, that a user cannot successfully dispute that they performed an action.
THE PROBLEM WITH USERNAMES AND PASSWORDS
Username and password authentication is the most widely used authentication method. It relies on a user providing a secret to prove they are the user they claim to be. If the password remains secret, then only the user who knows the password can authenticate themselves.
However, unfortunately this does not always hold true.
Users frequently share passwords between applications. Whilst some users are diligent and utilise tools such as password managers, evidence has shown that most do not. This means that if their password is compromised in one application, an attacker may use this password on other sites to gain access to the user’s account. Compromised credentials found this way are often used within attacks known as “credential stuffing”, where huge lists of credentials are tried against target sites.
Users have a habit of sharing their password with other users, especially if the other user is helping them solve an issue they are having. Once a password has been shared it is no longer secret and should be considered compromised.
Users are typically lazy, as there is a cognitive load in having to remember many passwords. Those not using a password manager are therefore likely to pick easy-to-remember passwords and are as such vulnerable to password spraying attacks, where malicious actors try common weak passwords against every user in an environment hoping at least one user has (re)used it.
If usernames and passwords alone are not good enough, then what else can be used?
These other “things” are known as factors, and they are broken down into the following categories:
Something you know;
Something you are;
Something you have;
Somewhere you are.
If we require two or more of these factors, rather than a password alone, we can make a much stronger assertion that a user is who they claim to be.
SOMETHING YOU KNOW
Something you know (also known as the 'knowledge factor') is the most common factor in use, and is typically implemented as a password, but other variations on this, such as a PIN (personal identification number) or passphrases (passwords in the form of a sentence), also exist. We have already discussed the weaknesses of using passwords alone; a strong secret should be unique and hard to guess, but it is also typically expected to be memorised.
SOMETHING YOU ARE
Something you are factors (also known as 'inherent factors') are those attributes directly and normally uniquely associated with the user. Typically, this will be a factor such as biometrics, fingerprints being a common example. The advantage of something you are factors is that the user will always have their factor with them. The key disadvantages are the need for specialised hardware to read the biometrics, and that if compromised there is no way to change the factor. Other common factors in this class include iris scanning and face recognition as found on common smart devices.
SOMETHING YOU HAVE
Something you have (also known as a 'possession factor') is the most common additional factor currently in use, especially when authenticating to online systems. It utilises a physical asset to prove who you are. This can be likened to a lock and key, where the key is the factor that proves you have the right to access a resource. Push-based authentication such as SMS or other authenticator applications would also fall under this, as they aim to prove you have access to a device such as a smart phone. These, however, have had issues over the years, especially SMS-based tokens, and as such are best avoided.
SOMEWHERE YOU ARE
The least used of the factors, but steadily becoming more common, is the 'somewhere you are' factor (also known as the 'location factor'). Examples include a user being connected to a specific, trusted and known network, or having performed a recent action that can be tied to a specific geographic location. We are seeing this factor often being considered in authentication schemes to increase or decrease the controls in place, for example requiring users in certain countries to undertake additional checks.
In practice most systems deploy multi-factor authentication (also known as '2FA' or 'MFA'), where a user must present their password and one other factor (usually a “something you have” factor). We have outlined the most common implementations below.
TIME-BASED ONE TIME PASSWORD - TOTP
TOTP codes are one of the most popular methods of implementing a second factor. This is because the only thing that has to stay synchronised between the token and the server is an accurate clock; no direct communication between the token and the authenticating server is needed. Multiple solutions exist for time-based one-time passwords, but the TOTP protocol has become the de facto standard, with many implementations of both generators and validators existing.
FIDO2 / U2F
This system uses physical tokens (typically USB based) that must be presented and activated each time a user needs to authenticate. These tokens have a significant advantage over TOTP in that they validate the requesting domain, which helps prevent 'man in the middle' and 'impersonation' attacks. Deployment of these tokens has been curtailed by the cost of the tokens and historically weak support in browsers; however, these issues are diminishing as the price of tokens has decreased and browser support has improved.
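The domain validation mentioned above happens because the browser records the origin in the clientDataJSON that the token signs over, and the relying party must then check it. The following is an added example (not code from the original article or from any FIDO library) of those relying-party checks on a constructed clientDataJSON; the origin `https://login.example.com` and the look-alike host are assumptions for the demo.

```python
import base64
import hashlib
import json
import secrets

RP_ORIGIN = "https://login.example.com"  # assumed relying-party origin (constructed)

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """What a browser serialises as clientDataJSON for a webauthn.get ceremony
    (constructed sample; the browser, not the page's script, fills in origin)."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()

def check_client_data(client_data_json: bytes, expected_challenge: bytes,
                      expected_origin: str = RP_ORIGIN) -> str:
    """Relying-party checks from the WebAuthn assertion verification steps.
    Returns "ok" or the reason for rejection. The origin check is what defeats
    a look-alike site: the authenticator signs over SHA-256(clientDataJSON),
    so the origin cannot be swapped after the signature is produced."""
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return "malformed clientDataJSON"
    if data.get("type") != "webauthn.get":
        return "unexpected ceremony type"
    if not secrets.compare_digest(b64url_decode(data.get("challenge", "")), expected_challenge):
        return "challenge does not match the one issued for this login"
    if data.get("origin") != expected_origin:
        return f"origin {data.get('origin')!r} is not the relying party"
    return "ok"

def client_data_hash(client_data_json: bytes) -> bytes:
    """The value the authenticator signed together with authenticatorData."""
    return hashlib.sha256(client_data_json).digest()

if __name__ == "__main__":
    challenge = secrets.token_bytes(32)  # fresh per login, stored server-side
    print(check_client_data(make_client_data(RP_ORIGIN, challenge), challenge))
    print(check_client_data(make_client_data("https://login.example.com.evil.test", challenge), challenge))
```

The signature over authenticatorData plus client_data_hash still has to be verified against the credential's registered public key; that step is omitted here as it depends on the key type.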
SIDE CHANNEL (SMS/EMAIL/PUSH NOTIFICATION)
This approach works to prove you have access to a device by sending a message over a side channel that is outside the communication system used by the system being authenticated to. Whilst these systems are better than using no additional factors, their use for sensitive systems is not recommended, as realistic attacks against them, such as phone SIM swapping and MFA 'bombing', have been shown to be effective at subverting them.
FINGERPRINT
Fingerprint-based authentication has become popular on mobile devices due to the commonplace availability of hardware to perform this action on smart devices. A fingerprint can be seen as providing two factors, because it is registered with a specific device and so proves both something you have and something you are, when implemented correctly.
Organisations that do not fully implement MFA on their web-accessible systems have repeatedly given CovertSwarm's ethical hackers one of the most common routes to breaching their security, exactly as a genuine bad actor would. We strongly recommend the adoption of MFA wherever possible in your own technology estate.
We hope this article has helped you better understand MFA and the options available if you are not yet protecting your systems with MFA. If you would like further help understanding the options available to you, or to review your existing MFA solution, then please reach out and the team here at CovertSwarm will be more than happy to help.
Look out for our next, follow-up, post on how malicious actors work to breach MFA, so you have the knowledge to increase the security of your accounts and applications.
The team at CovertSwarm is driven by a single objective – To constantly compromise the security of our clients through the deep detection of blind spots within their cyber defences and technology stacks before real threat actors are able to exploit them.
Our continuous client-focused cyber intelligence gathering, simulated attack, clear vulnerability reporting, live ethical hacker interaction capability and follow-up education services challenge the status quo of a cyber market in desperate need of modernisation.
Organisations seeking higher degrees of cyber assurance and security confidence than those offered by ‘snapshot’ penetration testing and red team engagements are increasingly partnering with us. They agree that ‘point in time’ testing is no longer enough to secure their organisations, and it is through this shared ethos that CovertSwarm challenges everything that has so far been considered to be ‘standard’ in today’s cyber vendor market.