For a very long time, multi-factor authentication (MFA) – in the form of push notifications, authentication apps, or other secondary steps – was considered the answer to the growing cybersecurity problem.
But attackers are cunning and persistent, and they keep finding new ways to break through the MFA stronghold.
Today’s enterprises need stronger protection: experts say MFA is still critical, but it should be only one part of the authentication process.
“Traditional MFA methods such as SMS notifications and push notifications have proven to be vulnerable to a variety of attacks, making them almost as vulnerable as passwords themselves,” said Frank Dickson, group vice president for security and trust at IDC. “The increasing prevalence of sophisticated threats requires a shift towards stronger authentication methods.”
Why is MFA not enough?
The once proven practice of relying on passwords now seems quaint.
No matter how long the string of letters, numbers and special characters, a password was easy to steal, because users were careless, lazy, gullible, or overly trusting.
“Traditional passwords are simply shared secrets, little more advanced than a Roman sentinel asking for a secret password thousands of years ago (‘Halt, who goes there? What’s the password?’),” said Lou Steinberg, founder and managing partner at CTM Insights.
Matt Caulfield, vice president of identity security product at Cisco, told VentureBeat: “As soon as they were stolen, it was game over.”
MFA gained popularity from the mid-1990s through the 2000s as more businesses came online, and it looked like the answer to the weakness of passwords. But with digital transformation, the move to the cloud, and the adoption of dozens or even hundreds of SaaS applications, enterprises are more exposed than ever. They no longer sit safely behind firewalls and data centers, and they have lost control and visibility over where their identities are used.
“MFA has been a game changer for a long time,” Caulfield said. “But over the last five years, with new identity attacks, we have discovered that MFA can be easily defeated.”
One of the biggest threats to MFA is social engineering: personalized psychological manipulation. Because people share so much online, on social media and LinkedIn, attackers can research almost anyone in the world before they make contact.
With increasingly sophisticated AI tools, threat actors can run such campaigns “on a massive scale,” Caulfield said. They first use phishing to capture a user’s primary credential, the password, and then use AI-assisted follow-ups to trick the user into handing over the second factor, or into taking an action that gives the attacker access to the account.
Or attackers, already holding the password, trigger a flood of MFA SMS or push prompts, a “push bombing” that produces “MFA fatigue” until the user gives in and taps “allow.” Criminals may also prime victims by manufacturing urgency, or by impersonating the IT help desk so that the prompt looks expected.
In adversary-in-the-middle attacks, the attacker sits between the user and the identity provider, typically behind a reverse-proxy phishing site that mirrors the real login page. The victim enters both the password and the MFA code into the proxy, which relays them to the real service in real time and captures the authenticated session, so the one-time code is used before it expires.
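The push-bombing pattern described above leaves a clear trace in identity-provider logs: a burst of prompts for one user, most of them denied or timed out, and then an approval. The Go program below is an added example for this page (not code from the article or from any vendor quoted in it) that runs a sliding-window detection over a handful of constructed log lines; the JSON field names, the ten-minute window and the four-prompt threshold are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// PushEvent is one MFA push-prompt outcome from an identity provider's log.
// The JSON field names are an assumption for this example, not a vendor schema.
type PushEvent struct {
	User   string    `json:"user"`
	Result string    `json:"result"` // "approved", "denied" or "timeout"
	Time   time.Time `json:"time"`
	IP     string    `json:"ip"`
}

// Alert is a suspected push-bombing burst against one user.
type Alert struct {
	User        string
	Prompts     int  // prompts inside the window
	Approved    bool // the burst contains an "approved": the user gave in
	WindowStart time.Time
	WindowEnd   time.Time
}

// SampleLog is constructed for this example: alice is bombed with five
// unanswered prompts and finally approves; bob and carol look normal.
var SampleLog = []string{
	`{"user":"alice","result":"denied","time":"2024-05-01T02:00:10Z","ip":"203.0.113.7"}`,
	`{"user":"alice","result":"timeout","time":"2024-05-01T02:00:55Z","ip":"203.0.113.7"}`,
	`{"user":"alice","result":"denied","time":"2024-05-01T02:01:30Z","ip":"203.0.113.7"}`,
	`{"user":"alice","result":"denied","time":"2024-05-01T02:02:05Z","ip":"203.0.113.7"}`,
	`{"user":"alice","result":"timeout","time":"2024-05-01T02:02:50Z","ip":"203.0.113.7"}`,
	`{"user":"alice","result":"approved","time":"2024-05-01T02:03:40Z","ip":"203.0.113.7"}`,
	`{"user":"bob","result":"approved","time":"2024-05-01T09:00:00Z","ip":"198.51.100.4"}`,
	`{"user":"carol","result":"denied","time":"2024-05-01T09:10:00Z","ip":"198.51.100.9"}`,
	`{"user":"carol","result":"approved","time":"2024-05-01T09:11:00Z","ip":"198.51.100.9"}`,
	`not json: a corrupt line the parser must skip`,
}

// ParseEvents decodes the log lines, skips malformed ones and returns the
// events in time order.
func ParseEvents(lines []string) []PushEvent {
	var out []PushEvent
	for _, l := range lines {
		var e PushEvent
		if err := json.Unmarshal([]byte(l), &e); err == nil {
			out = append(out, e)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Time.Before(out[j].Time) })
	return out
}

// DetectPushFatigue flags every user who received at least minPrompts push
// prompts within window. A burst ending in "approved" is the classic fatigue
// pattern; a burst with no approval still deserves an alert, because the
// attacker could only trigger the prompts by already holding the password.
func DetectPushFatigue(events []PushEvent, window time.Duration, minPrompts int) []Alert {
	byUser := map[string][]PushEvent{}
	for _, e := range events {
		byUser[e.User] = append(byUser[e.User], e)
	}
	var alerts []Alert
	for user, evs := range byUser {
		var best Alert
		start := 0
		for end := range evs { // sliding window over this user's time-ordered prompts
			for evs[end].Time.Sub(evs[start].Time) > window {
				start++
			}
			if n := end - start + 1; n >= minPrompts && n > best.Prompts {
				best = Alert{User: user, Prompts: n, WindowStart: evs[start].Time, WindowEnd: evs[end].Time}
				for k := start; k <= end; k++ {
					best.Approved = best.Approved || evs[k].Result == "approved"
				}
			}
		}
		if best.Prompts > 0 {
			alerts = append(alerts, best)
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].User < alerts[j].User })
	return alerts
}

func main() {
	for _, a := range DetectPushFatigue(ParseEvents(SampleLog), 10*time.Minute, 4) {
		fmt.Printf("%s: %d prompts between %s and %s, approved=%v\n", a.User, a.Prompts,
			a.WindowStart.Format("15:04:05"), a.WindowEnd.Format("15:04:05"), a.Approved)
	}
}
```

The detector alerts on a burst even without an approval, because the attacker could only trigger those prompts by already holding a valid password; the approved case is the one that needs an immediate session revocation and password reset rather than just a ticket.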
Going passwordless
The weaknesses of traditional MFA have led many enterprises to adopt passwordless methods such as passkeys, device fingerprinting, geolocation, or biometrics.
With passkeys, users are authenticated with a cryptographic key pair: the private key stays on the user’s computer, phone or security key, and the website stores only the matching public key, explained Derek Hanson, vice president of standards and alliances at Yubico, which produces the widely used YubiKey device.
Each login is a challenge-response exchange: the site sends a fresh random challenge, the device signs it together with the site’s identity, and the user confirms intent locally with a biometric sensor (such as a fingerprint or facial recognition), a PIN, or a pattern. Because the signature is bound to the genuine site’s domain, a look-alike phishing page receives nothing it can replay.
“Users don’t have to memorize or manually enter long sequences of characters that can be forgotten, stolen or intercepted,” Hanson said. That removes the burden on users to make the right call during a phishing attempt, because there is no credential to hand over.
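To make the phishing resistance concrete, here is an added Go model of the passkey ceremony, written for this page rather than taken from Yubico or any FIDO library: registration produces a P-256 key pair, the browser refuses to use the credential outside its relying-party domain and writes the true origin into the client data that gets signed, and the server checks the challenge, the origin and the signature. The domain names are assumptions, and the authenticator data is reduced to the rpId hash; real WebAuthn also carries flags, a signature counter and attestation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// Passkey is the private key on the device, scoped to one relying-party ID (a domain).
type Passkey struct {
	RPID string
	Priv *ecdsa.PrivateKey
}

// ClientData models clientDataJSON. The browser, not the web page, fills in
// Origin, so a phishing page cannot claim to be the real site.
type ClientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the site receives back from the browser.
type Assertion struct{ ClientDataJSON, Signature []byte }

// RelyingParty is the site: registered public key, served origin, outstanding challenge.
type RelyingParty struct {
	ID, Origin string
	Pub        *ecdsa.PublicKey
	challenge  []byte
}

// Register creates a passkey for rpID and the matching server-side record.
func Register(rpID string) (*Passkey, *RelyingParty) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if rand.Reader does
	return &Passkey{rpID, priv}, &RelyingParty{ID: rpID, Origin: "https://" + rpID, Pub: &priv.PublicKey}
}

// signedMessage is what the private key signs, as in WebAuthn: sha256(rpId) || sha256(clientDataJSON).
// The site recomputes it with the rpId it expects, so a signature for another domain cannot verify.
func signedMessage(rpID string, clientDataJSON []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientDataJSON)
	m := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return m[:]
}

// BrowserGetAssertion models navigator.credentials.get(): the browser only offers a passkey
// whose rpId is the page's domain (or a parent of it) and signs the challenge with the real origin.
func BrowserGetAssertion(pk *Passkey, origin string, challenge []byte) (*Assertion, error) {
	host := strings.TrimPrefix(origin, "https://") // a real browser knows the page's true origin
	if host != pk.RPID && !strings.HasSuffix(host, "."+pk.RPID) {
		return nil, fmt.Errorf("no passkey for %q is usable on %s", pk.RPID, origin)
	}
	cd, _ := json.Marshal(ClientData{Challenge: challenge, Origin: origin})
	sig, err := ecdsa.SignASN1(rand.Reader, pk.Priv, signedMessage(pk.RPID, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{cd, sig}, nil
}

// Verify is the server side: single-use challenge, origin, then signature.
func (rp *RelyingParty) Verify(a *Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if rp.challenge == nil || string(cd.Challenge) != string(rp.challenge) {
		return fmt.Errorf("challenge unknown or already used")
	}
	rp.challenge = nil // consumed, so a captured assertion cannot be replayed
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin %s is not %s", cd.Origin, rp.Origin)
	}
	if !ecdsa.VerifyASN1(rp.Pub, signedMessage(rp.ID, a.ClientDataJSON), a.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// Login runs one ceremony from origin and reports whether the site accepted it.
func Login(pk *Passkey, rp *RelyingParty, origin string) error {
	rp.challenge = make([]byte, 32)
	rand.Read(rp.challenge) // crypto/rand.Read does not return errors on supported platforms
	a, err := BrowserGetAssertion(pk, origin, rp.challenge)
	if err != nil {
		return err
	}
	return rp.Verify(a)
}

func main() {
	pk, rp := Register("bank.example")
	fmt.Println("genuine site:", Login(pk, rp, "https://bank.example"))
	fmt.Println("look-alike site:", Login(pk, rp, "https://bank-login.example"))
}
```

Running it prints `<nil>` for the genuine site and an error for the look-alike. The look-alike never obtains a signature at all; and even a proxy that relayed the real challenge would fail, because the origin the browser writes into clientDataJSON is under the signature and would not match the site's.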
“Approaches such as device fingerprinting or geolocation can complement traditional MFA services,” explained Anders Aberg, director of passwordless solutions at Bitwarden. “These methods adapt security requirements based on user behavior and context – such as location, device or network – reducing friction while maintaining high security.”
Caulfield agreed that using device and biometrics together is growing. At first enrollment, the user presents their face along with an identity document such as a passport or driving license, and the system performs 3D facial mapping as a kind of “liveness check” to confirm a real person is present. Once the photo ID is confirmed against government records, the system registers the device together with a fingerprint or other biometric.
“You have the device, your face and your fingerprint,” Caulfield said. “Device trust is much more widespread as the recent gold standard against phishing and AI-based phishing attacks. I call it the second wave of the MFA. The first wave was a silver bullet until it wasn’t.”
These methods are not foolproof either. Attackers can try to defeat biometric checks with deepfakes or simply a stolen photo of the real user, which is why the liveness check matters.
“Biometric data is stronger than passwords, but once compromised it cannot be changed,” Steinberg said. “You can change your password if you need to, but have you ever tried changing your fingerprint?”
Using analytics and building a failsafe
Caulfield pointed out that organizations run analytics tools and collect mountains of data, but do not use it to improve their security.
“These tools generate a lot of telemetry,” Caulfield said, such as who is logging in, from where, and on what device. But then they “send it all to a black hole.”
Advanced analytics over that telemetry can also help detect and analyze identity threats, and it is meant to provide a “break or failsafe” when attackers bypass MFA, he said.
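The contextual signals Aberg lists and the telemetry Caulfield says goes into a black hole are the same data. As an added example written for this page (not code from any product quoted here), the Go program below replays constructed login events and scores each one on two of those signals, a device the user has never used before and travel faster than an airliner between consecutive logins, then maps the score to allow, step-up or block. Weights, thresholds, coordinates and the event layout are assumptions.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"time"
)

// LoginEvent is the telemetry a successful login leaves behind. The layout
// is an assumption for this example, not any product's schema.
type LoginEvent struct {
	User, DeviceID, City string
	Lat, Lon             float64
	Time                 time.Time
}

// Decision is the adaptive response: the riskier the context, the more the
// user must prove. Weights and thresholds are illustrative.
type Decision struct {
	User    string
	Time    time.Time
	Score   int
	Reasons []string
	Action  string // "allow", "step-up" or "block"
}

func at(h, m int) time.Time { return time.Date(2024, 5, 1, h, m, 0, 0, time.UTC) }

// SampleLogins is constructed: alice's 12:30 login from Singapore on an unknown
// device, half an hour after Boston, is the post-MFA-bypass pattern to catch.
var SampleLogins = []LoginEvent{
	{"alice", "laptop-1", "Boston", 42.36, -71.06, at(8, 0)},
	{"carol", "phone-c", "Chicago", 41.88, -87.63, at(9, 0)},
	{"alice", "laptop-1", "Boston", 42.36, -71.06, at(12, 0)},
	{"alice", "unknown-7", "Singapore", 1.35, 103.82, at(12, 30)},
	{"carol", "tablet-c", "Chicago", 41.88, -87.63, at(15, 0)},
	{"bob", "phone-b", "London", 51.51, -0.13, at(16, 0)},
}

// haversineKm is the great-circle distance between two coordinates.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	rad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat, dLon := rad(lat2-lat1), rad(lon2-lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * 6371 * math.Asin(math.Sqrt(a))
}

// Evaluate replays logins in time order, keeping per-user state (devices seen
// before, last location) and scores each one. A user's first login only seeds
// the state, as enrollment would.
func Evaluate(events []LoginEvent) []Decision {
	sort.SliceStable(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	seen := map[string]map[string]bool{}
	last := map[string]LoginEvent{}
	var out []Decision
	for _, e := range events {
		d := Decision{User: e.User, Time: e.Time}
		if seen[e.User] == nil {
			seen[e.User] = map[string]bool{}
		}
		if len(seen[e.User]) > 0 && !seen[e.User][e.DeviceID] {
			d.Score += 40
			d.Reasons = append(d.Reasons, "device "+e.DeviceID+" never seen for this user")
		}
		if prev, ok := last[e.User]; ok {
			km, hours := haversineKm(prev.Lat, prev.Lon, e.Lat, e.Lon), e.Time.Sub(prev.Time).Hours()
			if hours > 0 && km/hours > 900 { // faster than an airliner: two people, one account
				d.Score += 60
				d.Reasons = append(d.Reasons, fmt.Sprintf("%s to %s, %.0f km in %.1f h", prev.City, e.City, km, hours))
			}
		}
		switch {
		case d.Score >= 80:
			d.Action = "block"
		case d.Score >= 40:
			d.Action = "step-up"
		default:
			d.Action = "allow"
		}
		seen[e.User][e.DeviceID] = true
		last[e.User] = e
		out = append(out, d)
	}
	return out
}

func main() {
	for _, d := range Evaluate(SampleLogins) {
		fmt.Printf("%s %-6s %-7s score=%3d %v\n", d.Time.Format("15:04"), d.User, d.Action, d.Score, d.Reasons)
	}
}
```

Carol's afternoon login from a new tablet in the same city gets a step-up prompt rather than a block, which is the friction-versus-security trade-off Aberg describes; alice's Singapore login trips both signals and is blocked even though, as far as the identity provider is concerned, it passed MFA.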
Ultimately, companies need a failsafe strategy, agreed Ameesh Divatia, co-founder and CEO of the data protection company Baffle. Personally identifiable information (PII) and other confidential data must be cryptographically protected: masked, tokenized, or encrypted.
“Even if a data breach occurs, cryptographically protected data will be useless to the attacker,” Divatia said. In fact, GDPR and other data protection laws do not require companies to notify affected individuals when cryptographically protected data is leaked, because the data itself is still secure, he noted.
“Failsafe simply means that when one or more cybersecurity protections fail, your data will still be safe,” Divatia said.
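Divatia's three techniques can be applied field by field. The Go example below is added for this page (not Baffle's product or code): it tokenizes an e-mail address with an HMAC so it stays searchable, encrypts a Social Security number with AES-256-GCM bound to the record ID, and masks a card number for display, so that a dump of the stored row carries no usable PII. The key handling is a stand-in for a KMS, and the customer record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Customer is the record as the application sees it.
type Customer struct{ ID, Email, SSN, Card string }

// Protected is what lands in the database: nothing in it is plaintext PII.
type Protected struct {
	ID       string
	EmailTok string // keyed-hash token: exact-match searchable and joinable, not reversible
	SSNEnc   string // AES-256-GCM ciphertext bound to the record ID; reversible only with the key
	CardMask string // last four digits only, for display
}

// Keys would live in a KMS or HSM, never next to the data. Generated per run here.
type Keys struct{ Token, Data []byte }

func NewKeys() (*Keys, error) {
	buf := make([]byte, 64)
	_, err := rand.Read(buf)
	return &Keys{Token: buf[:32], Data: buf[32:]}, err
}

// Tokenize normalizes the value and HMACs it: equal inputs give equal tokens for
// lookups, but without the key an attacker cannot brute-force the token the way
// they could a plain hash of an e-mail address.
func Tokenize(key []byte, v string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(strings.ToLower(strings.TrimSpace(v))))
	return hex.EncodeToString(m.Sum(nil))
}

// Encrypt seals plaintext with AES-GCM; aad ties the ciphertext to its record,
// so a ciphertext copied into another row fails to decrypt.
func Encrypt(key []byte, plaintext, aad string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return hex.EncodeToString(gcm.Seal(nonce, nonce, []byte(plaintext), []byte(aad))), nil
}

// Decrypt reverses Encrypt; it fails if key, nonce, tag or aad do not match.
func Decrypt(key []byte, enc, aad string) (string, error) {
	raw, err := hex.DecodeString(enc)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", fmt.Errorf("malformed ciphertext")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(aad))
	return string(pt), err
}

// Mask keeps only the last four digits of a card number.
func Mask(card string) string {
	digits := strings.NewReplacer(" ", "", "-", "").Replace(card)
	if len(digits) <= 4 {
		return strings.Repeat("*", len(digits))
	}
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

// Protect converts a Customer into its stored form.
func Protect(k *Keys, c Customer) (Protected, error) {
	enc, err := Encrypt(k.Data, c.SSN, c.ID)
	return Protected{c.ID, Tokenize(k.Token, c.Email), enc, Mask(c.Card)}, err
}

// LeaksPlaintext reports whether a sensitive value survives in the stored form.
func LeaksPlaintext(p Protected, c Customer) bool {
	stored := strings.ToLower(p.EmailTok + p.SSNEnc + p.CardMask)
	return strings.Contains(stored, strings.ToLower(c.Email)) || strings.Contains(stored, c.SSN)
}

func main() {
	k, _ := NewKeys()
	c := Customer{"c-1001", "Alice@Example.com", "123-45-6789", "4111 1111 1111 1111"} // constructed record
	p, _ := Protect(k, c)
	fmt.Printf("%+v\nleaks plaintext: %v\n", p, LeaksPlaintext(p, c))
}
```

The record ID as additional authenticated data is the detail worth copying: with it, an attacker who can write to the database cannot move a ciphertext from one row to another to impersonate a customer, and the failure is a hard decryption error rather than silently wrong data.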
There’s a reason it’s called “multi-factor”
None of this means MFA will disappear.
“Overall, the authentication hierarchy starts with MFA because poor MFA is still better than no MFA, and that cannot be overlooked,” Dickson said.
As Caulfield noted, it’s called multi-factor authentication for a reason: “multi-factor” can mean many things. It might be a combination of passwords, push notifications, fingerprint scans, possession of a registered device, biometrics, hardware security keys, or RSA tokens (and whatever comes next).
“MFA is here to stay; the only question now is, ‘How good is your MFA?’ Is it basic, mature or optimized?” he said. Still, he emphasized: “There will never be a single factor that by itself is completely safe.”