For many years, multifactor authentication (MFA) has been key to mitigating password risk. But as MFA use has increased, cybercriminals have adapted their credential theft tactics.
In January 2022, the Office of Management and Budget (OMB) issued a memo recommending that federal agencies move to passwordless MFA. And while this memo is directed only at federal agencies, the US government is raising the cybersecurity baseline. It’s up to private-sector organizations to take notice.
One strategy that has emerged is zero trust. At least 76% of organizations have started implementing their zero-trust strategies, with MFA taking a prominent role. The National Institute of Standards and Technology recommends extending your MFA strategy to include assurance of device identity. This leads to more authentication confidence than what multiple user identity factors alone can provide.
Keep reading to learn how you can harden identity policies by extending your MFA strategy and leveraging existing security options.
Understanding MFA Limitations
Traditionally, strong passwords were the go-to strategy for reducing brute-force attacks. But most people can’t remember all of their complex passwords, so they end up recycling them across multiple accounts. The average person reuses their password 14 times, and they often use the same password across both personal and organizational accounts. This creates a blind spot in which organizational accounts can be compromised by phishing attacks on personal accounts — something that is completely outside of organizational email protection capabilities.
We’ve also seen an increase in man-in-the-middle (MiTM) phishing, SMS hijacking, and email hijacking attacks. MiTM phishing happens when adversaries exploit second factors delivered over out-of-band paths, such as app notifications, email, or SMS. The user initiates a password authentication request that the adversary intercepts; the adversary then submits a separate authentication request, which triggers an out-of-band second-factor prompt to the user. Users often approve these prompts because they are indistinguishable from their own.
In an SMS hijacking attack, the adversary redirects the SMS notification destination to their own device. This allows them to initiate an authentication request that can be approved without the knowledge of the user. Similarly, adversaries can use a compromised email mailbox to approve email-based second factors. Since email is also often used as a path for recovery of credentials to non-SSO services, a compromised mailbox can also lead to the compromise of a long chain of dependent services through third-party password resets.
Another possible blind spot is with phishing attacks that use illicit consent grants, as these can be harder to detect than traditional phishing attacks. In an illicit consent grant attack, the adversary tricks end users into granting a malicious application consent to access their data on their behalf, usually via an email with a link. This is challenging because the link destination itself is not malicious, only the application. After the malicious application has been granted consent, it uses application-level access to data without requiring the user’s credential.
Unfortunately, typical mitigation steps, such as requiring MFA or resetting passwords for breached user accounts, are not effective against these types of attacks. Because the attacks take place downstream of authentication using third-party applications external to the organization, adversaries can create their own external persistent access paths. So how do organizations address this challenge?
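The common thread in the MiTM and SMS hijacking scenarios above is that the primary (password) step and the out-of-band approval come from different places: the password is submitted from the adversary's host, while the prompt is approved on the user's phone. A defender can look for exactly that split in sign-in telemetry. The following is an added example for this article, not code from the article's author or any identity product; the log layout, the device and IP inventory, and every address in it are constructed for illustration.

```python
"""Flag out-of-band second-factor approvals whose primary (password) step
came from a source the user has never used. Example code added for this
article, not from any vendor product; the log format, the user/device
inventory and all IP addresses are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SignInEvent:
    ts: datetime
    user: str
    stage: str       # "password" (primary factor) or "mfa_result" (out-of-band factor)
    src_ip: str      # address the request was made from
    device_id: str   # registered device id, or "" when the client presented none
    result: str      # "ok"/"fail" for password, "approved"/"denied" for mfa_result


# Constructed inventory of devices and egress IPs each user is known to use.
KNOWN_DEVICES = {"alice": {"dev-laptop-01", "dev-phone-01"}}
KNOWN_IPS = {"alice": {"203.0.113.10"}}


def find_suspicious_approvals(events, window=timedelta(seconds=120)):
    """Return one finding per approved second factor whose most recent
    password step (same user, within `window`) used neither a registered
    device nor a known IP. Both conditions must fail, so a travelling user
    on a registered laptop does not fire the rule."""
    findings = []
    by_user = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(ev.user, []).append(ev)
    for user, evs in by_user.items():
        last_pw = None
        for ev in evs:
            if ev.stage == "password" and ev.result == "ok":
                last_pw = ev
            elif ev.stage == "mfa_result" and ev.result == "approved" and last_pw:
                if ev.ts - last_pw.ts <= window:
                    unknown_dev = last_pw.device_id not in KNOWN_DEVICES.get(user, set())
                    unknown_ip = last_pw.src_ip not in KNOWN_IPS.get(user, set())
                    if unknown_dev and unknown_ip:
                        findings.append({
                            "user": user,
                            "password_ts": last_pw.ts.isoformat(),
                            "src_ip": last_pw.src_ip,
                            "device_id": last_pw.device_id or "<none>",
                            "approved_ts": ev.ts.isoformat(),
                        })
                last_pw = None  # each password step is correlated at most once
    return findings


T0 = datetime(2022, 3, 1, 9, 0, 0)
# Constructed log: a normal sign-in from alice's laptop, then the same
# credential submitted from an unknown host with no device identity; the
# push prompt is approved on alice's phone 25 seconds later.
SAMPLE_EVENTS = [
    SignInEvent(T0, "alice", "password", "203.0.113.10", "dev-laptop-01", "ok"),
    SignInEvent(T0 + timedelta(seconds=8), "alice", "mfa_result", "203.0.113.10", "dev-phone-01", "approved"),
    SignInEvent(T0 + timedelta(hours=3), "alice", "password", "198.51.100.77", "", "ok"),
    SignInEvent(T0 + timedelta(hours=3, seconds=25), "alice", "mfa_result", "203.0.113.10", "dev-phone-01", "approved"),
]

if __name__ == "__main__":
    for finding in find_suspicious_approvals(SAMPLE_EVENTS):
        print(finding)
```

The rule is deliberately conservative: it fires only when both the device identity and the network origin of the password step are unfamiliar, which is why the section that follows argues for asserting device identity during authentication rather than relying on the second factor alone.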
Implementing Phish-Resistant Authentication
Having stronger means of authentication and more modern options doesn’t mean organizations can roll them out overnight. In most cases, it makes sense to ensure MFA is used everywhere. For example, organizations can layer in conditional access policies requiring users to limit their activities to organizational devices, helping to mitigate external phishing scenarios.
Phish resistance is an important goal that should be combined with additional objectives to maximize authentication strength. We recommend organizations go passwordless by removing the user’s password as a factor. Provide authentication options with broad applicability covering desktop and mobile scenarios, and assess device identity and health status prior to authorization.
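The recommendations in the two paragraphs above (require MFA everywhere, prefer phish-resistant passwordless methods, and check device identity and health before authorizing) can be expressed as one layered access policy. The evaluator below is an added example written for this article; it is not the author's code and not any identity provider's API. The tier names, the method-to-tier mapping, the application names and the request fields are all assumptions chosen to illustrate the idea.

```python
"""Policy evaluator that combines authentication-method strength with
device identity and health before granting access. Example code added for
this article; tier names, method mapping, app names and request fields are
assumptions, not any identity provider's API."""
from dataclasses import dataclass

# Strength tiers, weakest to strongest. Out-of-band second factors (push,
# SMS, email) count as MFA but not as phish-resistant; methods that bind the
# credential to the origin (FIDO2, platform authenticator, certificate) are
# phish-resistant and involve no password at all.
PASSWORD_ONLY = 0
MFA = 1
PHISH_RESISTANT = 2

# Keys are the satisfied factors in sorted order.
METHOD_TIER = {
    ("password",): PASSWORD_ONLY,
    ("email", "password"): MFA,
    ("password", "push"): MFA,
    ("password", "sms"): MFA,
    ("fido2",): PHISH_RESISTANT,
    ("platform_authenticator",): PHISH_RESISTANT,
    ("certificate",): PHISH_RESISTANT,
}


@dataclass
class AccessRequest:
    user: str
    app: str
    methods: tuple            # factors actually satisfied, e.g. ("password", "push")
    device_registered: bool   # device identity asserted during authentication
    device_compliant: bool    # health attested by the device-management service


# Layered policy (constructed): privileged apps demand the strongest tier on
# a healthy, registered device; everything else needs at least MFA from a
# registered device.
POLICY = {
    "admin-portal": {"min_tier": PHISH_RESISTANT, "require_compliant": True},
    "*":            {"min_tier": MFA,             "require_compliant": False},
}


def evaluate(req):
    """Return ("allow" | "deny", reason). Unknown factor combinations are
    treated as password-only so the policy fails closed."""
    rule = POLICY.get(req.app, POLICY["*"])
    tier = METHOD_TIER.get(tuple(sorted(req.methods)), PASSWORD_ONLY)
    if tier < rule["min_tier"]:
        return ("deny", "authentication strength below policy for %s" % req.app)
    if not req.device_registered:
        return ("deny", "device identity not asserted")
    if rule["require_compliant"] and not req.device_compliant:
        return ("deny", "device not compliant")
    return ("allow", "tier %d on registered device" % tier)


if __name__ == "__main__":
    for r in (
        AccessRequest("alice", "admin-portal", ("password", "push"), True, True),
        AccessRequest("alice", "admin-portal", ("fido2",), True, True),
        AccessRequest("bob", "mail", ("sms", "password"), False, False),
    ):
        print(r.app, r.methods, evaluate(r))
```

Note that a password-plus-push sign-in is denied for the privileged application even on a compliant device: the policy treats phish resistance as a property of the method, and device checks as an additional layer rather than a substitute.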
Zero-trust principles should also be used to define an implementation road map that addresses all points in the authentication chain with a layered defense. Take steps to harden the authentication infrastructure itself, apply identity protection to users, identify and monitor applications for illicit grants, and identify devices explicitly during authentication while continually monitoring them after authorization as they use access tokens. In doing so, organizations can better create modern, phish-resistant authentication strategies.
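One of the road-map items above, identifying and monitoring applications for illicit grants, is a review task that can be scripted against an export of consent grants. The example below is added for this article and is not the author's code or a vendor tool; the grant records are constructed, the permission names follow Microsoft Graph naming, and the record layout, risk weights and threshold are assumptions. It flags the pattern described earlier in the article: an ordinary user consented a third-party app from an unverified publisher to permissions that let it read or act on data without the user's credential.

```python
"""Review OAuth consent grants and surface the illicit-consent-grant
pattern: a non-admin user granted an unverified third-party app high-impact
delegated permissions. Example code added for this article; records are
constructed, permission names follow Microsoft Graph naming, and the
layout, weights and threshold are assumptions rather than a vendor API."""
from dataclasses import dataclass

# Delegated permissions that let an app read or act on data once consent
# exists, with illustrative weights. offline_access yields refresh tokens,
# i.e. the persistent access path the article warns about.
SENSITIVE_SCOPES = {
    "Mail.Read": 3, "Mail.ReadWrite": 4, "Mail.Send": 4,
    "Files.Read.All": 3, "Files.ReadWrite.All": 4,
    "Contacts.Read": 2, "offline_access": 2,
}


@dataclass
class ConsentGrant:
    app_id: str
    app_name: str
    publisher_verified: bool
    consent_type: str   # "user" (self-service) or "admin" (reviewed)
    granted_by: str
    scopes: tuple


def score_grant(g):
    """Sum scope weights, then add risk for self-service consent and for an
    unverified publisher."""
    score = sum(SENSITIVE_SCOPES.get(s, 0) for s in g.scopes)
    if g.consent_type == "user":
        score += 2
    if not g.publisher_verified:
        score += 3
    return score


def review_grants(grants, threshold=8):
    """Return grants at or above the threshold, highest score first."""
    flagged = []
    for g in grants:
        s = score_grant(g)
        if s >= threshold:
            flagged.append({
                "app_id": g.app_id,
                "app_name": g.app_name,
                "granted_by": g.granted_by,
                "score": s,
                "sensitive_scopes": [x for x in g.scopes if x in SENSITIVE_SCOPES],
            })
    return sorted(flagged, key=lambda f: -f["score"])


# Constructed export: an admin-approved line-of-business app, a mailbox
# app from an unverified publisher consented by a user, and a benign
# calendar app.
SAMPLE_GRANTS = [
    ConsentGrant("app-0001", "Corp Expense Tool", True, "admin", "admin@corp.example",
                 ("User.Read", "Files.Read.All")),
    ConsentGrant("app-0002", "Mail Productivity Booster", False, "user", "alice@corp.example",
                 ("User.Read", "Mail.Read", "Mail.Send", "offline_access")),
    ConsentGrant("app-0003", "Team Calendar Sync", True, "user", "bob@corp.example",
                 ("User.Read", "Calendars.Read")),
]

if __name__ == "__main__":
    for f in review_grants(SAMPLE_GRANTS):
        print(f)
```

Because the flagged grant lives downstream of authentication, the follow-up is to revoke the grant and the tokens issued under it, not only to reset the user's password, which matches the article's point that credential resets alone do not remove this kind of access.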