Relying on Multi-Factor Authentication is a dangerous tactic, says Julia O’Toole, CEO of MyCena Security Solutions.
The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI Cyber Division recently released a joint Cybersecurity Advisory (CSA) warning organisations that Russian state-sponsored cyber actors have gained network access by exploiting default multi-factor authentication (MFA) configuration settings together with a known, patchable vulnerability (the Windows Print Spooler flaw PrintNightmare, CVE-2021-34527).
Since the Russia-Ukraine conflict started, hacking groups such as Conti, Anonymous and the IT Army of Ukraine have pledged support for one side or the other. Insurance carriers were quick to reclassify such cyberattacks as acts of war, changing policy exclusions to reflect the rising risk of “spillover damage” outside the conflict zone. With ransomware now accounting for 75 per cent of cyber insurance claims, more gangs have announced that they are acting independently of the Russian Federation or Ukraine, in the hope that insurers will keep funding ransom payments.
Alongside this, new entrants such as the Lapsus$ group are using low-tech methods to obtain employees’ credentials and advertising their access to victims through Telegram, so companies face cyberattacks of increasing frequency, impact and risk. The situation is pushing more companies to change their cyber strategy. Rather than spending hundreds of thousands on insurance policies that may not pay out in the event of ransomware or business interruption, companies find themselves better off investing in cyber defences that prevent attacks in the first place.
MFA doesn’t stop password phishing or fraud
Many organisations have deployed MFA to keep attackers out of their networks. But relying solely on MFA is not enough. Multi-factor authentication means adding a second (and possibly a third or fourth) factor on top of the first.
After users enter their first factor, usually a password, they receive a push prompt or one-time code on one of their devices, which they approve with a tap or copy into the login form to complete the authentication. But the extra factor only adds security when the first factor can be relied upon.
The problem is that the first factor is compromised from inception. In the physical world, when employees start a job, the company hands them the keys, cards and fobs that open its buildings, lifts and rooms, and takes them back when they leave. In the digital world, companies have applied the reverse: employees are asked to make their own keys (passwords) to the company network and infrastructure.
In doing so, companies effectively hand over access control to their employees and expose themselves to human liabilities: password phishing, loss, theft, reuse, unauthorised sharing and fraud. Having given up access control in the first place, companies should consider all their passwords compromised by default, which means MFA can no longer guarantee that an access is legitimate. What MFA provides here is a false sense of security.
In the absence of access control, examples of MFA being bypassed are abundant. As early as May 2021, according to the CISA/FBI advisory, Russian state-sponsored actors gained access to a non-governmental organisation by exploiting default MFA settings: they enrolled their own device for a dormant account whose password they had guessed and then, once they had escalated to administrator, made the MFA service unreachable so that the client “failed open” and permitted logins without a second factor. The advisory accordingly tells organisations to review their configuration policies for fail-open and re-enrolment scenarios.
Similarly, the Lapsus$ group was able to breach Okta by bombarding employees at third-party support provider Sitel with repeated MFA push approval requests in the early hours of the morning until, wanting to get back to sleep, an employee begrudgingly approved one. The technique is now commonly called MFA fatigue or push bombing, and it works against any push-based second factor that lets the user approve with a single tap.
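The push-bombing pattern described above is detectable in MFA logs: a burst of denied or timed-out pushes that ends with an approval, especially at night. The following detector is an added example written for this page, not code from the article or from any MFA vendor; the log format, field names and sample lines are constructed assumptions, and the thresholds are illustrative.

```python
"""Detect MFA push bombing ("MFA fatigue") in authentication logs.

Added example (not from the article or any vendor). The log lines below are
constructed, and the line format and field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Hypothetical format: ISO timestamp, then key=value
# fields for the user, the source IP of the login attempt and the push result.
SAMPLE_LOG = """\
2022-01-20T01:02:11Z user=j.doe ip=203.0.113.7 result=denied
2022-01-20T01:02:40Z user=j.doe ip=203.0.113.7 result=timeout
2022-01-20T01:03:05Z user=j.doe ip=203.0.113.7 result=denied
2022-01-20T01:03:30Z user=j.doe ip=203.0.113.7 result=timeout
2022-01-20T01:04:02Z user=j.doe ip=203.0.113.7 result=denied
2022-01-20T01:04:45Z user=j.doe ip=203.0.113.7 result=approved
2022-01-20T09:15:00Z user=a.smith ip=198.51.100.4 result=approved
2022-01-20T09:40:12Z user=a.smith ip=198.51.100.4 result=denied
2022-01-20T09:41:00Z user=a.smith ip=198.51.100.4 result=approved
"""


def parse_line(line):
    """Split one log line into a dict with a parsed 'ts' datetime."""
    ts, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_push_bombing(log_text, window=timedelta(minutes=10),
                        threshold=3, night_hours=range(0, 6)):
    """Return a list of (user, reason) alerts.

    A user is flagged when an approval is preceded, within `window`, by at
    least `threshold` denied or timed-out pushes (the attacker wore the user
    down), and separately when an approval preceded by any rejection lands in
    `night_hours`. A single rejection during office hours, which legitimate
    users produce by mistake, is deliberately not flagged.
    """
    by_user = defaultdict(list)
    for line in log_text.strip().splitlines():
        event = parse_line(line)
        by_user[event["user"]].append(event)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, event in enumerate(events):
            if event["result"] != "approved":
                continue
            # Look back over the window preceding this approval only.
            start = event["ts"] - window
            prior = [e for e in events[:i] if e["ts"] >= start]
            rejected = sum(1 for e in prior if e["result"] in ("denied", "timeout"))
            if rejected >= threshold:
                alerts.append((user, f"{rejected} rejected pushes then approval within {window}"))
            elif rejected >= 1 and event["ts"].hour in night_hours:
                alerts.append((user, "approval after rejection during night hours"))
    return alerts


if __name__ == "__main__":
    for user, reason in detect_push_bombing(SAMPLE_LOG):
        print(f"ALERT {user}: {reason}")
```

On the constructed log this flags only j.doe (five rejected pushes followed by an approval at 01:04), not a.smith, whose single daytime denial followed by an approval looks like an ordinary mistap. A detection like this is a compensating control; the stronger fix is to replace one-tap approval with number matching or a phishing-resistant factor so that a tired user cannot approve a request they did not initiate.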
Relying on MFA without access control is dangerous; it is riskier still when combined with a single point of access such as single sign-on (SSO), identity and access management (IAM) or privileged access management (PAM) platforms. The recent Lapsus$ breaches have exposed the problem with centralising all access behind a single door.
In a single breach in mid-February, Lapsus$ stole 1 terabyte of data from Nvidia, including the usernames and passwords of more than 71,000 Nvidia employees. More recently, the Okta breach affected client organisations that rely on Okta to authenticate their users, after Lapsus$ found a spreadsheet titled DomAdmins-LastPass.xlsx in Sitel’s environment.
The possibility of losing everything in one go is a nightmare for any organisation; it exposes the limits of centralised access and makes per-user access control meaningless once the central system is compromised.
Stop confusing identification and authentication
To genuinely build cyber resilience, companies need to go back to lessons learned in the physical world and stop confusing identification with authentication. The distinction is clear there. You show your ID when you cross a border, withdraw a large sum from a bank or sit an exam, to prove who you are: that is identification. But when you go home or to the office, the door does not recognise you and open by itself; if you hold the key, you get in: that is authentication by what you possess.
Just as no one forges their own key to open a door, there is no need to remember and type passwords: people just need to hold the right key and use it. And just as no one uses a single key that opens their house, their car and their office, every system should have a different password that the user does not need to know or remember. To take back control of their access, companies just need to apply those principles.
In practice, segmenting access to every system and distributing encrypted passwords to employees takes the human out of the password lifecycle, as no one creates, sees or types a password. Fixing the root cause of the access-management problem would not only let companies regain command and control of their access and data, it would also save countless hours spent training employees on password policies that do not work.
Investing in MFA makes sense once a company controls and segments its access, but on its own MFA cannot protect a network. To protect their business, companies should urgently bring the entire lifecycle of password creation, distribution, use and expiry under their own management, as they do in the physical world, without changing their infrastructure. This would mechanically strengthen their cyber defences and avoid hefty ransom payments.