Potential pitfalls of MFA as passwords fade

by Mark Rowe

The password is hanging on by a thread. It was a simple password reset request to a service desk that led to the major ransomware attack on MGM in 2023. The casino giant stated that it expected to lose $100 million as a result of the breach. Its well-documented tendency to be bypassed by hackers has led Google to announce that its apps will now be “passwordless by default”, writes James Smith, Head of Offensive Security at the cyber consultancy Bridewell.

Multi-factor authentication (MFA) has emerged as the viable alternative to reduce the volume of successful data breaches. However, its implementation comes with a set of considerations that businesses need to keep in mind as they consign passwords to the history books.

MFA fatigue

MFA is so effective because it requires users to present two or more pieces of evidence to gain access. Businesses in numerous sectors are incorporating the technology to enhance their cyber security posture. But bad actors aren’t standing still in devising ways to circumvent new security layers. MFA fatigue is a type of social engineering whereby an adversary, via automated or manual methods, manages to inundate a user with MFA prompts until they approve the sign-in request.

The psychology behind an MFA fatigue attack is fairly straightforward. If faced with hundreds of notifications to approve logins, users are likely to believe that this is a re-authentication request for a current session, or simply an accident, and will approve it. Bad actors can then access the account. It’s often the case that adversaries pretend to be a member of an organisation’s IT or tech support team, making users believe that there is nothing untoward when contacted.

Wider tactics used

MFA fatigue isn’t the sole way that an attacker can work around cyber defences. While other methods do take considerable time and effort to execute, the most sophisticated criminals could initiate SIM-swapping or man-in-the-middle proxying.

Through social engineering, bad actors can take over a user’s phone number and intercept texts, such as two-factor authentication codes, to break into their accounts. In the US, CISA last year called for improved SIM-swapping protections and a move to a password-free future following the attacks by Lapsus$ on major companies such as Nvidia, Samsung, Ubisoft, T-Mobile, Uber and Microsoft. Man-in-the-middle proxying attacks use proxy websites that look like the real thing to gather sign-in credentials from unsuspecting users.

Shoring up new MFA deployments

As passwords fade away into obscurity, organisations must take action to protect MFA deployments. Phishing-resistant MFA, which includes methods such as ‘number matching’, adds a step within the MFA push notification workflow: a number is presented on the login screen, and the user must enter it when approving the MFA prompt, so a prompt cannot be approved blindly. Tighter thresholds within monitoring tools can also be set to block excessive and suspicious MFA prompts.
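To show why number matching blunts a fatigue attack, here is an added toy model of the server side of the workflow (example code, not from the article or Bridewell): the server generates the number, shows it only on the login screen, and an approval that arrives without the matching number is rejected. The session identifier, the 0–99 range and the three-attempt lockout are assumptions.

```python
import secrets
from dataclasses import dataclass


@dataclass
class PendingPush:
    session_id: str
    challenge: int   # the number displayed on the login screen
    attempts: int = 0


class NumberMatchingMFA:
    # Assumed toy server: one outstanding push per session, three attempts max.
    MAX_ATTEMPTS = 3

    def __init__(self):
        self.pending = {}

    def start_login(self, session_id):
        # The server picks the number and shows it only to the person at the keyboard.
        push = PendingPush(session_id, secrets.randbelow(100))
        self.pending[session_id] = push
        return push.challenge

    def approve(self, session_id, entered):
        # Called when the user acts on the push; 'entered' is None for a blind tap.
        push = self.pending.get(session_id)
        if push is None:
            return False
        push.attempts += 1
        if entered is not None and entered == push.challenge:
            del self.pending[session_id]   # consumed: no replay of the same push
            return True
        if push.attempts >= self.MAX_ATTEMPTS:
            del self.pending[session_id]   # lock out further guessing
        return False


def demo():
    # Walk one login through a blind approval, a wrong number and the right one.
    mfa = NumberMatchingMFA()
    shown = mfa.start_login("sess-1")
    blind = mfa.approve("sess-1", None)              # tap-to-approve without a number
    wrong = mfa.approve("sess-1", (shown + 1) % 100)  # guessed number
    right = mfa.approve("sess-1", shown)             # number read off the login screen
    return blind, wrong, right
```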

Monitoring for user credential leaks, impossible travel and any sign-ins from unfamiliar locations, suspicious IPs or unapproved devices is also essential. Organisations may look to hardware security keys or alternative secure methods to avoid the risk posed by push notifications, but this does bring about concerns in terms of inconvenience to the user and associated costs.
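As an added illustration (not from the article or Bridewell), the following Python applies two of the monitoring ideas above to a constructed MFA push log: a threshold on excessive prompts per user in a sliding window, and an impossible-travel check between consecutive approvals. The log format, the coordinates, the ten-minute window, the three-prompt cap and the 900 km/h speed limit are all assumptions to be tuned per environment.

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt
# Constructed sample MFA push log (not real data): time user event lat lon
SAMPLE_LOG = """\
2024-05-01T08:00:05Z alice PUSH_SENT 51.50 -0.12
2024-05-01T08:00:20Z alice PUSH_SENT 51.50 -0.12
2024-05-01T08:00:41Z alice PUSH_SENT 51.50 -0.12
2024-05-01T08:01:02Z alice PUSH_SENT 51.50 -0.12
2024-05-01T09:00:30Z bob PUSH_APPROVED 40.71 -74.01
2024-05-01T10:15:20Z bob PUSH_APPROVED 35.68 139.69
"""
FATIGUE_WINDOW = timedelta(minutes=10)  # assumed thresholds; tune per environment
FATIGUE_MAX_PROMPTS = 3                 # more pushes than this per window: block
MAX_PLAUSIBLE_SPEED_KMH = 900.0         # roughly airliner speed

def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, event, lat, lon = line.split()
        ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((ts, user, event, float(lat), float(lon)))
    return sorted(events)  # chronological order

def haversine_km(lat1, lon1, lat2, lon2):
    p1, p2, dl = radians(lat1), radians(lat2), radians(lon2 - lon1)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))  # great-circle distance in km

def detect_mfa_fatigue(events):
    # Sliding window of PUSH_SENT per user; a burst beyond the cap is fatigue.
    flagged, sent = set(), {}
    for ts, user, event, _, _ in events:
        if event == "PUSH_SENT":
            sent[user] = [t for t in sent.get(user, []) if ts - t <= FATIGUE_WINDOW] + [ts]
            if len(sent[user]) > FATIGUE_MAX_PROMPTS:
                flagged.add(user)
    return flagged

def detect_impossible_travel(events):
    # Consecutive approvals whose implied speed is not physically plausible.
    flagged, last = set(), {}
    for ts, user, event, lat, lon in events:
        if event == "PUSH_APPROVED":
            if user in last:
                pts, plat, plon = last[user]
                hours = max((ts - pts).total_seconds() / 3600, 1e-9)  # no div by zero
                if haversine_km(plat, plon, lat, lon) / hours > MAX_PLAUSIBLE_SPEED_KMH:
                    flagged.add(user)
            last[user] = (ts, lat, lon)
    return flagged
```

In the sample, alice receives four pushes inside a minute and bob approves from New York and then Tokyo 75 minutes later; both should be surfaced to the SOC, and the fatigue case is also where a push service should stop sending rather than keep prompting.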

Supporting technologies

A sufficiently protected MFA is highly effective, but not an approach that can be applied to a major enterprise overnight. It’s also unlikely to work in conjunction with operational technology that is 20 or 30 years old and will probably remain in use for the foreseeable future. To ensure effective protection against the latest techniques that cyber criminals are devising, detection and response strategies, supported by a Security Operations Centre (SOC), are a necessity.

Human-driven processes, such as Extended Detection and Response (XDR), focus on the root cause of security vulnerabilities, avoiding any superficial fixes and ensuring long-term resilience. Making use of a modern SOC can also help organisations to respond rapidly to any changes and emerging threats.

A step towards a more secure future

As the traditional password’s reliability wanes, the shift to passwordless systems and MFA represents a significant step forward in cybersecurity. However, the journey to robust MFA implementation is fraught with challenges, including the risk of MFA fatigue and other sophisticated evasion tactics employed by cybercriminals.

Vigilance is needed to fortify MFA frameworks, such as adopting phishing-resistant measures, enhancing monitoring protocols and considering additional secure alternatives like hardware security keys. Crucially, however, MFA is part of a broader cybersecurity ecosystem that requires a blend of advanced technology, vigilant monitoring and human-driven processes to adapt to the evolving landscape of threats.

© 2024 Professional Security Magazine. All rights reserved.