Garrett Bekker III

Principal Research Analyst, Information Security at 451 Research, part of S&P Global Market Intelligence


The evolution of the cybersecurity market has been to a great extent driven by the “arms race” between attackers and security professionals. Each iterative advance by one group has typically been met by a counter-response from the other that attempts to circumvent or neutralize the advances, and so on. Rinse and repeat.

A similar cat-and-mouse dance has taken place with respect to authentication and access controls. For much of the history of modern computing, usernames and passwords have been — and remain — nearly omnipresent in the enterprise, even among those that have adopted stronger forms of authentication. One of the earliest efforts at thwarting passwords was the brute-force attack, and the inevitable — if not predictable — industry response was the shift to password rotation, as well as requirements for longer and more complex passwords that were harder to guess or crack. This response, however, added complexity and led to a painful user experience, for both admins and users. More to the point, the industry seems to have figured out that longer and more complex passwords and frequent rotation aren’t particularly effective at preventing credential abuse and attacks, so much so that the National Institute of Standards and Technology has recently stopped recommending the practice as part of its policy framework.

Once brute-forcing (and more complex passwords) reached the limit of its usefulness, the next phase was for attackers to “trick the human” by adopting phishing attacks or social engineering as a means to obtain valuable login credentials. And once again, the cybersecurity industry upped the ante, this time by adding more factors rather than more significant digits, including the use of SMS codes, one-time passwords (OTPs) or emails as an additional factor in two-factor authentication (2FA) and/or multi-factor authentication (MFA) schemes. Again, this led to an initial improvement in security, but also placed more of a burden on users and admins in terms of convenience, complexity, and overall user experience.

It’s no wonder, then, that passwords are still so commonplace in security, despite the fact that people have known of their many shortcomings for decades – the issue is that most MFA technologies have their own challenges, too, and it’s not always clear that the cure isn’t worse than the disease.

One of the more recent responses by the security industry has been “phishing-resistant” MFA. What does this mean? Phishing and its many variants – spear phishing, vishing, etc. – essentially try to trick users into clicking on a bad link or providing their login credentials. While many firms have tried to defeat phishing attacks by using MFA, not all forms of MFA are fully resistant to phishing attacks. Many types of authentication rely on some form of “shared secret” – such as a password, PIN, or one-time-password – that needs to be exchanged between users and the services they are attempting to access. However, shared secrets, regardless of form, are vulnerable to being intercepted at some point, potentially by a man-in-the-middle attack or other means.

Phishing-resistant MFA generally eliminates shared secrets, commonly by using a FIDO-based method or another approach built on public key cryptography and digital certificates. In such scenarios, the user holds a pair of public and private keys: the private key stays on the user's device, only the public key is registered with the service, and the user proves possession of the private key by signing a fresh challenge for each login. Nothing reusable crosses the wire, so there is no secret to intercept. The added benefit of such an approach is that, done correctly, it potentially provides a more streamlined user experience as well as greater security — the “holy grail” of authentication.
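To make the contrast between a shared secret and an origin-bound signature concrete, the following is an added Go example (not code from the article or from 451 Research) that sketches a FIDO-style registration and login using Ed25519 from the standard library. The origin strings, user name and OTP value are constructed for the demo, and the signed data is a simplified stand-in for WebAuthn's clientDataJSON; what it preserves is the property that matters: the server verifies under its own origin, so a challenge relayed through a look-alike site fails, whereas a relayed one-time code passes a plain string comparison.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
)

// Authenticator models a FIDO-style security key: the private key is generated
// on the device and never leaves it; only the public key goes to the server.
type Authenticator struct{ priv ed25519.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// signedData is what gets signed: a hash over the origin the browser reports
// and the server's challenge (a simplified stand-in for WebAuthn's
// clientDataJSON). Binding the origin in is what makes this phishing-resistant.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator keeps the origin/challenge boundary unambiguous
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert signs the challenge under the origin the browser reports; the result
// is valid only for that origin and that challenge.
func (a *Authenticator) Assert(browserOrigin string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedData(browserOrigin, challenge))
}

// RelyingParty is the server: it stores public keys and knows its own origin.
type RelyingParty struct {
	origin string
	users  map[string]ed25519.PublicKey
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin: origin, users: map[string]ed25519.PublicKey{}}
}

func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.users[user] = pub }

// NewChallenge issues 32 fresh random bytes per login attempt (defeats replay).
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify rebuilds the signed data with the server's OWN origin, never a value
// the client supplies, and checks it against the registered public key.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.users[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, signedData(rp.origin, challenge), sig)
}

// SharedSecretCheck is the contrast case from the article: an OTP or password
// is a string, so whoever reads it once can present it again.
func SharedSecretCheck(expected, presented string) bool {
	return subtle.ConstantTimeCompare([]byte(expected), []byte(presented)) == 1
}

// Scenario runs a legitimate login, then one relayed through a look-alike
// origin, and reports whether each verified and whether a relayed OTP passes.
func Scenario() (legit, relayed, otpRelayed bool, err error) {
	auth, err := NewAuthenticator()
	if err != nil {
		return
	}
	rp := NewRelyingParty("https://bank.example") // constructed origin
	rp.Register("alice", auth.priv.Public().(ed25519.PublicKey))

	c1, err := rp.NewChallenge()
	if err != nil {
		return
	}
	legit = rp.Verify("alice", c1, auth.Assert("https://bank.example", c1))

	// The look-alike site relays a genuine challenge, but the browser reports
	// the look-alike origin, so the device signs the wrong data.
	c2, err := rp.NewChallenge()
	if err != nil {
		return
	}
	relayed = rp.Verify("alice", c2, auth.Assert("https://bank-example.net", c2))

	otpRelayed = SharedSecretCheck("482913", "482913") // constructed OTP; relay passes
	return
}
```

The design point worth noticing is in Verify: the server never accepts an origin from the client; it recomputes the signed data from the origin it knows it serves. A real WebAuthn deployment gets the same guarantee from the browser populating clientDataJSON and the relying party checking the origin and RP ID fields before verifying the signature.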

However, as much as phishing-resistant MFA is a big step forward, it is limited to only verifying the user – it tells us nothing about the device that user may be attempting to log in with. By uniquely identifying the user’s device, the security bar can be raised significantly. Not only must users be authenticated, but so must the devices they are using. An attacker may have stolen a user’s credentials, but that person likely doesn’t also have physical possession of the device. Additionally, it’s important to understand the security posture of the device: Has it been rooted or jailbroken? Are patches up to date? Does it have malware on it, and is it a company-managed device or a personal device? Is there a way to separate personal from company data? And is company data encrypted? Those sorts of things are all important to know, and MFA alone can’t help there.

MFA also doesn’t help much if a user accidentally clicks on a bad link and inadvertently winds up at a bad website. For that reason, organizations need the industry to provide a solution that combines device trust with URL filtering, so that the damage is limited when human beings are tricked into clicking on something or going somewhere they shouldn’t. This allows for better security AND better user experience, and it also lowers support costs and burdens.