MFA (Multi-Factor Authentication) is a useful tool for security, and if implemented correctly, it can help to improve authentication and decrease risk. But I think it’s about time we talk about some of the ways that MFA is inherently broken.
MFA Overview and History
The primary purpose of multi-factor authentication is to ensure that the person entering their username and password is the rightful owner of the account. This is crucial because passwords can be stolen, people can be tricked by phishing sites or social engineering, and credentials can be leaked.
The earliest forms of multi-factor authentication involved using a physical token device, like a card or key fob, to generate an additional code after entering your username and password. This was meant to prevent unauthorized access by those who did not have access to the physical device. Then, we moved on to soft tokens on phones or receiving codes via text messages. But even these methods have their limitations.
The Era of Frequently Changing Passwords (Running from the Bear)
We’re also living in the era of regularly changing passwords in order to protect accounts. This process was initially implemented in an attempt to stay ahead of attackers who may have obtained the username and password but hadn’t had a chance to use them yet. The concept of a 900-day password rotation was under the understanding that that would be the longest a bad actor would have your account credentials. This approach is far from foolproof.
The whole concept of frequently changing passwords is flawed. It’s like trying to outrun a bear – you just need to be faster than the slowest person. There are countless passwords out there that attackers can try, and you’re just hoping they don’t get to yours before you change it. It’s an unreliable system.
The traditional username-password-MFA process is definitely better than NOT utilizing multi-factor authentication, but it falls behind the evolving threats in cybersecurity. So, let’s delve into the flaws of the current MFA system and explore how we can do better.
Where MFA Fails Us
There are multiple ways that attackers can bypass multi-factor authentication, including social engineering, phishing, hijacking web sessions, or cloning phone numbers on different devices. I’m sure you’ve read about the recent MGM breach in the news. The breach occurred as a result of socially engineered admin credentials. As helpful as multi-factor authentication may be, there’s a risk in assuming that we can lower our other defenses if we’ve implemented those security methods.
With the prevalence of MFA now being required across multiple accounts, it can become a type of white noise or familiar annoyance that we fast-forward through as users. This creates a vulnerability known as MFA fatigue, which attackers can exploit.
You’ve probably experienced MFA fatigue yourself, whether receiving a code while trying to troubleshoot technical issues or being interrupted while working on an important project. We often don’t stop and take the time to ensure the authentication method is valid, especially when SO many accounts require various forms and steps for multi-factor authentication.
I’ve personally had a scary experience myself when someone cleverly switched my phone number to their own device through tricks with my phone carrier. Luckily, I caught it quickly, but it’s a stark reminder that even having a secure phone isn’t foolproof.
The Biggest Reason MFA is Broken
Here’s the most critical way that MFA fails us – when you successfully get to a step where MFA is required, it confirms that your username and password are valid. This gives attackers the ability to identify which credentials are valid and potentially target you further. Let’s think about that for a moment. The attacker could have gotten massive amounts of credentials from a dark web dealer, and then used automated methods to throw multiple sets of credentials at different sites.
Initially, they might not know which of the credentials they’ve purchased are still valid. While they may not have access to your multi-factor authentication method (i.e., your phone, authenticator app, biometrics), if they get an indication that your username and password have gotten to that MFA step… BOOM, they now know that the credentials are valid.
And it doesn’t end there. If you reuse passwords across multiple accounts, attackers can use the validated credentials on other systems where MFA isn’t enabled. We all know that we shouldn’t reuse passwords and that we should turn MFA on for all accounts that allow it, but the reality is that most users don’t consistently follow those best practices.
How Banyan Security Can Help
When I speak about MFA at conferences (or with my family at Thanksgiving, lol), there’s always a big “Aha!” moment when they realize the point about multi-factor authentication allowing an attacker to know which credentials are valid. It’s a scary thought, and while I don’t want anyone to be fearful, it’s important to be aware of what’s involved when using these methods and how they can potentially be exploited.
But here’s the exciting part. With Banyan Security, you get the benefit of our device certificate, which is a pre-authentication MFA. It’s a game-changer in terms of security.
If someone gets a user’s valid credentials, including MFA, they can do damage to your systems and/or steal sensitive information. Luckily, with our setup (our team uses Banyan Security in front of Okta), using my credentials to access Okta is not possible without physical possession of my device, my laptop.
Now, I bet you’re curious if we still use multi-factor authentication for Okta (especially since the title of this blog is “MFA is Broken”). The answer is yes! We use MFA after authentication. But here’s the deal: you wouldn’t even get to the point of MFA if you didn’t physically have our device. My laptop and phone act as pre-authentication MFA devices.
It’s all about finding that balance between security and usability. We make the process as smooth and seamless as possible. All while increasing security without adding additional burdens on your users. I host a live demo of the Banyan Security platform each week, so if you’d like to see a specific use case in action, or if you want to chat about MFA and zero-trust architectures, drop in and say hello: https://info.banyansecurity.io/weekly-live-demo-2
