MFA Hardening: What is it and why do you need it?

Multi-Factor Authentication (MFA) is an important mechanism for securing your accounts, and it drastically reduces the risk of an attacker getting in. Even if they determine your user ID and password, the additional form of authentication, often a code delivered by email or text message, keeps them out.

However, with the surge in remote and hybrid jobs since 2019, largely driven by the Covid-19 pandemic, organizations have had to adapt their cybersecurity measures to keep user accounts secure across a much larger attack surface. According to the U.S. Census Bureau, almost 28 million workers reported working primarily from home in 2021, triple the number reported in 2019.

This sudden shift to working outside the organization's security perimeter has multiplied the endpoints a threat actor can use to gain unauthorized access to corporate accounts. It has also stretched IT departments trying to keep up with the evolving tactics used in cyberattacks.

Rather than relying on on-premises security technology such as local servers, many companies found themselves switching to cloud platforms quickly and with minimal preparation. Investing in and implementing cybersecurity for that new footing has made secure access possible while working remotely, wherever that may be.

Unfortunately, remote work lets threat actors target the weakest link in an organization's system: the individual remote worker. Reliably authenticating a user, confirming that the person logging in is who they claim to be, has become pivotal to securing access. MFA has become standard over the past few years, but so have its weaker forms such as SMS and email codes, and attackers are rapidly evolving their techniques against exactly those.

And as recent cases such as the Cisco and Uber breaches show, MFA does not prevent every breach. Sometimes the attacker obtains the additional factor itself, for example by intercepting or phishing the code. Sometimes they simply trigger login request after login request until the legitimate user, worn down by MFA fatigue, approves one.

As a result, many organizations are adopting phishing-resistant MFA protocols to secure user accounts.


Why is MFA so important?

Most MFA deployments today rely on One-Time Passwords (OTPs). Authenticator apps such as Authy or Microsoft Authenticator implement the TOTP algorithm (RFC 6238): a keyed hash, HMAC, is computed over a shared secret key and the current 30-second time step, and the result is truncated to a short code, usually six digits, that both the app and the server can derive independently. MFA draws on three categories of factor, and a login must present at least two of them:

1. Something you know. A password or passphrase, a PIN, or the answers to security questions. It involves verification of information supplied by the user.

2. Something you have. A token device, a smartcard, access to an email inbox or a cell phone number, or a smartphone running an OTP app. It involves verification of an item in the user's possession (an inbox or phone number is only loosely bound to the user, which is why measure 1 below treats SMS as the weakest option).

3. Something you are. A fingerprint, facial or voice recognition, or a retina or iris scan. It involves verification of characteristics inherent to the individual.


Figure 1: MFA Factors (Source: Cipher)
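To make the TOTP mechanism above concrete, here is an added worked example (not code from the original post or from any authenticator vendor) implementing RFC 4226 HOTP and RFC 6238 TOTP with only the Python standard library. The seed is the published RFC test-vector seed, encoded in base32 the way authenticator apps expect it, so the six-digit codes it produces can be checked against the RFC tables: they are the last six digits of the RFC's eight-digit vectors.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo seed: the base32 encoding of the ASCII string
# "12345678901234567890", the seed used by the RFC 4226 / RFC 6238 test
# vectors. A real seed comes from the enrolment QR code and is a secret.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DIGITS = 6
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-long decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of time steps elapsed
    since the Unix epoch, so app and server derive the same code from the clock."""
    secret = base64.b32decode(secret_b32.upper())
    return hotp(secret, unix_time // step)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Server-side check. Accepts the current step plus or minus `window`
    steps to tolerate clock skew, and compares in constant time.

    Every extra step in the window multiplies an attacker's odds of guessing
    a 6-digit code, which is why rate-limiting and locking after repeated
    MFA failures (measure 3 below) matters for app-based OTPs too."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    secret = base64.b32decode(secret_b32.upper())
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), submitted)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    # RFC 6238 SHA-1 vectors for this seed: T=59 -> 94287082,
    # T=1111111109 -> 07081804, T=1234567890 -> 89005924.
    # The 6-digit code is the last six digits of each.
    for t in (59, 1111111109, 1234567890):
        print(t, totp(DEMO_SECRET_B32, t))
```

Note that `verify_totp` is still only as strong as the six digits and the acceptance window: it has no notion of who is asking, how often, or from where, which is exactly the gap measures 3 and 4 address.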


MFA is so effective that Microsoft found it can thwart 99.9% of attacks on accounts. However, the average person reuses the same password about 14 times, often across both personal and business accounts, which creates blind spots: a phishing attack on a personal account can hand over the password to a corporate one. Compromised passwords make up the majority of hacking-related breaches, which is why the Office of Management and Budget (OMB) directed federal agencies to move to phishing-resistant MFA in its January 2022 memo (M-22-09).


Five Hardening Measures to Enhance MFA

With that in mind, here are five hardening measures that strengthen corporate MFA. They are based on current best practices and on the forms of exploitation attackers are using today.

1. Disable the Default Text-Message (SMS) Configuration: SMS MFA is widely used because it is easy to configure and needs only a phone number to deliver the OTP. This out-of-band method is the weakest form of MFA: codes can be intercepted or redirected by SIM swapping, and a phished user will type them straight into a fake page. NIST (SP 800-63B classes SMS OTP as a "restricted" authenticator) and Microsoft have both been advising against it for years. Move users to hardware tokens, platform biometrics or an authenticator app instead.

2. Disable Push (Pop-Up) Approvals to Avoid MFA Fatigue Attacks (MFA Bypass): In an MFA fatigue, or push-bombing, attack, a threat actor who already holds the password triggers login after login, flooding the user with approval prompts throughout the day. Worn down by the volume, users start tapping "Approve" just to make the pop-ups stop, and security best practice goes out the window. The attack exploits human attention rather than any weakness in the cryptography, so the advice is to disable simple approve/deny push prompts. Where push must stay, require number matching (the user types a number shown on the login screen into the app) so that a blind tap cannot approve an attacker's session.

3. Block the User Account After Several MFA Denials: App-based MFA can still be attacked by brute-forcing the short OTP, by phishing the code, or by malware on the victim's device. Wherever possible, configure every account to lock, or to force a password reset, once a set number of MFA denials or failures occurs within a short period. A maximum number of MFA denials should be a mandatory rule, and each lockout should raise an alert, because a run of denials is itself a signal that the password is already compromised.

4. Block Access by Location: A threat actor who has pulled credentials from a data breach and pushed past MFA with a fatigue attack faces no obstacle from distance; the login works from anywhere. Restricting authentication by location shrinks the set of logins that are even attempted, and with it the attack surface. Allow authentication only from the countries where staff actually work, and block logins from countries the company does not recognize as legitimate. Treat this as a filter rather than a guarantee: an attacker can rent a proxy or VPN exit inside an allowed country, so location blocking belongs alongside, not instead of, the other measures.

5. Configure Physical Token or Biometric Authentication: Hardware security keys, and platform authenticators that unlock a credential with a fingerprint or face, use the FIDO U2F and FIDO2 (WebAuthn) protocols, which are phishing-resistant by design. The browser binds each signed login challenge to the origin of the site it is actually talking to, so authentication fails on a look-alike site even if the user is convinced it is real, and an attacker relaying the login in real time gains nothing. This origin binding removes most of the attack surface, including sophisticated phishing. Phishing-resistant MFA is now the industry gold standard for protecting cyber assets, followed by app-based MFA, with SMS or voice MFA last, as shown below.


Figure 2: MFA Hierarchy (Source: CISA)
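Measures 3 and 4 are policy decisions a login service has to make on every MFA prompt. The following added example (my illustration, not the post's own code or any identity product's API) evaluates a constructed authentication log with a denial lockout and a country allow-list. The user names, thresholds, countries and log-line format are all assumed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy knobs (assumed values; tune to the environment).
MAX_DENIALS = 5                    # measure 3: denials tolerated per window
DENIAL_WINDOW = timedelta(minutes=15)
ALLOWED_COUNTRIES = {"US", "CA"}   # measure 4: where staff actually sign in


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    result: str     # "password_ok", "push_sent", "denied", "approved"
    country: str    # ISO 3166-1 alpha-2 from IP geolocation


def parse_line(line: str) -> AuthEvent:
    """Parse one constructed log line: '<iso-time> <user> <result> <country>'."""
    ts, user, result, country = line.split()
    return AuthEvent(datetime.fromisoformat(ts), user, result, country)


def recent_denials(history: list[AuthEvent], user: str, now: datetime) -> int:
    """Count MFA denials by `user` inside the sliding window ending at `now`."""
    return sum(
        1 for e in history
        if e.user == user and e.result == "denied"
        and now - DENIAL_WINDOW <= e.ts <= now
    )


def evaluate(event: AuthEvent, history: list[AuthEvent]) -> str:
    """Decide what to do with a fresh MFA prompt request for `event`.

    Returns "block_country", "lock_denials" or "allow". The country check
    runs first because it needs no history and stops the cheapest attacks."""
    if event.country not in ALLOWED_COUNTRIES:
        return "block_country"
    if recent_denials(history, event.user, event.ts) >= MAX_DENIALS:
        return "lock_denials"
    return "allow"


# Constructed sample log. alice is being push-bombed (five denials in eight
# minutes), bob's password was used from a country the company never signs in
# from, carol has one stray denial and then approves normally.
SAMPLE_LOG = """\
2024-03-01T09:00:00+00:00 alice denied US
2024-03-01T09:01:30+00:00 alice denied US
2024-03-01T09:03:00+00:00 alice denied US
2024-03-01T09:05:00+00:00 alice denied US
2024-03-01T09:08:00+00:00 alice denied US
2024-03-01T09:02:00+00:00 carol denied US
2024-03-01T09:04:00+00:00 carol approved US
2024-03-01T09:10:00+00:00 bob password_ok BR
"""


def run_demo() -> dict[str, str]:
    """Evaluate a new push request for each user against the sample history."""
    history = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    now = datetime.fromisoformat("2024-03-01T09:11:00+00:00")
    prompts = [
        AuthEvent(now, "alice", "push_sent", "US"),
        AuthEvent(now, "bob", "push_sent", "BR"),
        AuthEvent(now, "carol", "push_sent", "US"),
    ]
    return {p.user: evaluate(p, history) for p in prompts}


if __name__ == "__main__":
    for user, decision in run_demo().items():
        print(f"{user}: {decision}")
```

One caveat worth designing for: locking the whole account after N denials turns the denial counter into a denial-of-service lever for an attacker who already holds the password. In practice, suspend the push channel for that user and alert the SOC rather than locking the account outright, and pair the rule with number matching if push approval stays enabled.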


With all cybersecurity protocols, the goal is to keep your company's assets and employees safe. MFA is an effective mechanism for protecting access to your accounts, but it is not a "Staples Easy button" for strong security, and not all MFA approaches are equal.
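Measure 5 rests entirely on origin binding, so here is an added example (mine, not code from the post or from the FIDO Alliance) that walks through a simplified WebAuthn assertion: the browser records the origin it is really connected to in clientDataJSON, the authenticator signs over it, and the relying party rejects anything signed under a different origin or against a stale challenge. The origins, the relying-party ID and the HMAC stand-in for the authenticator's asymmetric signature are assumptions made so the script runs offline with the standard library.

```python
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse

RP_ID = "login.example.com"                           # assumed relying-party ID
RP_ORIGIN = "https://login.example.com"               # assumed legitimate origin
PHISH_ORIGIN = "https://login.example.com.evil.test"  # assumed look-alike site

# Stand-in for the credential's key pair. FIDO signs with a private key that
# never leaves the authenticator and the RP verifies with the stored public
# key; here an HMAC over a shared key plays that role so the example needs
# only the standard library. The origin-binding logic is what matters.
CREDENTIAL_KEY = os.urandom(32)


def browser_assert(origin: str, challenge: bytes) -> dict:
    """Client side. The *browser*, not the web page, records the origin it is
    actually connected to in clientDataJSON and derives the RP ID from that
    origin's host; the authenticator then signs authenticatorData ||
    SHA-256(clientDataJSON). A phishing page cannot lie about its origin."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
        sort_keys=True,
    ).encode()
    rp_id_hash = hashlib.sha256(urlparse(origin).hostname.encode()).digest()
    auth_data = rp_id_hash + b"\x01"            # flags byte: user present
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def rp_verify(assertion: dict, issued_challenge: bytes) -> bool:
    """Server side: accept only if the origin, RP ID hash, challenge and
    signature all check out."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("origin") != RP_ORIGIN:                   # origin binding
        return False
    if cd.get("challenge") != issued_challenge.hex():   # freshness, no replay
        return False
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])


def legitimate_login() -> bool:
    challenge = os.urandom(32)
    return rp_verify(browser_assert(RP_ORIGIN, challenge), challenge)


def phished_login() -> bool:
    """Adversary-in-the-middle: the phishing site relays the RP's real
    challenge to the victim, whose browser signs it under PHISH_ORIGIN."""
    challenge = os.urandom(32)
    return rp_verify(browser_assert(PHISH_ORIGIN, challenge), challenge)


def replayed_login() -> bool:
    """A captured assertion is useless once the RP has issued a new challenge."""
    old = os.urandom(32)
    captured = browser_assert(RP_ORIGIN, old)
    return rp_verify(captured, os.urandom(32))


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("phished:   ", phished_login())
    print("replayed:  ", replayed_login())
```

Contrast this with the TOTP path: a six-digit code typed into the look-alike page carries no origin, so the same relay proxy would forward it to the real site and log in. That difference, not the hardware itself, is what makes FIDO credentials phishing-resistant.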

Implementing phishing-resistant MFA takes time and can be difficult to deploy everywhere at once. Identifying critical resources and high-value targets lets IT departments prioritize the deployment and roll out the migration in phases.

Many organizations are also adopting Zero Trust principles alongside MFA hardening. Companies are moving away from email and SMS authentication, which are vulnerable to phishing, interception and brute force, as part of an overall security strategy that includes Zero Trust and other security mechanisms.
