
Demystifying Cybersecurity: How to Thwart Phishing Attacks with Enhanced Identity Management

No matter the size or area of business, all organizations must have a proper cybersecurity strategy in place to protect their infrastructure and data from growing cyber-attacks, which include ransomware, data breaches, and malware threats. Preventing phishing attacks is crucial as they exploit human error, compromising sensitive data and causing financial and reputational damage to organizations.

Following the guiding principle “never trust, always verify,” a Zero Trust Architecture (ZTA) cybersecurity strategy requires strict and continuous authentication of both people and devices whenever they try to access resources on a private network, whether locally (on-premises) or in the cloud. It usually uses a seven-pillar approach to categorize the different layers, modules, and functionalities involved.

One of the pillars, user identity, favors a continuous authentication process that monitors user activity and access requests, protecting and securing all interactions between that user and the corporate infrastructure, rather than a one-off authentication, since security posture and the associated risk can change over time. It is composed of two layers: authentication and authorization. In the first, the user must be properly and unambiguously identified, ensuring the person is who they claim to be, using well-proven security technologies such as Single Sign-On (SSO), Multi-Factor Authentication (MFA), certificates (e.g., smart cards) or biometrics (e.g., fingerprint, face recognition), or a combination of these.

Let’s review the different forms of authentication available with MFA and see which ones are recommended to make that process resistant to phishing attacks.

What is MFA?

Multi-Factor Authentication (MFA) is an authentication method, part of the Identity and Access Management (IdAM) framework, that requires a user to present two or more pieces of evidence (or factors) to authenticate. These factors include, but are not limited to, something the user knows, such as a credential like a password or PIN; something the user physically possesses, such as a mobile device, a hardware token, or a credit card’s Card Verification Value (CVV); or something the user is, such as a fingerprint or palm print, an iris, or a voice.

This makes it a great security mechanism that organizations must implement as part of any ZT architecture. However, it is not a magic key to perfect security and still has weaknesses that can be exploited. Security is larger than any single solution, so other security mechanisms should be implemented in combination with MFA to strengthen it further.

Limitations and Vulnerabilities

While implementing MFA is a crucial measure in mitigating the risk posed by cyber threat actors who exploit compromised credentials to infiltrate networks and carry out malicious actions, it is important to highlight that not all types of MFA offer the same level of security.

Some of them are actually vulnerable to common attacks. Typical phishing attacks are a deceptive tactic in which cybercriminals trick individuals into revealing sensitive information, such as passwords or financial data, by posing as trustworthy entities in fraudulent emails or websites. The less well-known SIM swap attack involves a malicious actor tricking a mobile carrier into transferring a victim's phone number to a SIM card under the attacker's control, often to gain unauthorized access.

Another known attack is the push fatigue attack, colloquially known as “push bombing,” a social engineering technique that sends an overwhelming number of MFA notifications to drive the user into accidentally approving the login attempt, or approving it just to make the prompts go away.

Finally, more advanced but still very real: malicious cyber actors take advantage of vulnerabilities in the Signaling System 7 (SS7) protocol, a set of telecommunications signaling protocols used for setting up and managing telephone calls and text messaging, to acquire MFA codes sent through text messages (SMS) or voice calls to a mobile phone.

When any of these attacks are successful, they potentially enable a malicious actor to acquire MFA authentication credentials or circumvent MFA to reach MFA-protected systems.

MFA Comparison

MFA authentication forms have evolved over the years to become more secure and more resistant to ever-growing cybersecurity threats.

OTP via SMS or voice, also known as Two-Factor Authentication (2FA), involves users providing their password as the first factor. Upon login, a one-time verification code is sent via SMS or voice call to their registered phone number. They enter this code to gain access, adding an extra layer of security to the login process. This method ensures that users possess both a password and physical access to their mobile device.


App-based authentication in MFA relies on a dedicated mobile app that users must install on their mobile device to complete the authentication process. We can mainly distinguish three versions, or evolutions, of it.

App-based authentication with Push notification is the most basic authentication form. It begins with users entering their password as the first factor; the second factor involves a push notification sent to the user's registered mobile app, that they need to manually approve to complete the login, enhancing security by confirming their presence and consent for access.


App-based authentication using a One-Time Passcode (OTP) improves on the previous form. It involves users providing their password as the first factor. The second factor is a unique, time-sensitive code generated by either a mobile app, such as Microsoft Authenticator or Google Authenticator, or a physical device, such as a hardware token. Users need to provide that OTP during login, enhancing security by requiring something they know (the password) and something they have (the mobile app or token).


App-based authentication with number matching is one of the latest evolutions. It involves users entering a password as the first factor; the second factor comes from a dedicated mobile app or physical device, which generates a unique code. Additionally, the system verifies that the user's account or device matches the expected number or information, enhancing security.


Source: https://bit.ly/blog-231031

Fast Identity Online (FIDO) and Web Authentication (WebAuthn) are standards for passwordless and strong authentication for online applications and services, allowing users to log in without traditional passwords by using biometrics, hardware tokens, or other secure methods. This approach enhances security, reduces reliance on passwords, and simplifies the authentication process for users.


Public Key Infrastructure-based (PKI-based) MFA combines PKI technology with MFA methods for secure user authentication. It uses digital certificates and private keys for identity verification, typically requiring something the user knows (a PIN or password) and something the user has (a digital certificate stored on a smart card or mobile device). PKI-based MFA is commonly used in government, enterprise, and high-security environments to ensure robust authentication and data protection.

Let’s compare the different authentication methods to see whether they are resistant to the most common phishing-related attacks (Yes = resistant, No = not resistant):

Authentication method | Phishing | Push fatigue | SIM swap | SS7
OTP via SMS/voice | No | No | No
App-based with Push Notification | No | No
App-based with OTP | No | Yes
App-based with Number Matching | No | Yes
FIDO/WebAuthn | Yes
PKI-based | Yes

Recommendations

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) encourages organizations to adopt phishing-resistant MFA. While acknowledging that some applications may not immediately support it, organizations with non-phishing-resistant MFA systems should implement extra prevention and detection measures, such as number matching.

CISA also advises organizations to identify systems without MFA support and create plans to either enable MFA on these systems or transition to MFA-supported alternatives. Integration with enterprise identity and Single Sign-On (SSO) systems can often add MFA support to business applications. If direct integration is not possible, technology is available to connect various legacy system types with modern MFA and SSO solutions.

From the earlier comparison, it is clear that FIDO/WebAuthn and PKI-based MFA are the most secure authentication forms for a phishing-resistant MFA process.

FIDO/WebAuthn authentication relies on cryptographic credentials, usually in the form of passkeys: key material generated using strong algorithms and stored securely, either on the user's desktop computer or mobile device, on an external security key (hardware token) connected physically over USB or wirelessly over Near Field Communication (NFC) or Bluetooth Low Energy (BLE), or online in a password manager. They are stored encrypted and protected by either biometrics (e.g., fingerprint or face scan), a PIN, or the device password, the same one used to unlock the device's screen lock.
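To show why the comparison above comes out the way it does, here is an added Python example (not code from this post or from ISEC7): an RFC 6238 TOTP verifier beside a simplified WebAuthn-style assertion check. The TOTP check has no way to tell which site a code was typed into, whereas the WebAuthn check rejects an assertion whose clientDataJSON origin or rpIdHash does not belong to the relying party. The per-credential HMAC key standing in for the authenticator's private-key signature, and all secrets and names, are constructed assumptions.

```python
import hashlib
import hmac
import json
import struct

# --- TOTP (RFC 6238): the code depends only on the shared secret and the time.
def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def verify_totp(secret: bytes, code: str, t: int, step: int = 30) -> bool:
    # Nothing in the code tells the server where the user typed it, so a code
    # relayed from a look-alike site is as valid as one typed into the real one.
    return any(hmac.compare_digest(totp(secret, t + d * step), code) for d in (-1, 0, 1))

# --- WebAuthn-style assertion: the signature covers rpIdHash || SHA-256(clientDataJSON),
# and clientDataJSON records the origin the browser actually talked to.
# Constructed simplification: HMAC with a per-credential key stands in for the
# authenticator's private-key signature; the verifier's checks keep the same shape.
def make_assertion(cred_key: bytes, rp_id: str, origin: str, challenge: str):
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
    ).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash + UP flag
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return client_data, auth_data, sig

def verify_assertion(cred_key: bytes, rp_id: str, expected_origin: str, challenge: str,
                     client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False                      # replayed or stale challenge
    if cd.get("origin") != expected_origin:
        return False                      # origin binding: a relayed login is rejected here
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False                      # credential scoped to a different relying party
    signed = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)
```

With the RFC 4226 test secret 12345678901234567890, totp() returns 287082 at t=59, and verify_totp accepts it no matter which site collected it; an assertion built for any origin other than the relying party's own fails verify_assertion.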

PKI-based MFA also relies on certificates, issued by an internal enterprise Certificate Authority (CA), and therefore requires a Public Key Infrastructure (PKI) to be in place within the organization. The user identity certificates are stored in the chip of a smart card, protected by either a password or a PIN; the smart card reader can be embedded in the device, such as a laptop, connected physically over USB, or connected wirelessly over Bluetooth or NFC. The most common smart card systems are Personal Identity Verification (PIV), used by U.S. federal employees, and the Common Access Card (CAC), used by the U.S. Department of Defense (DoD) and focused on military access.

How ISEC7 Can Help You with Your ZTA Deployment

ISEC7 can help with building and deploying a Zero Trust (ZT) security strategy, incorporating all required elements into your network to meet the new standards and reach your optimal cybersecurity goals. Our cybersecurity professionals are well versed in the DOD Zero Trust and CISA Maturity Model and implement technology in accordance with their requirements.

Through consistent updates and monitoring, we ensure that your cybersecurity practices stay up to date with the latest security enhancements and policies.

Contact

Find out more regarding ISEC7’s Services and Solutions.