Why MFA alone won’t protect you in the age of hostile AI

It has long been thought that multi-factor authentication (MFA) – in the form of push notifications, authenticator apps or other secondary steps – would be the answer to the growing cybersecurity problem.

But hackers are cunning and are constantly coming up with new ways to breach MFA’s fortress.

Today’s businesses need even stronger defenses. Experts say MFA is still critical, but should only be a small part of the authentication process.

“Traditional MFA methods, such as SMS and push notifications, have proven vulnerable to a variety of attacks, making them almost as susceptible as passwords alone,” said Frank Dickson, group vice president of security and trust at IDC. “The growing prevalence of advanced threats requires a move toward stronger authentication methods.”

Why is MFA not enough?

The once time-tested practice of relying on passwords now seems quaint.

No matter what mix of letters, numbers and special characters they contained, passwords were easy to steal because users were careless, lazy, gullible or too trusting.

“Traditional passwords are simply shared secrets, not much more sophisticated than a Roman sentinel asking for the secret codeword thousands of years ago (‘Halt, who goes there? What’s the passcode?’),” said Lou Steinberg, founder and managing partner at CTM Insights.

As Matt Caulfield, VP of identity security product at Cisco, told VentureBeat: “As soon as those were stolen, it was game over.”

MFA became increasingly mainstream from the mid-1990s into the 2000s as more and more companies moved online, and it seemed like the answer to the weakness of traditional passwords. But with digital transformation, the shift to the cloud and the adoption of dozens or even hundreds of SaaS apps, enterprises are more exposed than ever. They no longer sit safely behind firewalls and data centers, and they have lost control and visibility.


“MFA changed the game for a long time,” Caulfield said. “But what we’ve discovered over the last five years with these recent identity attacks is that MFA can be easily defeated.”

One of the biggest threats to MFA is social engineering or more personalized psychological tactics. Because people put so much of themselves online – through social media or LinkedIn – attackers have a free hand to conduct research on anyone in the world.

Increasingly sophisticated AI tools allow covert threat actors to mount campaigns “at scale,” Caulfield says. They will first use phishing to obtain a user’s primary login credentials, and then use AI-driven outreach to trick the user into sharing a secondary credential or taking an action that hands the attacker access to the account.

Or attackers spam the secondary MFA channel (SMS or push notification), producing “MFA fatigue” until the user finally gives in and hits “allow.” Threat actors will also pressure victims by making situations appear urgent, or fool them into thinking they are receiving legitimate messages from an IT helpdesk.

Man-in-the-middle attacks let an attacker intercept a one-time code in transit between user and provider. Threat actors can also deploy tools that mirror login pages, tricking users into entering both their passwords and their MFA codes.

Enter passwordless

MFA’s weaknesses have driven many companies to adopt passwordless methods such as passkeys, device fingerprinting, geolocation or biometrics.

Passkeys authenticate users through cryptographic keys stored on their computer or device, explains Derek Hanson, VP of Standards and Alliances at Yubico, which produces the widely used YubiKey device.

Each party must provide proof of its identity and indicate its intention to initiate authentication. Users can log in to apps and websites with a biometric sensor (such as a fingerprint or facial recognition), PIN code or pattern.
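What makes a passkey resistant to the mirrored-login-page and man-in-the-middle attacks described earlier is that the authenticator signs a per-login challenge together with the origin the browser reports, and it only holds a key for the site it was registered with. The following Go program is an added, simplified model of that exchange; it is not Yubico’s or any other vendor’s implementation, and the names `Passkey`, `Register`, `Assert`, `Verify`, `PhishingOutcome` and the site names `bank.example` / `bank-example.com` are assumptions made for the illustration. It shows a legitimate login, then why a proxy on a lookalike domain cannot obtain a usable response: the authenticator refuses the unknown origin, and even a response signed for the lookalike fails verification at the real site because the origin is part of the signed data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Passkey is a simplified model of a WebAuthn credential: a P-256 key pair that the
// authenticator created for exactly one relying party (RP) ID. Hypothetical model,
// not any vendor's implementation.
type Passkey struct {
	RPID string
	priv *ecdsa.PrivateKey
}

// Register creates the credential and hands the public key to the site; the private
// key never leaves the authenticator.
func Register(rpID string) (*Passkey, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Passkey{RPID: rpID, priv: priv}, &priv.PublicKey, nil
}

// NewChallenge is the random nonce the relying party sends for each login, so a
// captured response cannot be replayed later.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// digest is what actually gets signed: the challenge bound to the origin the browser
// reports (the role clientDataJSON plays in WebAuthn).
func digest(challenge []byte, origin string) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}

func (p *Passkey) sign(challenge []byte, origin string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, p.priv, digest(challenge, origin))
}

// Assert is the user-facing login step. The browser, not the user, supplies origin,
// and the authenticator has no credential for any origin but its registered RP ID.
func (p *Passkey) Assert(challenge []byte, origin string) ([]byte, error) {
	if origin != p.RPID {
		return nil, fmt.Errorf("no credential for %q (registered for %q)", origin, p.RPID)
	}
	return p.sign(challenge, origin)
}

// Verify runs at the relying party over its own challenge and its own origin.
func Verify(pub *ecdsa.PublicKey, challenge []byte, rpOrigin string, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(challenge, rpOrigin), sig)
}

// PhishingOutcome models a proxy at lookalike relaying the real site's challenge to
// the victim. It reports whether the authenticator refused, and whether a response
// signed for the lookalike (if one could somehow be forced) would pass at the real site.
func PhishingOutcome(pk *Passkey, pub *ecdsa.PublicKey, challenge []byte, lookalike string) (refused, accepted bool) {
	if _, err := pk.Assert(challenge, lookalike); err != nil {
		refused = true
	}
	forced, err := pk.sign(challenge, lookalike) // deliberately skips the RP ID check
	if err != nil {
		return refused, false
	}
	accepted = Verify(pub, challenge, pk.RPID, forced)
	return refused, accepted
}

func main() {
	pk, pub, err := Register("bank.example")
	if err != nil {
		panic(err)
	}
	challenge, _ := NewChallenge()
	sig, _ := pk.Assert(challenge, "bank.example")
	fmt.Println("legitimate login verifies:", Verify(pub, challenge, "bank.example", sig), "sig", hex.EncodeToString(sig)[:16]+"...")
	refused, accepted := PhishingOutcome(pk, pub, challenge, "bank-example.com")
	fmt.Println("proxy at bank-example.com: authenticator refused =", refused, ", forced response accepted =", accepted)
}
```

The two properties worth noticing are that a fresh challenge per login defeats replay of a captured response, and that origin binding is enforced twice: once by the authenticator, which simply has no key for the lookalike, and once by the relying party, which verifies over its own origin. This is why passkeys are described as phishing-resistant rather than merely harder to phish.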


“Users don’t have to recall or manually enter long strings of characters that can be forgotten, stolen or intercepted,” Hanson said. This reduces the burden on users to make the right choices and not give away their credentials during a phishing attempt.

“Approaches such as device fingerprinting or geolocation can complement traditional MFA,” explains Anders Aberg, director of passwordless at Bitwarden. “These methods adjust security requirements based on user behavior and context – such as location, device or network – reducing friction and maintaining high security.”

The tandem use of devices and biometrics is increasing, Caulfield agrees. During initial login and verification, the user shows their face along with physical identification, such as a passport or driver’s license, and the system performs 3D mapping, which serves as a “liveness check.” Once the photo ID is confirmed against government databases, the system registers the device together with the fingerprint or other biometric data.

“You have the device, your face, your fingerprint,” Caulfield said. “Device trust is becoming much more prevalent as the new silver bullet for preventing phishing and AI-based phishing attacks. I call it the second wave of MFA. The first wave was the panacea until it wasn’t anymore.”

However, these methods are not completely foolproof either. Hackers can bypass biometric tools by using deepfakes or simply stealing a photo of the legitimate user.

“Biometrics are stronger than passwords, but once compromised they are impossible to change,” Steinberg says. “You can change your password if necessary, but have you ever tried to change your fingerprint?”

Use analytics and create a failsafe

Caulfield pointed out that organizations are integrating analytics tools and collecting mountains of data, but they are not using it to strengthen their cybersecurity.


“These tools generate a lot of telemetry,” says Caulfield, such as who is logging in, where and on what device. But then they “send it all into a black hole.”

Advanced analytics can help detect and analyze identity threats, even if only as a “stop gap or failsafe” after the fact when attackers bypass MFA, he said.
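The telemetry Caulfield describes (who logs in, from where, on which device) is enough to catch the two MFA-bypass patterns described earlier in the article: prompt spamming that ends in an “MFA fatigue” approval, and a session that appears from a location the user could not have reached in time. The Go program below is an added example, not code from Cisco or any identity provider; its log format, the event names (`push_sent`, `push_denied`, `push_approved`, `login_ok`), the users and the thresholds are all constructed for the illustration. It parses a small sample log and returns findings from two detections.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one sign-in telemetry record: when, who, what happened, where the
// attempt came from and which device answered.
type Event struct {
	At      time.Time
	User    string
	Kind    string // push_sent | push_denied | push_approved | login_ok
	Country string
	Device  string
}

// SampleLog is constructed sample data in a simplified "ts user kind country device"
// format; it is not output from any real identity provider.
const SampleLog = `2024-11-04T08:30:00Z alice login_ok US laptop-7f3
2024-11-04T09:00:05Z alice push_sent RO phone-a11
2024-11-04T09:00:20Z alice push_denied RO phone-a11
2024-11-04T09:00:41Z alice push_sent RO phone-a11
2024-11-04T09:00:55Z alice push_denied RO phone-a11
2024-11-04T09:01:10Z alice push_sent RO phone-a11
2024-11-04T09:01:30Z alice push_sent RO phone-a11
2024-11-04T09:01:44Z alice push_approved RO phone-a11
2024-11-04T09:01:45Z alice login_ok RO unknown-ff0
2024-11-04T09:05:00Z bob push_sent DE phone-b21
2024-11-04T09:05:12Z bob push_approved DE phone-b21
2024-11-04T09:05:13Z bob login_ok DE phone-b21`

// ParseLog turns the text log into time-ordered events.
func ParseLog(raw string) ([]Event, error) {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 5 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		events = append(events, Event{At: at, User: f[1], Kind: f[2], Country: f[3], Device: f[4]})
	}
	sort.SliceStable(events, func(i, j int) bool { return events[i].At.Before(events[j].At) })
	return events, nil
}

// DetectPushFatigue flags an approval preceded by at least minPrompts push prompts
// within window: the signature of a user worn down into tapping "allow".
func DetectPushFatigue(events []Event, minPrompts int, window time.Duration) []string {
	var findings []string
	for i, e := range events {
		if e.Kind != "push_approved" {
			continue
		}
		prompts := 0
		for j := i - 1; j >= 0 && e.At.Sub(events[j].At) <= window; j-- {
			if events[j].User == e.User && events[j].Kind == "push_sent" {
				prompts++
			}
		}
		if prompts >= minPrompts {
			findings = append(findings, fmt.Sprintf("%s: approved push after %d prompts in %s", e.User, prompts, window))
		}
	}
	return findings
}

// DetectImpossibleTravel flags a successful login from a different country than the
// user's previous one when the gap between them is shorter than minGap.
func DetectImpossibleTravel(events []Event, minGap time.Duration) []string {
	var findings []string
	last := map[string]Event{}
	for _, e := range events {
		if e.Kind != "login_ok" {
			continue
		}
		if prev, seen := last[e.User]; seen && prev.Country != e.Country && e.At.Sub(prev.At) < minGap {
			findings = append(findings, fmt.Sprintf("%s: login from %s only %s after login from %s", e.User, e.Country, e.At.Sub(prev.At), prev.Country))
		}
		last[e.User] = e
	}
	return findings
}

func main() {
	events, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range DetectPushFatigue(events, 3, 5*time.Minute) {
		fmt.Println("MFA fatigue:", f)
	}
	for _, f := range DetectImpossibleTravel(events, time.Hour) {
		fmt.Println("impossible travel:", f)
	}
}
```

On the sample data only alice is flagged, by both rules: four prompts within five minutes before her approval, and a login from a second country 31 minutes after the previous one. Bob’s single prompt and approval is normal use. In production the same logic runs over the identity provider’s sign-in export, and a finding is the trigger for revoking the session and re-verifying the user, which is the “failsafe after the fact” role the paragraph above describes.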

Ultimately, enterprises must have a fail-safe strategy, says Ameesh Divatia, co-founder and CEO of data privacy company Astonish. Personally identifiable information (PII) and other confidential data must be cryptographically protected (masked, tokenized, or encrypted).

“Even if there is a data breach, cryptographically secured data is useless to an attacker,” says Divatia. In fact, GDPR and other data privacy laws do not require companies to notify affected parties if cryptographically protected data is leaked, because the data itself is still safe, he pointed out.

“Fail safe simply means that if one or more of your cybersecurity mechanisms fail, your data is still safe,” Divatia said.
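Divatia’s three options for making leaked data useless, masking, tokenization and encryption, each serve a different access pattern, and they are easiest to compare in working code. The Go program below is an added example, not code from any vendor mentioned on the page; the `Vault` type, its method names and the customer record are constructed for the illustration. It encrypts a field with AES-256-GCM, binding the record identifier as additional authenticated data so a ciphertext cannot be transplanted onto another record, produces a keyed HMAC token that still supports equality lookups, and masks a value for display. The keys are the one thing that must not sit in the same database as the data; here they are generated in memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Vault holds the keys, which in practice live in an HSM or KMS rather than beside the
// data, so a dump of the database alone yields nothing usable. Hypothetical helper,
// not any vendor's product.
type Vault struct {
	aead   cipher.AEAD
	tokKey []byte
}

// NewVault expects a 32-byte key (AES-256) and a separate key for tokenization.
func NewVault(encKey, tokKey []byte) (*Vault, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, tokKey: tokKey}, nil
}

// Encrypt seals one field with AES-GCM under a fresh nonce. recordID is bound as
// additional authenticated data, so a ciphertext copied onto another record fails to open.
func (v *Vault) Encrypt(recordID, plaintext string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := v.aead.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return hex.EncodeToString(sealed), nil
}

// Decrypt reverses Encrypt; tampering, the wrong key or the wrong recordID is an error.
func (v *Vault) Decrypt(recordID, stored string) (string, error) {
	raw, err := hex.DecodeString(stored)
	if err != nil {
		return "", err
	}
	n := v.aead.NonceSize()
	if len(raw) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, raw[:n], raw[n:], []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Tokenize returns a deterministic keyed stand-in (HMAC-SHA256) for a value, so
// equality lookups and joins still work without the plaintext.
func (v *Vault) Tokenize(value string) string {
	m := hmac.New(sha256.New, v.tokKey)
	m.Write([]byte(value))
	return "tok_" + hex.EncodeToString(m.Sum(nil))[:24]
}

// MaskSSN keeps only the last four digits for display surfaces.
func MaskSSN(ssn string) string {
	d := strings.ReplaceAll(ssn, "-", "")
	if len(d) < 4 {
		return "***"
	}
	return "***-**-" + d[len(d)-4:]
}

func main() {
	encKey, tokKey := make([]byte, 32), make([]byte, 32)
	rand.Read(encKey)
	rand.Read(tokKey)
	vault, err := NewVault(encKey, tokKey)
	if err != nil {
		panic(err)
	}
	// Constructed customer record; the stored form is what a breach would expose.
	id, ssn, email := "cust-1001", "123-45-6789", "alice@example.com"
	ct, _ := vault.Encrypt(id, ssn)
	fmt.Println("stored:", id, ct, vault.Tokenize(email), MaskSSN(ssn))
	pt, err := vault.Decrypt(id, ct)
	fmt.Println("with key:", pt, err)
	_, err = vault.Decrypt("cust-2002", ct)
	fmt.Println("ciphertext moved to another record:", err)
}
```

The stored row contains a random-looking ciphertext, a token and a masked string; none of them reveals the SSN or e-mail without the keys, which is exactly the condition under which Divatia says a breach of the database is not a breach of the data. Note that the token is deterministic by design (that is what makes lookups work), so it leaks equality between records; it should be used only where that is acceptable.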

There’s a reason it’s called “multifactor.”

However, this does not mean that MFA will disappear completely.

“Overall, the hierarchy of authentication starts with MFA, as weak MFA is still better than no MFA at all, and that shouldn’t be overlooked,” Dickson said.

As Caulfield noted, it’s called multi-factor authentication for a reason: “multi” can mean anything. Ultimately, it could be a mix of passwords, push notifications, fingerprint scans, physical possession of a device, biometrics, hardware or RSA tokens (and whatever comes next).

“MFA is here to stay; the question now is ‘How good is your MFA? Is it simple, mature or optimized?’” he said. Ultimately, however, he emphasized, “There will never be a single factor that is completely safe in itself.”
