Recently, threat actors have leveraged MFA fatigue to breach Uber, Microsoft and Cisco. The cybercrime gang Lapsus$ is very keen on this technique.
The Cybersecurity and Infrastructure Security Agency (CISA) has published two fact sheets that describe the dangers of accounts and systems that use multi-factor authentication (MFA) in certain ways. CISA recommends that all organizations use phishing-resistant multi-factor authentication to prevent cyberattacks such as phishing.
If an organization that uses mobile push-notification-based multi-factor authentication is unable to provide phishing-resistant multi-factor authentication, CISA suggests using number matching as an alternative: the user must enter into the authenticator app a number displayed on the login screen, so a prompt cannot be approved blindly. Although number matching is not as secure as phishing-resistant multi-factor authentication, it is a good option for organizations that cannot immediately implement phishing-resistant multi-factor authentication.
The risks of using Multifactor Authentication
A cyber threat actor who has obtained a user’s password can enter it into an identity platform that uses mobile push-notification-based MFA to generate hundreds of prompts on a user’s device over a short period of time. This obviously irritates the user, who might accidentally or due to MFA fatigue accept the prompts to stop them. The user may be confused by the prompts, which might lead them to believe that one of them is genuine and approve it. As a consequence, the user unintentionally grants the cyber threat actor access to their account.
- Push bombing (or Push fatigue): Threat actors bombard users with push notifications until they press the “Accept” button, gaining access to the network.
- SS7 protocol vulnerabilities: Cyber attackers can intercept mobile multi-factor authentication (MFA) codes delivered to a phone via SMS or voice by exploiting the SS7 protocol used in telecommunications networks.
- SIM Swap: An attacker can gain control over a victim’s mobile device by persuading a mobile provider to switch the victim’s phone number to a SIM card controlled by the attacker.
- Phishing: Cyber threat actors use email or malicious websites to deceive victims into giving up sensitive information. A typical example of this social engineering tactic is a malicious website impersonating a company’s official login portal, used to fool a target into giving up their username, password, and the 6-digit code from their mobile phone’s authenticator app.
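As an added example (not from CISA or the original post), a simple detection rule for the push-bombing pattern described above, run over constructed identity-platform events: it flags a user who receives many push prompts in a short window and marks the alert as highest severity when an approval follows a run of denials. The event names, log format and thresholds are assumptions, not those of any real product.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, event); not real logs.
SAMPLE_LOG = """\
2022-09-15T22:01:03Z alice push_sent
2022-09-15T22:01:04Z alice push_denied
2022-09-15T22:01:20Z alice push_sent
2022-09-15T22:01:21Z alice push_denied
2022-09-15T22:01:35Z alice push_sent
2022-09-15T22:01:36Z alice push_denied
2022-09-15T22:01:50Z alice push_sent
2022-09-15T22:01:52Z alice push_denied
2022-09-15T22:02:05Z alice push_sent
2022-09-15T22:02:09Z alice push_approved
2022-09-15T22:03:00Z bob push_sent
2022-09-15T22:03:07Z bob push_approved
"""

PROMPT_THRESHOLD = 5           # assumed: prompts per user within WINDOW that trigger an alert
WINDOW = timedelta(minutes=5)  # assumed sliding window


def parse(log_text):
    """Parse the constructed log format into (datetime, user, event) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def detect_push_bombing(events, threshold=PROMPT_THRESHOLD, window=WINDOW):
    """Return {user: {"prompts": n, "denials": d, "approved": bool}} for bursts."""
    recent = defaultdict(deque)  # user -> push_sent timestamps inside the window
    denials = defaultdict(int)   # user -> consecutive denials since last approval
    alerts = {}
    for ts, user, event in sorted(events):
        if event == "push_sent":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:   # drop prompts older than the window
                q.popleft()
            if len(q) >= threshold:
                alerts[user] = {"prompts": len(q), "denials": denials[user], "approved": False}
        elif event == "push_denied":
            denials[user] += 1
        elif event == "push_approved":
            if user in alerts:                # approval after a burst: likely fatigue
                alerts[user].update(denials=denials[user], approved=True)
            denials[user] = 0
    return alerts
```

An approval that follows several denials inside a burst is the case worth paging on, since it matches the fatigue outcome described above.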
Secure MFA Implementation
Advice on deploying multi-factor authentication
- No phishing-resistant multi-factor authentication available: The vendor may not have prioritized the development of phishing-resistant MFA, or the product may no longer be supported. Organizations should then start with the services that do provide phishing-resistant MFA, such as most hosted mail and SSO systems that support FIDO. These are a good starting point because they hold valuable data and their vendors are likely to support FIDO.
- Trying to deploy everything at once: Due to operational considerations, the organization might not be able to roll out phishing-resistant MFA to all groups at the same time, or to train, enroll, and support all users at once. Identify which groups are suitable for an initial phase, such as the help desk and IT system administrators; lessons learned from earlier phases can then be applied in later ones.
- User resistance to change: The IT security team should present the dangers associated with using or maintaining potentially vulnerable MFA to the company’s senior leadership for approval. If senior leadership agrees that continuing to rely on vulnerable MFA is too risky, they are best positioned to handle the cultural and communications issues of the change.
The key to success when deploying MFA in an organization is to prioritize the implementation for the resources that the organization really wants to protect. This requires a good knowledge of its infrastructure and appropriate risk management.