Insights > Blog

Hardening Measures for Multi-Factor Authentications

Authentication plays an important role in any system nowadays. It verifies whether someone is in fact who claims to be. Basic authentication comes in form of password but for some time now, Multi-Factor Authentication (MFA) as been seen as a standard and a “must have” since it provides extra protection. MFA can be implemented and used in many ways like physical tokens, biometrics, software apps, SMS and more.

Since not everyone is aware of tokens or biometrics as a means to perform MFA, app-based methods are being adopted as a safer way to authenticate users instead of SMS’s or phone calls. A tendency that is growing according to Microsoft.

Basic MFA functioning relies on One-Time Passwords (OTP). Software apps like Authy or Microsoft Authenticator have implemented cryptographic hashing functions such as Hash-based Message Authentication Code (HMAC) to generate OTPs, that usually are composed by a 6-digit number, computed with a timestamp and a secret key.

In order to use a Multi-Factor Authentication, three factors must be considered and two of the three are required.

Those factors are:
a) Something you know. This method is based on the usage of a password or passphrase, a PIN or the answers to secret questions (challenge-response). It involves verification of something provided by the user.
b) Something you have. This can be a token device, a smartcard, an e-mail, a cell phone number or a smartphone in combination with an OTP software app. It involves verification of an item that the user has in their possession.
c) Something you are. Like fingerprint, facial or voice recognition, retina or iris scan. This method involves verification of characteristics inherent to the individual.

The subject of MFA has been suffering changes in order to become robust over the years. Malicious actors continue to discover new ways of compromising the authentication process as it has been seen most recently by groups like Lapsus$ that take advantage of the state of the fatigue of the users.

Considering the basic functioning of the concept, the following are five hardening measures that enhance the use of corporate MFA. The measures are based on currently best practices and recent forms of exploitation, employed by adversaries today.

1. Disable MFA Default Configuration for text messages

SMS as MFA tends to be widely used because it is easy to configure and only requires a phone number to receive the OTP. This out-of-band authentication is considered the weakest form of MFA and companies like NIST and Microsoft consider it deprecated and have been increasingly advising to leave aside its usage.

This type of MFA is vulnerable to SIM Swapping, does not rely in encryption, can be intercepted using software-defined-radios, FEMTO cells or SS7 intercept services, is phishable and can be brute-forced.

Changing the authentication process to physical tokens, biometrics or software based-app is highly recommended.

2. Disable Pop-Up Notifications to Avoid MFA Fatigue Attack (MFA Bypass)

Recently, threat actors, like the Lapsus$ group, have begun looking for ways to compromise what should be a security enhancing practice like app-based authentication. After threat actors obtaining valid credentials, they have been successfully compromising accounts with spamming/bombing push notifications by exploiting “MFA Fatigue”.

“MFA Fatigue” can be seen as a second factor authentication bypass and the modus operandi of the threat actors concerns the overload of notifications a user receives during a day to perform logins or approve different actions. With the overwhelming volume of notifications, fatigated users try to dispatch whatever pop-ups are upseting them and start putting security best practices aside.

Since the Covid-19 era, the overwhelming mobile pop-ups and notifications have increased considering that different business models have turned to remote work and enabled Virtual Private Network (VPN) to access internal resources.

With all the considerations declared, the attack is not particularly effective due the technology but the human state of constant attention in the context of the excessive number of notifications. Fatigated users tend to accept notifications when they want to make them disappear, and many MFA users are not familiar with this attack due its recent exploitation which ends in some cases in the approval of fraudulent notifications.

In sum, this type of MFA exploits the fatigue and human attention.

It is advised disabling pop-up notifications.

3. Block User Account After Several MFA Denials

Nowadays, most compromised accounts come from gathering passwords from data breaches and performing password stuffing attacks. Considering people use software app-based or SMS for the MFA, threat actors may abuse the OTP authentication by brute-forcing it.

In this sense, it is not common to find security controls by default to restrict the abuse of OTP authentication. Whenever possible, every account should be configured to be blocked or to initiate a password recovering process after a certain number of MFA denials occur.

App-based MFA is vulnerable to brute-force, phishing and malware running in the victim’s device.

In this context, configuring a maximum number of MFA denials should be a necessary rule.

4. Block Access By Location

Foreigner origins not expected for daily labour should not be used for authentication. For example, in a scenario with no restrictions implemented, a threat actor after gathering a pair of credentials from a data breach and that bypasses the MFA using the MFA Fatigue attack, would not have his location as an obstacle, however distant might be, to successfully compromise the victim’s account.

Blocking accesses by location consistently reduces the authentications allowed which consequently reduces the attack’s surface.

In summary, it is advised enabling authentication only for the countries known for daily work. Authentications from countries not recognized by the company as legitimate, should be blocked.

5. Configure Physical Token or Biometric Authentication

Physical tokens and biometric authentications use FIDO U2F protocol for authentication. The protocol is designed to act as a second factor to strengthen the username/password-based login flows. It uses public-key encryption, which means that for each service used, a new pair of keys is generated and an unlimited number of services can be supported, all while maintaining full separation between them to preserve privacy.

The U2F protocol can be used in 3 ways.
1. Passwordless or tokenless: the user just needs to unlock the device using biometrics.
2. For mobile: the user inserts the username and password and then touches the registered physical token. The communication between the token and the registered devices is made via NFC or bluetooth.
3. For USB: the user types the username and password, inserts the physical token into the computer and touches the button.

The U2F protocol also guarantees that the user login is bound to the real site. In other words, the authentication will fail on a fake site even if the user is convinced it was real. In short, the origin binding mitigates most of the attack’s surface, including sophisticated phishing attacks.

For the token usage, this type of MFA is vulnerable to hardware theft. For this purpose it is advised having a second physical token as backup stored in a safe location.

Author: André Monteiro – Cipher Cybersecurity Auditor, Portugal.

References

https://www.pcisecuritystandards.org/pdfs/Multi-Factor-Authentication-Guidance-v1.pdf

Disable MFA Default Configuration for text messages:

https://danielmiessler.com/blog/casmm-consumer-authentication-security-maturity-model/
https://www.pcisecuritystandards.org/pdfs/Multi-Factor-Authentication-Guidance-v1.pdf
https://www.forbes.com/sites/zakdoffman/2020/11/17/microsoft-warning-about-sms-security-codes-sent-to-apple-iphone-and-google-android-phones/
https://www.zdnet.com/article/microsoft-urges-users-to-stop-using-phone-based-multi-factor-authentication/

https://blog.mozilla.org/en/internet-culture/mozilla-explains/mozilla-explains-sim-swapping/

https://privacypros.io/u2f/sim-swapping/

Disable Pop-Up Notifications to Avoid MFA Fatigue Attack (MFA Bypass)

https://www.gosecure.net/blog/2022/02/14/current-mfa-fatigue-attack-campaign-targeting-microsoft-office-365-users/
https://www.mandiant.com/resources/russian-targeting-gov-business
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-phone
https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/

https://twitter.com/_mg_/status/1506743225813331969

Configure Physical Token or Biometric Authentication

https://www.yubico.com/resources/glossary/fido-u2f/
https://www.yubico.com/authentication-standards/fido-u2f/

https://inteltechniques.com/book7.html

0 Comments

Submit a Comment Cancel reply

GET EMAIL UPDATES

Information Security Maturity Self-Assessment Survey

Learn More

• Whitepapers
• E-books
• Checklists
• Self-Assessments
• Webcasts
• Infographics

Cookie	Duration	Description
__cfruid	session	Cloudflare sets this cookie to identify trusted web traffic.
__hssrc	session	This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.

Cookie	Duration	Description
__hstc	1 year 24 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_86671402_1	1 minute	This cookie is set by Google and is used to distinguish users.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
ajs_anonymous_id	never	This cookie is set by Segment.io to check the number of ew and returning visitors to the website.
ajs_user_id	never	The cookie is set by Segment.io and is used to analyze how you use the website
CONSENT	16 years 3 months 14 days 7 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
hubspotutk	1 year 24 days	This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
driftt_aid	2 years	The driftt_aid cookie is an anonymous identifier token set by Drift.com for tracking purposes and helps to tie the visitor onto the website. The cookie also allows Drift to remember the information provided by the site visitor, through the chat on successive site visits.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Cookie	Duration	Description
ajs_group_id	never	This cookie is set by Segment.io. The purpose of the cookie is currently not identified.
AnalyticsSyncHistory	1 month	No description
debug	never	No description available.
drift_aid	2 years	No description
drift_campaign_refresh	30 minutes	No description available.
li_gc	2 years	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.

Insights > Blog

0 Comments

Submit a Comment Cancel reply

GET EMAIL UPDATES

Information Security Maturity Self-Assessment Survey

Learn More

Social Media

LinkedIn

Powered by Juicer

View on LinkedIn

Social Media

Twitter

Twitter feed is not available at the moment.

Social Media

Facebook

Insights

Whitepaper

Dig into the details of cybersecurity and regulations by reading our exclusive white papers. Each paper is written by an expert at Cipher and full of insight and advice.

Learn more