Multi-factor authentication has multifaceted problems
By Steve Singer, Senior Regional Vice President, Country Manager – Australia & New Zealand, Zscaler
Wednesday, 20 December, 2023
In today’s digital landscape, securing user identities is paramount to safeguarding sensitive information and systems from cyber threats. Multi-factor authentication (MFA) has long been regarded as a powerful security measure. However, recent developments in cyber attacks have exposed vulnerabilities in MFA, prompting the need for a more comprehensive approach to identity verification.
Zscaler’s ThreatLabz uncovered a significant phishing campaign that bypassed MFA by utilising adversary-in-the-middle (AiTM) tactics. This sophisticated attack involved redirecting users to a malicious site, intercepting passwords and MFA-verified session cookies. With this, attackers were able to steal users’ credentials and gain access to sensitive information without raising alarms.
Apart from AiTM attacks, simpler methods have also been employed to bypass MFA. By bombarding a target with MFA notifications and employing social engineering techniques, threat actors have successfully convinced contractors to approve the MFA requests, enabling them to bypass MFA without any technical skill. Furthermore, SIM swapping has emerged as another technique, where threat actors manipulate telecom providers to switch a target’s phone number to an attacker-controlled SIM card. This allows the attacker to receive MFA requests and effortlessly circumvent the security measure.
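The notification-bombing pattern described above is visible in authentication logs before the victim gives in: a burst of push prompts to one account in a short window, possibly followed by an approval. The following is an added illustration of that detection logic, not code from Zscaler or the original article; the log format, field names and thresholds are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real product): timestamp, user, event.
# "alice" receives a burst of pushes and finally approves; "bob" is a normal login.
SAMPLE_LOG = """\
2023-12-20T09:00:01Z alice push_sent
2023-12-20T09:00:03Z alice push_denied
2023-12-20T09:00:10Z alice push_sent
2023-12-20T09:00:12Z alice push_denied
2023-12-20T09:00:20Z alice push_sent
2023-12-20T09:00:25Z alice push_sent
2023-12-20T09:00:31Z alice push_sent
2023-12-20T09:00:40Z alice push_approved
2023-12-20T09:05:00Z bob push_sent
2023-12-20T09:05:04Z bob push_approved
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, user, event)."""
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event


def detect_push_fatigue(log_text, threshold=4, window=timedelta(minutes=2)):
    """Flag users who receive at least `threshold` push prompts within `window`.

    Each alert records how many prompts were in the window when the burst was
    first flagged and whether an approval arrived after the burst, which is the
    outcome a responder most needs to act on (revoke the session, reset MFA).
    """
    recent = defaultdict(deque)  # user -> timestamps of push_sent inside the window
    alerts = {}                  # user -> alert dict, one per flagged user

    for line in log_text.strip().splitlines():
        ts, user, event = parse_line(line)
        if event == "push_sent":
            q = recent[user]
            q.append(ts)
            # Drop prompts that have aged out of the sliding window.
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and user not in alerts:
                alerts[user] = {
                    "user": user,
                    "first_flagged": ts,
                    "pushes_in_window": len(q),
                    "approved_after_burst": False,
                }
        elif event == "push_approved" and user in alerts:
            # An approval after a burst is the signal that the fatigue attack succeeded.
            alerts[user]["approved_after_burst"] = True

    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

On the constructed log this flags only `alice`, with four prompts in the window at the moment of detection and an approval afterwards; `bob`'s single prompt and approval never reach the threshold. In a real deployment the threshold and window would be tuned to the identity provider's normal prompt rate, and the `approved_after_burst` flag is the condition that should page someone rather than just raise a low-priority ticket.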
Identity access management: embracing a holistic approach
While MFA remains a valuable layer of security, it is crucial to recognise its limitations and consider a more comprehensive approach to identity verification. Rather than relying solely on MFA, organisations should embrace identity access management (IAM) technologies. IAM offers various approaches to verify user identity, minimising susceptibility to the exploits successfully leveraged against MFA. Additionally, IAM encompasses identity verification for devices, networks and services, providing a holistic solution for comprehensive security.
The shifting landscape of authentication
Cybersecurity measures must adapt continually to keep pace with evolving threats. The transition from single passwords to MFA was an important step, but as the vulnerabilities of MFA become evident, it is vital to integrate new authentication methods. IAM providers, AI analysis, biometrics and location data are some of the tools organisations can leverage to enhance identity verification. By embracing these advanced technologies, organisations can harness a more robust security posture and stay one step ahead of adversaries.
Balancing security and user experience
Authentication is a delicate balance between security and user experience. Instead of employing a one-size-fits-all MFA approach, organisations should adopt a more granular authentication process based on the sensitivity of the resource being accessed. Lower value resources may require simple MFA from any device and network, while higher-sensitivity applications may demand a compliant, corporate-managed device along with MFA. Highly sensitive resources should incorporate more elaborate measures, such as a compliant, managed device, MFA with a physical token, and access restricted to a known network or zero trust network access (ZTNA) service. It’s important to remember that passing an MFA challenge only verifies the authenticator but does not guarantee identity, necessitating additional security measures for highly sensitive resources.
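The three tiers above map directly onto an access-policy decision: the same request context (what authenticator was used, whether the device is managed and compliant, where the connection comes from) is held to stricter requirements as the resource's sensitivity rises. The following is an added example of such a tiered policy evaluator, not code from Zscaler or the original article; the tier names, the `AccessContext` fields, the method string `hardware_token` and the network labels `known` and `ztna` are assumptions made for the illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Sensitivity(Enum):
    LOW = 1      # simple MFA from any device and network
    MEDIUM = 2   # MFA plus a compliant, corporate-managed device
    HIGH = 3     # managed device, MFA with a physical token, known network or ZTNA


# Assumed method names; only the physical token counts as phishing-resistant here,
# because push and SMS codes can be relayed or socially engineered (as the article notes).
PHISHING_RESISTANT_METHODS = {"hardware_token"}
TRUSTED_NETWORKS = {"known", "ztna"}


@dataclass
class AccessContext:
    mfa_method: Optional[str]   # None, "push", "sms" or "hardware_token" (assumed labels)
    device_managed: bool
    device_compliant: bool
    network: str                # "known", "ztna" or "unknown" (assumed labels)


def evaluate(resource: Sensitivity, ctx: AccessContext) -> Tuple[bool, List[str]]:
    """Return (allowed, unmet_requirements) for one access request.

    Every tier requires MFA. Higher tiers add device and network checks because,
    as the text says, passing an MFA challenge verifies the authenticator, not
    the person's identity, so the extra factors limit what a stolen or coerced
    MFA approval can reach. The unmet list makes the decision explainable in logs.
    """
    unmet: List[str] = []

    if ctx.mfa_method is None:
        unmet.append("mfa required")

    if resource in (Sensitivity.MEDIUM, Sensitivity.HIGH):
        if not (ctx.device_managed and ctx.device_compliant):
            unmet.append("compliant managed device required")

    if resource is Sensitivity.HIGH:
        if ctx.mfa_method not in PHISHING_RESISTANT_METHODS:
            unmet.append("physical token required")
        if ctx.network not in TRUSTED_NETWORKS:
            unmet.append("known network or ZTNA required")

    return (not unmet, unmet)


if __name__ == "__main__":
    # Constructed request contexts for a quick demonstration.
    byod_push = AccessContext("push", False, False, "unknown")
    managed_push = AccessContext("push", True, True, "ztna")
    managed_token = AccessContext("hardware_token", True, True, "ztna")
    for tier in Sensitivity:
        for ctx in (byod_push, managed_push, managed_token):
            print(tier.name, ctx.mfa_method, ctx.network, evaluate(tier, ctx))
```

The point the example makes is that a push approval from an unmanaged device on an unknown network is enough for a low-value resource but is rejected for a high-sensitivity one with three separate reasons, while the same device with a hardware token on a ZTNA connection passes. Logging the unmet list rather than a bare deny is what lets a help desk distinguish a user who simply needs a managed device from an attempt that satisfied MFA but nothing else.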
In an evolving threat landscape, it is paramount for organisations to invest in technologies that provide end-to-end visibility across the entire IT ecosystem, thereby helping IT teams configure a more comprehensive cybersecurity approach — including identity verification.
When it comes to identity verification, IAM enables organisations to adapt to the rapidly changing cybersecurity landscape and ensure robust protection against evolving threats. The evolution of authentication is an ongoing journey, and staying ahead of adversaries requires embracing new tools and strategies to secure user identities effectively.