MFA Weaknesses
Why do we need a new approach to authentication? Bypassing existing MFA techniques to garner employee credentials or to take over employee accounts has become child's play for attackers. There are even videos on YouTube explaining how to do it. Techniques range from simple phishing to push bombing — where attackers send push notifications until the employee accepts one — to more complex SS7 communications protocol exploits to obtain texted MFA codes.
For example, take the common MFA technique of using a push notification as the second factor.
One common approach the attackers use is to create a fake company login page, then send out phishing emails to drive employees to that page. When an employee enters their username and password into the fake page, the attacker simply takes the credentials and enters them into the real login page. When the employee receives the MFA request (the push notification), they are likely to treat it as genuine and click "Yes." With that simple approach, the attacker has now compromised the employee's account and has a beachhead into the company's network that can allow them to move laterally and install malware or ransomware.
People as a Point of Failure
Not all vulnerabilities are technical. Social engineering is becoming more sophisticated, with attackers using texts and voice calls targeted at specific employees to add credibility and urgency to that phishing email. The attackers pose as IT technicians or other trusted authorities to create that trust with the targeted employee. These techniques can be very effective, as hapless users willingly will do as asked, assuming they are speaking with a trusted person from their own organization.
Enter the FIDO2 Standard
So, what is FIDO2, and how can it help address these MFA vulnerabilities? Developed by the Fast Identity Online (FIDO) Alliance, FIDO2is an authentication method containing two components: WebAuthn (W3C) and CTAP (FIDO Alliance), which together eliminate the security gaps in standard MFA services.
With FIDO2, the site requesting authentication constructs the authentication challenge, encrypts it with the registered authenticator's public key, and sends it to the user by way of the user agent (browser) that originally requested access. The browser adds some context and forwards to the attached authenticator. The authenticator decrypts the challenge with its private key and compares it with its own registration records and the context provided by the browser. By nature of this process, attackers using stolen credentials are blocked (they receive the challenge but can't do anything, as they don't have the authenticator). Attackers who are actively man-in-the-middle are detected and blocked as well (they can replay the bidirectional traffic, but they cannot construct a challenge that would be accepted by the authenticator). This method makes it virtually impossible to compromise MFA. The key features of FIDO2 are:
- Authentication credentials are based on private/public key pairs.
- No shared secrets — the private key is generated by the FIDO2 authenticator, is stored in secure hardware on the authenticator, and cannot be exported or tampered with. Only the public key is sent to the server-side (website) when registering.
- Authentication challenges are delivered to the user agent (the browser), which adds context about the challenge and then delivers it to the attached FIDO2 authenticator, which allows detection of a man-in-the-middle.
- Platform authenticators (tied to the platform and only usable on that device) and roaming authenticators (that can be used across any device).
Why Isn't Everyone Using FIDO2 MFA?
Security professionals recognize the value that FIDO2-based MFA provides. However, because companies need to buy, distribute, and manage physical FIDO2 security keys, the added cost and complexity has slowed down adoption. In addition, users really dislike using a physical security key — it's yet another piece of hardware they have to carry around. Because of these factors, many companies will deploy FIDO2 for high-risk employees but use standard MFA for other employees.
Phish-Proof Protection
Authentication methods based on FIDO2 are the closest thing there is to a "phish-proof" solution, and the security community has taken note. The Cybersecurity and Infrastructure Security Agency (CISA) recently called FIDO "the gold standard" for authentication, urging corporate leaders to make it part of their MFA strategy. US federal agencies are also moving to FIDO2 to address the vulnerabilities of existing MFA techniques.
As it becomes more widely recognized, expect to see FIDO2 as a recommended or even required standard for online interactions/transactions where critical data must be protected. Currently, most underwriters of cyber insurance require MFA implementation to qualify for coverage. It's not a stretch to imagine that requirement expanding to include FIDO2.
Time to Up Your Game
For any organization concerned about cybercrime — and the economic and reputational risk it poses — proactively adopting FIDO2 authentication seems like a smart business move. For organizations that rely on vendors or partners for their online employee and/or customer interactions, now is a good time to find out whether they have adopted FIDO2.
As cybercriminals continue to up their game, organizations must do likewise. Don't wait until an attacker finds your weakness. Now is the time to take a critical look at your authentication protocols and see how FIDO2 can address MFA deficiencies and close that door.
