According to the 2017 Verizon Data Breach Investigations Report “81% of hacking-related breaches leveraged either stolen and/or weak passwords.” A solution to this problem is to use Multifactor Authentication to prevent a stolen password from being enough for an adversary to gain access to critical systems. This has been true for a long time. Yet MFA is still only used for specific use cases, like remote access. And even there, not universally. Why is this? It is because MFA has traditionally been what social scientists call “a pain-in-the-ass” for both users and IT.
Something You Know, Something You Have
The multiple factors for MFA have always been “something you know” and “something you have”. The problem is that others may know what you know as well (stolen or guessed passwords). So, add in the “something you have”, which for years has been a small fob (or a phone app) that generates an ever-changing PIN, letting a user demonstrate that the “something they have” is the unique fob assigned to them.
This traditional approach is cumbersome for both users and IT. IT must distribute and configure the fobs, must train users to use them, and must deal with work-arounds and re-starts when users lose their fobs, forget to travel with them, or for a variety of reasons don’t have access to them when they need them. Users must slow down their workflow to generate a PIN and type it accurately into a user interface on a different system. Murphy’s Law dictates that when the stakes are the highest – when the wire transfer must be made, when the contract must be signed, when the server must be restarted – is precisely when the user will learn that they left their fob at home, or are in their car and cannot safely execute the workflow of creating and typing in a PIN.
Smartphones as MFA Fobs: A Really Dumb Idea
The industry has been trying to address these issues by developing methods for easier user workflow while not sacrificing security. New techniques have been developed, usually around smartphones, that send a notification to users after they present their credentials to have the user verify that they are in possession of a specific phone by pressing a button in response to receiving the notification. That is easier for the user than creating and typing in a PIN.
But I must ask myself – is this really the ultimate solution for MFA that the world desperately needs or is this just the tweak-of-the-day?
It seems like the latter to me, for a few important reasons.
- User workflow is still awkward. The user still needs to be in possession of the device that receives the notification and respond to the notification. The MFA logic becomes “something you know” plus “something else you own, have in your possession, hasn’t run out of battery, is on, and you are able to fiddle with it”.
- Smartphones are complex devices with their own software vulnerabilities. If you want to see something scary and you have 6 minutes to spare, look at https://blog.knowbe4.com/heads-up-new-exploit-hacks-linkedin-2-factor-auth.-see-this-kevin-mitnick-video. Say what you will about old-time hardware fobs – those simple, single-purpose devices unconnected to any network were pretty much impossible to hack!
- A human is involved in this process. Humans can be tired. They can be extremely busy. They can be … not so smart. This leads to all kinds of social engineering possibilities. If I have stolen someone’s password, I probably have their user name. If I have their user name, I can probably guess their e-mail address. If I know their e-mail address and a little more about them, I can probably construct an authoritative-sounding e-mail instructing them to press the notification the next time they see it come in, “to help with testing of the system.”
Or, all that may not be necessary. Several pen testers have noted that they have gained access to MFA-protected systems because busy and inattentive users pressed the notification button themselves on receiving it. Busy people are always doing something. Maybe they did just attempt access to that app. Maybe they just want the notification to go away so that it doesn’t block something else on their screen.
You just can’t count on anything being secure that requires proper human action or diligence.
It’s Time to Rethink MFA
So … it’s not totally user-friendly, and it introduces some new security holes. I don’t really see how this incremental (at best) enhancement is the be-all and end-all of MFA. We’re going sideways in an area where we really need to be game-changing.
Transparency is Key
What’s needed is a method to make MFA completely transparent to end users. If you make it transparent, you can make its use universal. You can have it working for you when employees access systems on the LAN or in the cloud, and when remote workers or third parties access internal systems or SaaS accounts. You can make strong authentication as prevalent as TCP/IP itself. Adversaries will need to find an alternative way to attack, having lost any advantage from having successfully stolen credentials.
Software is Key
The way to achieve transparent MFA is to leverage software rather than repetitive user action. Software provisioned onto a user’s device creates a unique one-time password every time it connects; this, along with other artifacts, identifies that device and its device profile as belonging to a specific user. Any device which has not been provisioned with such software can’t get access to protected applications at all. The authorized user authenticates to the enterprise using their normal process (usually providing user name and password). An intermediary system then compares that user to the device being used. Mark’s credentials should only be coming from Mark’s device profile. Anything else implies that stolen credentials are being presented, and access should be denied. The “something you know” remains (usually) user name and password, but the “something you have” is the usual device (or devices) that workers use to access corporate applications and SaaS accounts. This all operates “under the hood”, transparently to end users.
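To make the device-to-user correlation concrete, here is an added illustration (not the product’s or the author’s code) of an intermediary that accepts a login only when the password is correct AND the one-time password comes from a device provisioned for that same user; the HMAC-over-counter device credential, the user and device names, and the result strings are all assumed for the example.

```python
import hashlib
import hmac
import os
import secrets
import struct


class TrustedAccessBroker:
    """Illustrative intermediary: correlates "something you know" (password)
    with "something you have" (a secret provisioned onto one user's device)."""

    ITERATIONS = 100_000

    def __init__(self):
        self._users = {}    # username -> (salt, password hash)
        self._devices = {}  # device_id -> [owner username, device secret, last counter seen]

    def register_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def provision_device(self, username, device_id):
        """Bind a device to exactly one user; returns the secret installed on the device."""
        secret = secrets.token_bytes(32)
        self._devices[device_id] = [username, secret, 0]
        return secret

    @staticmethod
    def device_otp(secret, counter):
        """What the provisioned client software computes per connection (HOTP-style)."""
        return hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).hexdigest()

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def authenticate(self, username, password, device_id, counter, otp):
        user = self._users.get(username)
        if user is None or not hmac.compare_digest(user[1], self._hash(password, user[0])):
            return "denied: bad user name or password"
        device = self._devices.get(device_id)
        if device is None:
            return "denied: unprovisioned device"          # stolen password, unknown machine
        owner, secret, last_counter = device
        if owner != username:
            return "denied: device not bound to this user"  # Mark's password from Alice's device
        if counter <= last_counter:
            return "denied: replayed one-time password"
        if not hmac.compare_digest(otp, self.device_otp(secret, counter)):
            return "denied: bad device credential"
        device[2] = counter  # advance the counter so this OTP cannot be reused
        return "granted"
```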
Trust is Key
Such a system, called Trusted Access Control, correlates user and device credentials together to create MFA, and goes on to deliver benefits beyond the scope of this blog, such as authorization policy enforcement and device compromise detection.
It is clear to me that the combination of using transparent MFA for strong and user-friendly authentication along with device biometric control for local device access (eliminating the stolen device risk) will be the winning combination. Easier for users, easier for IT, more secure.