I have run across many "MFA" implementations that are only providing a false sense of security because they aren't actually MFA at all. After the most recent one, which had to do with income and financial documents I decided to write up a blog post so that I can share it with people to help them understand. Even though I am writing this to help people fix bad MFA implementation, hopefully at least a few readers will find this useful to set up MFA properly in the first place.
First, what is MFA? MFA stands for multi-factor authentication. The consensus is that there are only three possible factors that you can work with, so you MFA means that you MUST use at least two of these factors to access whatever it is that you are attempting to access. The three possible factors are:
- Something you know (like a password)
- Something you have (a physical item like a security key card, a company laptop, a specific cell phone, etc)
- Something you are (biometrics like fingerprints, voiceprint, retinal scan, etc)
- A bad actor lifts a cell phone off the table at a local coffee shop while its owner is up getting their latte. The owner didn't bother to lock the phone (which is why it was an ideal target for this bad actor) so as long as the thief keeps touching the screen every couple minutes it will never lock.
- The thief scrolls through the email on the cell phone and finds a link to an financial website (that is supposedly protected by MFA).
- The thief goes to the portal and finds that the username is an email address, so they use the email address of the account on the phone and select the "forgot password" link.
- Ding! The phone gets a reset password email from the portal website. The thief resets the password and attempts to log in.
- The thief is now presented with the "MFA" prompt, would they like to authenticate with:
- An Email message
- A text message
- An authenticator app
- The thief chooses "an email message" because they know that they have the email account, though likely a text message would come right to this phone and also likely the authenticator would as well.
- Ding! The thief gets the email for "MFA" and logs into the financial site.
- The thief proceeds to buy a bunch of cryptocurrency with the victims money and the disperse that into their laundering crypto-wallets.
- Apple Passwords has an option to require a fingerprint, PIN or password when you open the app or approve a notification and it is on by default on iDevices.
- Google Authenticator has an option to require a fingerprint, PIN or password when you open the app or approve a notification and it is on by default on Android devices.
- Microsoft Authenticator has an option to require a fingerprint, PIN or password when you open the app or approve a notification.
- Okta Verify does not have an option to require a fingerprint, PIN or password before displaying the authentication code. So, the scenario above would work just fine for the attacker if the authenticator app was SecurID.
- SecurID does not have an option to require a fingerprint, PIN or password before displaying the authentication code. So, the scenario above would work just fine for the attacker if the authenticator app was SecurID.
- Symantec VIP Access does not have an option to require a fingerprint, PIN or password before displaying the authentication code. So, the scenario above would work just fine for the attacker if the authenticator app was SecurID.
- The user should be able to set up a second email account for any/all recovery options. This is the most common mistake that I see made across "MFA" solutions.
- The user should choose an MFA solution (text/email/app/etc) at the time of their account setup and the other options should not be available during normal logon. Either use the one that was set up or use a recovery option. This is the second most common mistake that I see; what is the point of me setting up an authenticator app if you are still going to offer the would-be attacker the option of getting an SMS text or an email?
- A secure authenticator app (one that allows for that 2 factor on the phone) should be highly recommended during account setup.
- Email address should not be used as a username (not precisely an MFA item, but a basic security principle).
- Changing both the correspondence and recovery email addresses should be possible by the user. Yes, I have actually seen quite a few sites that do not allow you to change your email address. Usually the same ones that are using that email address as the logon.
- Require re-validation of the MFA (check their credentials again) to display/change the recovery address.
No comments:
Post a Comment