Cybersecurity Topics in This Month's Update:
Understanding Authentication Types
With the recent news talking about how Google is adding support for passwordless authentication to Chrome and Android, you might be wondering what all this means to you, and how this all works. I would like to give a brief overview of how the various online authentication methods work, as well as the benefits and pitfalls of each one.
Username and Password
This is the basic online method of authentication, and is one of the easiest of the methods to use.
The end user doesn’t require any special device; all they need to remember is their username and a password.
This method is not very secure, as there are numerous ways for an attacker to get this information, and once they have it, the only way to lock them out is to change it. They can get it by using a key logger to see what you typed, or by setting up a fake site for you to attempt to log in to and harvesting the credentials that way. They can also obtain the credentials by hacking into the website you are logging into and stealing them from there. And if you use the same credentials across multiple sites, all they need to do is get the username and password from one site, and they will be able to try those credentials against other sites you use. The attackers can also just guess passwords until they gain access.
Username, Password, and SMS code
This method adds to the username and password method by having you enter a single-use code that is sent to your cellphone after you attempt to log in.
This is more secure than the basic username and password method because you are now also required to provide additional information to log in. The codes are single-use and sent to a device that is currently in your possession, so if an attacker captures one, they cannot reuse it later to regain access.
This method requires that you have your phone with you.
SMS delivery is also not completely reliable, so the code might not reach you at all, or might be delayed by minutes or hours, preventing you from logging in until you receive it.
This method can also be phished: if you are visiting a malicious site, the attacker can get you to enter your username and password, then your SMS code. They then use that to log into the real website, while telling you that the SMS code was wrong.
This method can also fall to SIM swapping attacks, where an attacker goes to the cellphone provider, claims they lost their phone, and buys a new phone and SIM card attached to your phone number. Or, if they steal your phone, they can just read the messages there (if you don’t have a PIN or password lock on your phone), or move the SIM card to their own phone so they receive the text messages.
Username, Password, and Push notification
This method adds to the username and password method by having you confirm your login by pressing a button in a popup on another device.
This is more secure than the username and password method due to having to confirm the login. It is more reliable than having to enter an SMS code, and you can register multiple devices to receive the notification.
This method also requires that you have another device with you.
It is also susceptible to a phishing attack, in that the attacker can get you to enter your username and password on a fake site, enter them into the real site, and get you to confirm the login via the notification on your device.
Another downside to this method is called MFA fatigue. This is where the attacker already has your username and password and repeatedly logs into the site to trigger push notifications, hoping that you accidentally press the confirm button, or press it because you think some app you are using is trying to log in again.
Username, Password, and TOTP (Authenticator app)
This method generates a one-time-use code, either in a special app based on the current time or on a specialized hardware device with a cycling code, which is required in addition to the username and password.
This method does not require any sort of access to a network or cell service to generate the code, and you can generate the code at any time. Fake login attempts will not alert you or bother you.
This method requires that you have another device with you.
It is also susceptible to a phishing attack, similar to the above methods.
If the time is wrong on either the server you are logging into, or the device you use to generate the codes, the codes will not match up, preventing you from logging in.
If the secret keys used to generate the codes are stolen off your device, the attacker can then generate their own TOTP codes.
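As an added example (not code from the original article), here is a minimal RFC 6238 TOTP generator with a server-side verifier that tolerates one 30-second step of clock drift. It shows how the code is derived from the current time and a shared secret, why a stolen secret lets anyone produce valid codes, and the clock-skew failure described above. The secret is the RFC test key, constructed for the demo, and the server time is an arbitrary assumed value.

```python
import hmac
import hashlib
import struct

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # length of the displayed code

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, now: float, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time.
    Anyone holding `secret` (the legitimate app or a thief) gets the same code."""
    return hotp(secret, int(now) // step)

def verify_totp(secret: bytes, code: str, server_now: float, skew_steps: int = 1) -> bool:
    """Server-side check. Accepts the current step plus/minus `skew_steps`
    to tolerate small clock drift; a larger clock difference is rejected."""
    counter = int(server_now) // STEP
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            return True
    return False

# Constructed shared secret (the RFC 6238 test key), not a real credential.
DEMO_SECRET = b"12345678901234567890"

def clock_skew_demo(skew_seconds: int) -> bool:
    """Models the clock-skew failure: the user's device clock is off by
    `skew_seconds` relative to the server. Returns whether the login succeeds."""
    server_now = 1_700_000_000          # assumed fixed server time
    device_now = server_now + skew_seconds
    code = totp(DEMO_SECRET, device_now)
    return verify_totp(DEMO_SECRET, code, server_now)
```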
Username, Password, and Security Key
This method uses a key exchange with the website in addition to the username and password.
This uses a phishing-resistant method to confirm the login. Because the website you are logging into verifies access with a key on the device you are using to log in, an attacker cannot intercept the communication on a fake site, as the keys do not match up. The verification does not work if the website is different from the one the verification was generated for. Each request is also cryptographically signed and different, so an attacker cannot capture a single login to the website and reuse it to log in later.
This does not necessarily need an external device; things like fingerprint readers built into your computer can be used as a security key.
This method may require that you have another device with you. Frequently these are done with hardware security keys that you plug into your computer when you are attempting to log into a website. These hardware keys are designed to not be able to be duplicated, so if you lose the key, you either need to use a backup key to get in, or revert to a less-secure method of login that is susceptible to phishing until you can get a new one.
Using a built-in device means that you still need another security key if you are logging in from a different computer.
Passwordless with Security Key
This method is similar to using a username, password, and security key, except it is much simpler because everything is verified with your security key, thus you do not even need to remember your username and password.
You just need to connect your security key to the device you are using to log in, click a special link on the login page, and the site logs you in automatically. The communication with the site is encrypted, so an attacker cannot phish the credentials to get in; your security device will simply refuse to talk to any website it has not been configured for.
You can potentially use a device built into your computer, such as a fingerprint reader, as the security key.
This method has the same downsides as the username, password, and security key method.
MFA Fatigue Attacks are an Ongoing Threat to Businesses
The rapid growth of technology in all areas has resulted in an ever-increasing threat of cyberattacks on businesses, governments, and individuals alike. MFA fatigue attacks are a prevalent business danger. This is a strategy in which a cybercriminal attempts to acquire access to a corporate network by blasting a user with MFA prompts until they ultimately accept one.
Multi-factor authentication (MFA) is a tiered end-user verification approach for securing data and applications. An MFA system requires a user to enter various combinations of two or more credentials in order to log in.
Cybercriminals use MFA fatigue attacks to overwhelm their victims with repeated 2FA (two-factor authentication) push notifications in order to fool them into authenticating their login attempts, increasing their chances of gaining access to critical information.
This effort may succeed if the target is distracted or overwhelmed by the notifications, or if they misinterpret them as valid authentication attempts.
In September 2022, a large MFA fatigue attack, sometimes known as MFA bombing, hit the ride-sharing behemoth Uber. Uber attributed the incident to Lapsus$, a hacker gang that began by stealing the credentials of an external contractor. Early investigation suggested that the Uber hack was the consequence of an MFA fatigue attack.
The prevalence of MFA overload and its consequences
Social engineering attacks are increasingly being used by cybercriminals to get access to their targets’ critical credentials. Hackers employ social engineering to exploit human error in order to obtain private information.
MFA fatigue is a tactic that hackers have used in recent years as part of their social engineering assaults.
Because the hackers are depending on their targets’ lack of training and understanding of attack vectors, this is a simple yet successful strategy with disastrous effects.
Because many MFA users are inexperienced with this type of attack, they may not realize they are approving a bogus notification.
Because MFA notifications arrive repeatedly, a user may become fatigued and mistake them for a bothersome system fault, accepting the notification as they did previously. Unfortunately, this gives the hacker access to the user’s vital infrastructure.
Because MFA bombing attacks have evident negative consequences on companies, firms should ensure that their key infrastructures and resources are secured from internal and external threats.
These attacks can harm a company’s reputation and erode customer trust, resulting in a loss of customers and sales volume. Furthermore, MFA fatigue attacks might disrupt your operations, result in the loss of critical information, and change your business processes.
Alternatives to MFA Fatigue
Overall, IT security is critical to the safety of your firm. Implementing cutting-edge security technologies can protect your company from persistent cyberattacks. Some of the steps you can take to avoid MFA fatigue are as follows:
Because it uses at least two factors to prove a user’s identity, multi-factor authentication can help reduce MFA fatigue. These factors include knowledge (what you know), ownership (what you own), and inherence (something you are).
Requests should be limited.
The goal here is to keep the number of MFA queries per user to a minimum. When a particular threshold is reached, the account is locked and the problem is escalated to the domain administrator.
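As an added example (not the article's own code, and not tied to any vendor product), the following Python replays a constructed MFA push log and applies the threshold idea described here and under push notifications: once a user has received too many push requests inside a sliding window, the account is marked for lockout and escalation, and an approval that follows a burst of denials (or arrives after a lock) is flagged as a likely fatigue success. The window and threshold values are assumed policy settings.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # sliding window (assumed policy value)
MAX_PUSHES = 5                  # pushes per user per window before lockout (assumed)
MAX_DENIALS = 2                 # denials before a later approval is suspect (assumed)

# Constructed sample MFA log (timestamp, user, event), not from any real system.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice push_sent
2024-05-01T09:00:05Z alice push_denied
2024-05-01T09:00:40Z bob push_sent
2024-05-01T09:00:45Z bob push_approved
2024-05-01T09:01:10Z alice push_sent
2024-05-01T09:01:15Z alice push_denied
2024-05-01T09:02:00Z alice push_sent
2024-05-01T09:02:30Z alice push_sent
2024-05-01T09:03:00Z alice push_sent
2024-05-01T09:03:10Z alice push_approved
"""

def _prune(q, now, window):
    """Drop timestamps that have fallen out of the sliding window."""
    while q and now - q[0] > window:
        q.popleft()

def evaluate(log_text, window=WINDOW, max_pushes=MAX_PUSHES, max_denials=MAX_DENIALS):
    """Replays the log in order and returns {user: [actions]}.
    'lock': stop sending pushes and escalate to the administrator.
    'suspicious_approval': an approval after a burst of denials or after a lock."""
    pushes, denials = defaultdict(deque), defaultdict(deque)
    locked, actions = set(), defaultdict(list)
    for line in log_text.strip().splitlines():
        stamp, user, event = line.split()
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        _prune(pushes[user], ts, window)
        _prune(denials[user], ts, window)
        if event == "push_sent":
            pushes[user].append(ts)
            if len(pushes[user]) >= max_pushes and user not in locked:
                locked.add(user)
                actions[user].append("lock")
        elif event == "push_denied":
            denials[user].append(ts)
        elif event == "push_approved" and (
                user in locked or len(denials[user]) >= max_denials):
            actions[user].append("suspicious_approval")
    return dict(actions)
```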
This is possible with technologies like the Specops uReset Active Directory self-service password reset solution. This system provides customers with a self-service portal through which they can reset their passwords or unlock their accounts using a star-based system that gamifies the verification procedure in a way that encourages end users to use it.
Education of end users
The majority of cyberattacks are the result of a lack of information. MFA bombing attacks can be avoided by educating your users about security dangers. Furthermore, this education raises your consumers’ awareness of their own regular cyber security activities.
Specops offers self-service password reset software that lets organizations reduce suspicious reset calls to the IT service desk for better security against MFA-related cyberattacks. End-users can securely reset their Active Directory credentials regardless of location or device using Specops solutions, giving them control over MFA alerts and when to anticipate them.
Security is critical for your day-to-day business operations. As a result, evaluate the safety of your organization’s key infrastructure and make it your top priority.
With cyber dangers emerging at nearly the same rate as new digital trends and corporate practices, staying one step ahead is essential. You can accomplish this by utilising Specops’ enhanced password security solutions.