Tag Archive for: multifactor

Multi-Factor Authentication is Not Foolproof Protection


Multi-Factor Authentication (MFA) has become increasingly common both in business and personal use. Yet, despite MFA providing increased security, threat actors are using the availability of sophisticated technology and even legitimate infrastructure to bypass this and access corporate networks and personal data.

To the uninitiated, MFA is when a user is required to provide two or more verification factors. The most common form is Two-Factor Authentication (2FA): the user signs in to a site with a username and password and then receives a one-time code through a second channel, such as an SMS to a mobile phone, an email, or an authenticator app. Once that code is entered into the site, access is granted. Until now this has been reasonably effective, and users have therefore assumed it is tamper-proof as long as the attacker has no access to the device or channel that receives the code.

However, the bad actors have found ways to bypass MFA, putting network security at risk.

Man-in-the-Middle or Web Proxy Attack
The first technique bad actors employ is a man-in-the-middle (MitM) attack built on a reverse web proxy. The attacker sends the user a link, by email or SMS, that leads to a phishing website: a replica of the legitimate site, served live through the proxy, that the average user cannot recognize as illegitimate.

For example, assume a Chase bank login page employs 2FA (Example 1). The attacker knows that even with the username and password they still cannot log in. So they place a reverse web proxy between the phishing page and the actual service, i.e., the man-in-the-middle.

Once the user enters their credentials, the phishing page 'talks' to the original service, which sends the user the token or code to enter. The user, assuming they are on the official site, types the code into the phishing page, and the proxy relays it to the real service within the code's short validity window. This gives the attacker the username, password and code, and, more importantly, the session cookie the real service issues once the login succeeds; with that cookie the attacker is signed in as the user and never needs the second factor again. Because the code is relayed rather than intercepted on the phone, the attack works the same against SMS, voice and authenticator-app codes. Only factors bound to the site's origin, such as FIDO2/WebAuthn security keys, break it: the assertion the browser produces names the phishing domain, and the real service rejects it.


Example 1: A phishing site using reverse web proxy to hijack session cookies
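As an added example (not code from the original article or from any real phishing kit), the exchange described above as a self-contained Python simulation: a victim, a phishing proxy, and the real service with password plus TOTP, ending with the proxy holding a live session cookie. It goes beyond the article's example in one respect: it also runs the same relay against a simplified, origin-bound WebAuthn assertion to show why that factor survives where a relayed code does not, and it makes the point the Microsoft piece below leaves implicit, that an authenticator-app code is relayed exactly like an SMS code. The hostnames, the user and password, the base32 TOTP seed, and the HMAC standing in for the credential's signing key are all constructed assumptions.

```python
"""Simulation of the reverse-proxy MFA bypass: victim -> phishing proxy -> real service.
Hostnames, user, password, TOTP seed and signing key are all constructed for this example."""
import base64
import hashlib
import hmac
import json
import secrets
import struct
import time

REAL_ORIGIN = "https://login.bank.example"    # assumed legitimate origin
PHISH_ORIGIN = "https://login-bank.example"   # assumed look-alike phishing origin
USER, PASSWORD = "alice", "correct horse"      # constructed victim credentials
TOTP_SECRET = "JBSWY3DPEHPK3PXP"               # constructed base32 authenticator seed
CRED_KEY = b"constructed-stand-in-for-the-webauthn-credential-private-key"


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, as computed by the authenticator app and the server."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int((time.time() if at is None else at) // step)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class RealService:
    """The legitimate site: checks password and TOTP, then issues a session cookie."""

    def __init__(self):
        self.users = {USER: {"password": PASSWORD, "totp_secret": TOTP_SECRET}}
        self.sessions = {}

    def login(self, username, password, code, at=None):
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            return None
        if not hmac.compare_digest(totp(user["totp_secret"], at), code):
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = username
        return cookie

    def whoami(self, cookie):
        return self.sessions.get(cookie)


class PhishingProxy:
    """Replica login page that relays each submission to the real service at once,
    so the one-time code is used inside its validity window, and keeps a copy of
    everything that passes through, including the session cookie that comes back."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.loot = []

    def login(self, username, password, code, at=None):
        cookie = self.upstream.login(username, password, code, at)
        self.loot.append({"username": username, "password": password,
                          "code": code, "cookie": cookie})
        return cookie  # the victim is genuinely logged in and notices nothing


def run_totp_phish(at=1_700_000_000):
    """Victim types password + current app code into the phishing page.
    Returns the account the real service attaches to the cookie the proxy captured."""
    service = RealService()
    proxy = PhishingProxy(service)
    proxy.login(USER, PASSWORD, totp(TOTP_SECRET, at), at)
    return service.whoami(proxy.loot[-1]["cookie"])  # "alice": attacker holds a live session


# Why an origin-bound factor (FIDO2/WebAuthn) survives the same relay, in simplified form.
def webauthn_assertion(origin, challenge, key=CRED_KEY):
    """The browser records the origin it is really on in clientDataJSON and the
    authenticator signs over it (HMAC stands in for the credential's ECDSA key)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True)
    return client_data, hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()


def verify_assertion(client_data, signature, challenge, expected_origin=REAL_ORIGIN,
                     key=CRED_KEY):
    """Relying-party check: signature valid AND the signed origin is the service's own."""
    expected = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False
    data = json.loads(client_data)
    return data["challenge"] == challenge and data["origin"] == expected_origin


def run_webauthn(browser_origin, challenge="c2VydmVyLWNoYWxsZW5nZQ"):
    """The proxy forwards the assertion unchanged; only REAL_ORIGIN is accepted."""
    client_data, signature = webauthn_assertion(browser_origin, challenge)
    return verify_assertion(client_data, signature, challenge)
```

Running `run_totp_phish()` returns `"alice"`: the proxy never needed the victim's phone, only a live relay. `run_webauthn(PHISH_ORIGIN)` returns `False` and `run_webauthn(REAL_ORIGIN)` returns `True`, because the signed client data carries the origin the browser actually loaded and the relying party compares it with its own. The `totp` function follows RFC 6238 and reproduces the RFC 4226/6238 test vector for the ASCII key `12345678901234567890` at time 59 (`287082`), so it is the same arithmetic a real authenticator app performs.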

Even more troubling, this type of attack is…


Why It's Smart to Use Authentication Apps for Multifactor Security – ConsumerReports.org





Microsoft exhorts enterprises to quit text, voice multi-factor authentication passcodes


A Microsoft executive is urging enterprises to abandon the most popular multi-factor authentication (MFA) method — one-time passcodes sent to mobile devices via text or voice — for different approaches, including app authenticators, that he claims are more secure.

“It’s time to start your move away from the SMS and voice Multi-Factor Authentication (MFA) mechanisms,” asserted Alex Weinert, director of identity security, in a Nov. 10 post to a Microsoft blog. “These mechanisms are based on publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today.”

Weinert argued that other MFA methods are more secure, calling out Microsoft Authenticator, his company’s app-based authenticator, and Windows Hello, the umbrella label for Microsoft’s biometrics technology, including facial recognition and fingerprint verification. It’s no coincidence that Weinert touted technologies Microsoft has aggressively pushed in its campaign to convince enterprises to go passwordless.

More than a year ago, Weinert spelled out how, in his view, passwords alone are no defense against credential theft, but that by enabling MFA, “your account is more than 99.9% less likely to be compromised.” That advice hasn’t changed, but Microsoft’s stance on MFA has now narrowed. “MFA is essential — we are discussing which MFA method to use, not whether to use MFA,” he wrote last week.

Weinert ticked off a list of security flaws in SMS- and voice-based MFA, the technique that typically sends a six-digit code to a predetermined, verified phone number. Those defects, Weinert said, ranged from a lack of encryption — texts are sent in the clear — to vulnerability to social engineering.

App-based authentication, Weinert contended, is a much more secure way to meet the MFA requirement. He then touted Microsoft Authenticator, which comes in versions for Google's Android and Apple's iOS.


Why your password is still important – even if you use multi-factor authentication


Just because you have two-factor authentication doesn't mean you can afford to be sloppy with password security, explains guest contributor Bob Covello.

Graham Cluley