2FA is over. Long live 3FA!

TedCruz

Level 5
Thread author
Aug 19, 2022
176
In the past few months, we’ve seen an unprecedented number of identity theft attacks targeting accounts protected by two-factor authentication (2FA), challenging the perception that existing 2FA solutions provide adequate protection against identity theft attacks. The recent Uber breach is just one example, but we see many campaigns circumventing 2FA on various platforms.

OPIS


For over a decade now, implementing 2FA/MFA has been considered the best-practice solution organizations must implement against account hijacking attacks, whether those were based on phishing, brute force, password theft, or any other fraudulent way of obtaining login credentials. And while industry experts warned of potential abuse of those mechanisms for years, little notice was taken. Most knew that attacks against 2FA were possible, but thought they were too complicated to execute and didn’t really happen in the real world.

In time, though, instances of successful attacks became more common. What changed to make that happen? In one word: motivation.

When 2FA was implemented by only a small number of organizations, attackers did not see a pressing need to develop techniques and skills to circumvent it. They were simply focused on the rest of the world—those that had not yet properly implemented 2FA. But in the last couple of years, we’ve seen a huge increase in adoption of 2FA, driving the motivation for attackers to build the technology to bypass 2FA. Furthermore, the increased move to cloud and SaaS applications, combined with single sign-on, has turned identity into the new perimeter, making the potential gain of account hijacking even higher than before.

It is important to note that while the industry frequently uses MFA and 2FA interchangeably, MFA is a general concept of multifactor authentication, that is, using more than one factor to authenticate a user. What most organizations have in place is 2FA — the minimal viable implementation of MFA, utilizing the existing username/password mechanism with an added second factor, such as an OTP (one time password), authentication app push approval, or SMS-based tokens (similar to OTPs).

The problem with this type of second factor is that it is not necessarily stronger than a password; it is only timelier. Passwords are a secret that provide decent protection against identity theft – if they remain secret. Attacks like phishing, brute force, or SQL injection on databases with passwords are all designed to do one thing: discover the password so that it can be used by the attacker. One-time passwords are similar: If the attacker knows the one-time password, they can use it to authenticate. The protection provided by it is therefore related to the time window during which it can be used: A normal password lives for weeks and months, but a one-time password is valid for seconds or minutes.

Similarly, an app push approval uses strong protocols to validate a one-time token, but an attacker using that validation in the right time window will still be able to take over the account. For some years, this seemed like a reasonable approach. Attackers would harvest passwords for a period of time, store them offline, and then use them at a later stage, making any potential token they had stolen obsolete.

But with time being the only limiting factor, as motivation grew, attackers developed the technology and the practices to carry out those attacks in near real-time, allowing them to hijack accounts much the way they did before 2FA was implemented.

The two most common techniques today for 2FA circumvention are Adversary in the Middle (AiTM) and MFA fatigue.

  • AiTM is a technique used by attackers for doing phishing attacks via a proxy. Rather than harvesting passwords and trying to use them later, the attackers proxy the attempted login of the user, including the second authentication factor (whether it is an OTP or MFA push), and create a new session for the attacker, in real time, that is then used for future access. With MFA sessions being valid for 14-30 days in most cases, this allows the attacker a substantial amount of time to use the hijacked account. We have seen this in multiple campaigns, including setting up a new MFA authenticator app to maintain persistency beyond the MFA session validity duration. It is important to note that while this may seem more complicated, there are now at least three popular phishing kits (and a custom one) that automate this process for the attackers.
  • MFA fatigue is a technique that can be used against MFA challenges via push notifications in your MFA authentication app. In this scenario, the attacker can first obtain the username/password using a traditional approach (phishing, theft of password database, and so on), before launching the MFA attack itself. The attacker then starts attempting to log in with the stolen credentials. Every time the attacker does so, the user gets a push notification on their app asking them to verify the authentication. For many users, this is seen as a glitch in the system, and they either approve it right away, or approve it at some point as they get tired of the notifications and pressing No every time.
What this means for our industry is that the efficacy of existing 2FA solutions is being nullified. It is safe to assume that almost all phishing attacks will soon be powered by these new frameworks for circumventing 2FA, and we will be back to where we were a few years ago, with only a username and password inefficiently trying to stand between attackers and our data and systems.

The solution is to embrace MFA more broadly, moving to three-factor authentication (3FA) by adding an additional factor, but this time one that cannot be used by the attacker to authenticate from a foreign device. This can be done by tying the user authentication to a specific device or hardware token.

Hardware tokens that support FIDO2 protocols guarantee a signature on the authentication of the device that is bound to the specific host used and the specific server being accessed, making its reuse by attackers impossible. But organizations do not have to go and purchase a dedicated hardware device for it. Similar implementation of FIDO2 (or a similar approach) can be done on the user’s devices directly, effectively binding the authentication to specific devices, making it impossible for an attacker to create a new session from a new device.

This capability is offered by the two largest identity providers, Microsoft 365 and Okta.

With Microsoft 365, Conditional Access (which is the main way to manage 2FA/MFA) can be configured to allow connections from devices enrolled in InTune (Microsoft’s MDM) only. If properly configured, this makes AiTM or MFA fatigue attacks redundant. Microsoft also offers integration with Microsoft Hello for secure FIDO2 connections (from Windows machines at this point).

Okta also offers similar capabilities through integration with 3rd party MDM solutions (as well as with hardware tokens).

There is, however, one caveat. Very few organizations have implemented these solutions to date, so they are still somewhat immature. We’ve been seeing organizations trying to implement those solutions, and they are encountering substantial overhead, user frustration, and lots of edge cases with no solution to date. Hopefully, as the industry increases the adoption of these 3FA solutions, the vendors will allocate the resources needed to perfect them, making them the default way to go and challenging attackers to come up with new techniques.

It is now clear that implementing third-factor hardware/device-based verification is the only way for organizations to protect themselves from phishing and other account takeover attacks, and therefore… 2FA is over. Long live 3FA!
 
F

ForgottenSeer 95367

"Every time the attacker does so, the user gets a push notification on their app asking them to verify the authentication. For many users, this is seen as a glitch in the system"

Security failures are always a people problem.
 

TedCruz

Level 5
Thread author
Aug 19, 2022
176
"Every time the attacker does so, the user gets a push notification on their app asking them to verify the authentication. For many users, this is seen as a glitch in the system"

Security failures are always a people problem.
Would you like to authorize an Independent Nuclear Missile Lunch?

NO

Would you like to authorize an Independent Nuclear Missile Lunch?

NO!

Would you like to authorize an Independent Nuclear Missile Lunch?

NOO!!!

Would you like to authorize an Independent Nuclear Missile Lunch?

FINE JUST LEAVE ME ALONE!
 

Scirious

Level 2
Feb 22, 2022
91
Would you like to authorize an Independent Nuclear Missile Lunch?

NO

Would you like to authorize an Independent Nuclear Missile Lunch?

NO!

Would you like to authorize an Independent Nuclear Missile Lunch?

NOO!!!

Would you like to authorize an Independent Nuclear Missile Lunch?

FINE JUST LEAVE ME ALONE!
In such cases changing the password solves the problem without needing to authorize.
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,452
Passwords were never a problem to begin with, but people who used weak ones and webpages, that stored them in txt and on unsecured servers, so they leaked easily.
The best part is that people have recently problems to login using Windows Hello, MS suggestion was to use a password. Good luck to those with passwordless accounts.
 
F

ForgottenSeer 95367

Would you like to authorize an Independent Nuclear Missile Lunch?

NO

Would you like to authorize an Independent Nuclear Missile Lunch?

NO!

Would you like to authorize an Independent Nuclear Missile Lunch?

NOO!!!

Would you like to authorize an Independent Nuclear Missile Lunch?

FINE JUST LEAVE ME ALONE!
Funny, yet so true.
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
People will get fatigue after many times of authentication uses and will simply type YES to everything they see on the screen. Imagine you need to authenticate 10 times before allowing access. So there goes the MFA

As for hardware authentication the weakness lies in the hardware company itself. I think there was a case long time back where such a company was hacked. So hack the company itself to steal the users data instead of hacking your authentication.
 

mkoundo

Level 8
Verified
Well-known
Jul 21, 2017
358
Surprised the article didn't mention yubikeys:


Is it possible to make your tpm chip a general purpose hardware authenticator?
 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
Surprised the article didn't mention yubikeys:


Is it possible to make your tpm chip a general purpose hardware authenticator?
I just tried using my yubi key with my win10vm, and I can't make the vm detect it... :mad: but when I used it on host, yubi worked great. must be another one of those vmware deep tweaks... :rolleyes: typical usb I get a popup | host / guest?? but don't get that choice with yubi & doubt I can dedicate a usb port to vm. probably drifting OT... ...
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top