Identity & Access Management , Security Operations
Experts: One-Time Passwords Leave Huge Security Holes in MFA
KnowBe4, Visa Execs Call for Change at FIDO Alliance's Authenticate ConferenceMultifactor authentication needs to move away from one-time passwords sent via text message and embrace modern standards that prevent man-in-the-middle attacks, according to KnowBe4's Roger Grimes at Authenticate 2022 this week.
See Also: Cybersecurity Awareness Engagement Toolkit: Elevate Your Security Culture
Adversaries can easily impersonate text messages from the likes of Bank of America, Wells Fargo or Fidelity Investments and pretend to initiate a password recovery process on behalf of a well-known financial institution, he says. And when users receive a one-time password via text, they're likely to give the code to whoever's requesting it without verifying the legitimacy of the person making the request (see: The Evolution of Phishing From Email to SMS and Voice Hacks).
"If someone's told you to expect a code, it's really easy to phish them into providing that other service's code," Grimes says Tuesday during a keynote at the FIDO Alliance's annual three-day conference in Seattle.
A text providing a one-time password should include more than just the code itself, detailing both where and how the code is intended to be used as well as a place to report abuse if no request for a passcode was actually made. Including more information in the one-time password text prompt will reduce the likelihood of users getting tricked into entering the code on a man-in-the-middle website, he says.
More than 90% of MFA technology in use today can be easily phished, says Grimes, who urged organizations to look for authentication standards such as FIDO's that thwart man-in-the-middle attacks. Adopting non-phishable MFA is the single most effective step organizations can take to decrease the likelihood of being hacked, according to Grimes, a data-driven defense evangelist for KnowBe4 (see: US CISA Official: 'Forcefully Nudge' Users to Adopt MFA).
One way of avoiding the dangers around texting one-time passwords is through push-based MFA, where users receive a notification that isn't tied to their phone number asking whether they just attempted to log in to a particular website. But Grimes says research has found that 30% of users will respond "yes" to a push-based MFA inquiry even if they weren't attempting to log into anything.
Organizations can significantly strengthen push-based MFA by frequently reminding their employees to deny authorization requests that they themselves didn't initiate, Grimes says. User education can make push-based MFA a more secure method of authentication, but Grimes says it remains highly susceptible to hacking and phishing today.
Many MFA solutions can be hacked 10 or 11 different ways, and the attackers often take advantage of dependencies on third-party sites or components rather than going after flaws in the MFA technology itself, Grimes says.
MFA manufacturers should not only create threat models but also publicly share them with their customers, which Grimes says would be an eye-opening experience for clients who don't realize just how easily the technology can be hacked. Greater transparency around threat modeling would give clients more understanding of just how susceptible the MFA technology they're using is to being compromised. The FIDO Alliance is the only institution that publicly shares its threat model, disclosing both common types of attacks against its MFA system and how they can be prevented, Grimes says.
Vendors must take the lead on incorporating security into the development life cycle and educate their coders on this subject since most colleges and universities don't have courses on developing software securely, Grimes says. Organizations should both conduct an in-house review of their code and hire a new set of external penetration testers every couple of years to ensure the assessments don't get stale.
Manufacturers also should future-proof their MFA tools so that it's easy to change their cryptography once quantum encryption is needed, Grimes says. Both MFA and cryptography should set strict rate limits for bad guesses, locking a user's account after at most six failed attempts to enter a password.
"Make sure you educate yourself and everybody around you about the common types of attacks that occur against an MFA solution, and then how to detect them, prevent them and report them," Grimes says.
Killing the Password Is Good for Business
Government and industry have been pushing conventional MFA with a user ID, password and one-time passcode delivered via text for a decade, but that approach has come to an end.
"From a cybersecurity perspective as professionals, this is totally insufficient and inadequate," Jim Routh, CEO of Jimmer Advisory Services, told Authenticate 2022 attendees Tuesday. "Don't aim for this. This is something you want to move beyond."
Security experts should pursue an authentication framework in which a single digital identity covers all of a user's digital assets regardless of type or manufacturer, Routh says. This isn't likely to happen anytime soon, but Routh says it represents a good aspirational goal for the industry. Routh spent more than a decade leading security at organizations including MassMutual, CVS Health, Aetna and JPMorgan Chase (see: COVID-19 and the CISO: Jim Routh on Leadership).
"We have too many digital products that we have to remember passwords for. So what do we do? We use the same password across different digital assets. And that's the fundamental problem," Routh says. "We're at a point now where end users and consumers don't like the friction of passwords, but criminals like passwords. That's a dangerous place for us to be, but that's essentially where we are."
Advanced authentication offers three benefits to businesses, Routh says. The first is that eliminating password-related friction during the login experience fundamentally changes the relationship between an organization and its digital customers, resulting in higher gross profit and profit margins for the business, according to Routh.
Secondly, the elimination of passwords means the cost associated with handling account takeover for businesses goes away entirely. Finally, the end of passwords means organizations can dismantle the infrastructure associated with supporting password resets, which Routh says will reduce annual operating costs for large enterprises by well north of $1 million.
One way businesses can unlock these benefits is through password camouflaging, in which users are asked to remember the password for a single vault, Routh says. The vault then automatically generates a plethora of unique passwords to facilitate entry into all the tools and services users need to access. This process still treats authentication as an event with a series of steps and a binary outcome, he says.
From there, Routh says, businesses can pursue continuous behavioral authentication, which shifts authentication away from an event-based process and instead uses benign behavioral information about users to identify deviations. Any deviations can trigger additional steps in the authentication process in accordance with a data science model that has been used by banks for decades, according to Routh (see: Authenticate 2022: Experts Share Path to Passwordless Future).
CISOs should urge their organizations to make substantial investments around advanced authentication today since the business case for doing so is rock-solid, Routh says. But history shows most businesses improve their approach to authentication in small increments rather than one fell swoop, according to Routh.
"We want to get to the point where the economic benefit from the elimination of friction to the enterprise eliminates online account takeover," Routh says. "It's in our grasp. We have choices and options to do that today."
Dismantling Barriers to Online Payment Authentication
There's also a business cost for the friction of passwords. Excessive challenges to user identity during the online checkout process lead to 20% of e-commerce transactions being abandoned, says Visa Senior Director Doug Fisher.
Cutting the volume of identity-related challenges online should boost the e-commerce transaction completion rate from just 80% today to ideally 98%, which mirrors the authorization success rate for in-person purchases. Embracing the FIDO authentication standard should reduce the number of identity-related challenges users experience while shopping online, according to Fisher (see: Visa Describes New Skimming Attack Tactics).
"E-commerce fraud has become such a big issue," Fisher told Authenticate 2022 attendees on Tuesday. "The numbers are truly staggering. On the good news side, online authentication has been very helpful in reducing that online fraud. And we do see a lot of global momentum."
Device data, transaction data and account data all flow to the issuer during e-commerce transactions, and too often issuers have to invoke a challenge to ensure cardholders can prove they are who they say they are, Fisher says.
But Fisher says things will change if merchants can prove they've already authenticated the user through FIDO's authentication standard. In such a scenario, Fisher says, the issuer can see a challenge has already been performed, meaning they don't need to challenge the consumer a second time.
FIDO credentials are often used in a third-party context during payment transactions, meaning that the issuer - rather than the merchant - has the credentials that will be used to authenticate the cardholder, he says. Merchants don't want to redirect consumers to the issuer's website to verify credentials and would rather invoke the authentication process themselves to keep control over the user experience.
At the same time, issuers wants their cardholders to have a seamless and effective user experience, which Fisher says could be jeopardized by having to format and render their services across different websites and browsers. The conflicting needs of merchants and issuers can be resolved through secure payment confirmation, which allows merchants to retain control over the consumer checkout process.
What makes this resolution possible is Google Chrome's support of SPC, meaning the browser can be trusted to display transaction details to the consumer without the issuer having to render the interface on the consumer's device themselves, Fisher says. With SPC, the merchant can generate cryptographic evidence that consumers have seen the transaction details, which will also boost consumer confidence.
Unlike traditional one-time passwords - which often allow the consumer to choose between email or text delivery - Fisher says SPC uses a biometric factor to authenticate transactions. The results of the biometric signature are then provided to the issuer to validate that the authentication was properly performed, according to Fisher.
Going forward, he says, he would like to see SPC mature and evolve into a fully developed payment specification. He plans to work with FIDO to enhance the formatting of the data and carry out additional testing and prototyping around SPC that highlight its efficacy for online payment authentication.
"We're really excited about this," Fisher says. "I think it's a really good example of what power comes about when the industry collaborates on issues."