One of the greatest disappointments in our present authentication control environment is that, despite the initial promise of Multifactor Authentication (MFA), it is frequently defeated by attackers today. Out-of-band validation was developed to improve the reliability of identity verification, yet security practitioners now describe the most widely deployed forms of MFA, one-time codes delivered over SMS or email and simple push approvals, as badly broken, and they are still heavily relied upon.
Today it is arguably one of the most exploited points in the threat landscape. You will always hear the "human is the weakest link" cliché, and this may be the strongest proof point for it. The effort needed to overcome current industry-standard controls for resetting passwords or validating account access from a new device (two simple use cases among many) has become such a low hurdle, and is so easily exploited, that even teenagers are bypassing it. So how exactly did we arrive here?
First, we migrated to SMS as the primary out-of-band MFA mechanism as we collectively embraced the "mobile first" strategy a decade ago. Device-centric MFA continues to have merit, since possession of an enrolled device can be a reliable factor. However, a one-time passcode (OTP) sent over SMS travels over an unprotected channel that is so exploitable in practice that NIST warned about this method back in 2016 and suggested "deprecation" of the practice.
Nevertheless, it is now probably the most used MFA channel, given the ubiquity of mobile devices and the ease of adoption, but it was weak from the moment of deployment. Mobile network operators never consented to their channel being used in this capacity, and their infrastructure was not built to support it: SMS is neither encrypted end to end nor authenticated to the recipient, and a SIM swap or number-porting attack delivers the code straight to the attacker. Further, bad actors can and do spoof sender numbers and masquerade as any entity, creating an air of legitimacy. The result is that abuse of SMS for MFA has become so common that the message frequently has to include language telling the recipient not to share the code with anyone who asks for it (and yet they still do!).
This is one of the most concerning fraud exploitations today: consumers are socially engineered into revealing MFA codes to bad actors via phishing methods that have persisted for years. Modern phishing kits proxy the real login page and relay the code to the genuine site within its validity window, so the attacker never has to "break" the OTP at all. It can be hard for consumers to distinguish a social engineering event in which an MFA code is requested from a legitimate one, and victims frequently take the bait. As a result, we have collectively found ourselves in a position that is unreliable, unsustainable and unenviable. The evidence is that breaches at major corporations and exploitation of consumers occur at an alarming frequency with this path of entry as a common vulnerability.
However, phishing does not end at the SMS channel. Email used as an MFA channel is also heavily problematic: it relies on the controls of the email service provider and is exposed to the end user's poor security hygiene. A code sent to email is frequently as exploitable as SMS, and sometimes more so, because many email providers do not mandate MFA on the mailbox itself, so whoever controls the mailbox controls the second factor. Recently, even brute-force "MFA fatigue" or push-bombing, repeatedly triggering push approval prompts until the annoyed user approves one, has been effective and has caused large cybersecurity incidents at major service providers.
With so much riding on these controls, where critical access points are guarded by rusted and dilapidated gates, an environment exists for the creation of tools to exploit these gaps. Malware downloaded by end users and masquerading as utilities or games has long had the capability to intercept SMS codes and forward them elsewhere, and phishing and social engineering of these codes is so common that we need a rethink of OTP delivery for authentication, and fast!
There is an emerging effort to move beyond MFA controls that can be compromised through the end user, and to arrive at a more reliable technology that delivers the protection MFA was always intended to provide.
So where is the solution? How do we get to an environment that is resistant to malware, phishing and social engineering? The FCC's recently proposed regulations requiring mobile carriers to reduce spam and spoofed text messages at the network level are a move in the right direction, but they are in their very early days and do not address the actual problem, which is that any code a user can read can be relayed to an attacker. Some standards bodies have also been at work on this. The FIDO Alliance (Fast IDentity Online) has been pioneering standards that take the user out of the loop: in FIDO2/WebAuthn the credential is a key pair held by the authenticator, the browser binds each signed assertion to the origin of the site that requested it, and nothing is displayed for the user to read out or retype, so a look-alike phishing site cannot obtain a usable response. This is likely the fastest path to the best results, with platform authenticators, biometrics and hardware security keys handling user verification locally. But widespread adoption will take a while to reach critical mass among most stakeholders across the totality of our infrastructure.
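To make the origin-binding point concrete, here is an added example (not code from the article, the FIDO Alliance, or any WebAuthn library) that simulates the relying-party checks on a WebAuthn assertion and contrasts them with an OTP check. The relying-party ID bank.example, the origins, and the phishing host bank-example.com are assumed for illustration. One deliberate simplification, flagged in the code: the authenticator's asymmetric signature is replaced with an HMAC over a per-credential secret so that the example runs on the Python standard library alone; the origin and rpId checks, which are what defeat the relay, are modelled as the specification describes them.

```python
"""Added example: why a relayed WebAuthn assertion fails where a relayed OTP succeeds.

In WebAuthn the browser, not the user, builds clientDataJSON (type, challenge, the
page's origin) and the authenticator signs authenticatorData || SHA-256(clientDataJSON),
where authenticatorData begins with SHA-256(rpId). The relying party (RP) checks the
origin and the rpIdHash before it even looks at the signature.

Simplification (assumption): the authenticator's private-key signature is replaced
by an HMAC with a per-credential secret so this runs with the standard library only.
"""
import hashlib
import hmac
import json
import os
import secrets

RP_ID = "bank.example"                      # assumed relying-party ID
RP_ORIGIN = "https://bank.example"          # assumed legitimate origin
PHISH_ORIGIN = "https://bank-example.com"   # assumed look-alike phishing origin


class Authenticator:
    """Toy authenticator: credentials are scoped to the rpId they were created for."""

    def __init__(self):
        self.credentials = {}   # rp_id -> secret (stand-in for a private key)
        self.counter = 0

    def make_credential(self, rp_id):
        self.credentials[rp_id] = os.urandom(32)
        return self.credentials[rp_id]   # a real RP would receive the public key instead

    def get_assertion(self, rp_id, client_data_json):
        secret = self.credentials.get(rp_id)
        if secret is None:
            raise LookupError("no credential for rpId " + rp_id)
        self.counter += 1
        # rpIdHash (32 bytes) || flags (UP set) || signature counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + self.counter.to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(secret, signed, hashlib.sha256).digest()


def browser_get(authn, page_origin, rp_id, challenge):
    """navigator.credentials.get(): the browser writes the origin; page script cannot."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("rpId not valid for origin " + page_origin)
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin}).encode()
    auth_data, sig = authn.get_assertion(rp_id, client_data)
    return client_data, auth_data, sig


def rp_verify(key, challenge, client_data, auth_data, sig):
    """Relying-party side checks, in the order the WebAuthn spec lists them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:                      # origin binding
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():   # rpIdHash
        return False
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def legitimate_login():
    authn = Authenticator()
    key = authn.make_credential(RP_ID)
    challenge = secrets.token_urlsafe(32)
    return rp_verify(key, challenge, *browser_get(authn, RP_ORIGIN, RP_ID, challenge))


def phishing_relay():
    """Attacker proxies the bank's real challenge to a victim sitting on PHISH_ORIGIN."""
    authn = Authenticator()
    key = authn.make_credential(RP_ID)
    challenge = secrets.token_urlsafe(32)
    outcomes = {}
    try:    # 1. the phishing page asks for the bank's rpId: the browser refuses
        browser_get(authn, PHISH_ORIGIN, RP_ID, challenge)
        outcomes["bank_rpid"] = "assertion produced"
    except PermissionError:
        outcomes["bank_rpid"] = "browser refused"
    try:    # 2. the phishing page uses its own rpId: no credential exists for it
        browser_get(authn, PHISH_ORIGIN, "bank-example.com", challenge)
        outcomes["own_rpid"] = "assertion produced"
    except LookupError:
        outcomes["own_rpid"] = "no credential"
    # 3. even an assertion over client data naming the phishing origin (what a
    #    compromised client would have to produce) fails the RP's origin check
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": PHISH_ORIGIN}).encode()
    auth_data, sig = authn.get_assertion(RP_ID, client_data)
    outcomes["relayed"] = rp_verify(key, challenge, client_data, auth_data, sig)
    return outcomes


def otp_relay():
    """Contrast: an SMS/email OTP carries no origin, so the relayed code verifies fine."""
    code = f"{secrets.randbelow(10**6):06d}"          # what the bank texted the victim
    typed_on_phishing_page = code                     # victim reads it off the phone
    submitted_by_attacker = typed_on_phishing_page    # attacker forwards it within the window
    return hmac.compare_digest(submitted_by_attacker, code)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("phishing relay:", phishing_relay())
    print("OTP relay accepted:", otp_relay())
```

A production relying party additionally verifies an ES256/RS256/EdDSA signature with the stored public key, checks the user-presence and user-verification flags, and rejects a signature counter that does not increase; those are omitted here. Note that in a real browser case 1 alone stops the relay: the browser's rpId check runs before the authenticator is ever asked, which is why the user has nothing to hand over.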
Today, the best transitional solutions to maintain our control environment and keep us on the path to passwordless authentication may be in-app MFA, where for example your online banking application delivers or confirms the MFA challenge rather than sending a code through SMS or email when you interact with a contact center or fraud department. This is not a perfect solution: a user who can be talked into approving a prompt carries much the same social engineering risk, and the control is only as strong as the process that enrolled the device. It still leaves us needing a stronger back-end control framework.
Fraud prevention solutions that can identify, alert on or decline a transaction carrying risk, such as an unusual login, payment or non-monetary event (a phone number or address change, say), can be an effective layer to reduce the potential for unauthorized access. Behavior is a highly predictive signal of identity, adding what you do to the classic factors we derive authentication from: what you know, what you have and who you are. We can add this as a frictionless and transparent element that creates confidence and safety in our authentication frameworks.
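The following added example (not from the article or any fraud product) shows what such a back-end risk layer looks like in code: it scores a login or transaction from contextual and behavioural signals (unknown device, new country, impossible travel between consecutive logins, unusual hour, and a sensitive action on an already-anomalous session) and returns allow, step-up, or decline. The user profile, the three events, the weights and the thresholds are all constructed for illustration.

```python
"""Added example: a minimal risk-scoring layer for login and transaction events.
Profile data, event data, weights and thresholds are illustrative assumptions."""
import math
from datetime import datetime

# Constructed profile (assumption): what the back end has learned about one customer.
PROFILE = {
    "devices": {"fp-laptop-01", "fp-phone-01"},          # known device fingerprints
    "countries": {"US"},
    "usual_hours": range(7, 23),                          # local hours she normally logs in
    "last_seen": {"ts": datetime(2024, 5, 1, 9, 0), "lat": 40.71, "lon": -74.01},  # New York
}

HIGH_RISK_ACTIONS = {"change_phone", "add_payee", "reset_password"}
MAX_PLAUSIBLE_KMH = 900.0          # faster than this between two logins is "impossible travel"
STEP_UP_AT, DECLINE_AT = 30, 70    # assumed score thresholds

# Constructed events (assumption): a normal login, a new device, and a classic takeover.
EVENTS = [
    {"device": "fp-laptop-01", "country": "US", "lat": 40.71, "lon": -74.01,
     "ts": datetime(2024, 5, 1, 10, 0), "action": "view_balance"},
    {"device": "fp-phone-02", "country": "US", "lat": 40.71, "lon": -74.01,
     "ts": datetime(2024, 5, 1, 12, 0), "action": "view_balance"},
    {"device": "fp-unknown-77", "country": "NG", "lat": 6.52, "lon": 3.38,   # Lagos, 2 h later
     "ts": datetime(2024, 5, 1, 11, 0), "action": "change_phone"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def evaluate(profile, event):
    """Score one event against the profile; return score, reasons and decision."""
    score, reasons = 0, []
    if event["device"] not in profile["devices"]:
        score += 30
        reasons.append("new device")
    if event["country"] not in profile["countries"]:
        score += 25
        reasons.append("new country")
    if event["ts"].hour not in profile["usual_hours"]:
        score += 10
        reasons.append("unusual hour")
    last = profile["last_seen"]
    hours = (event["ts"] - last["ts"]).total_seconds() / 3600
    if hours > 0:
        speed = haversine_km(last["lat"], last["lon"], event["lat"], event["lon"]) / hours
        if speed > MAX_PLAUSIBLE_KMH:
            score += 40
            reasons.append(f"impossible travel ({speed:.0f} km/h)")
    # A sensitive change on an already-suspicious session raises the bar further:
    # changing the phone number is exactly what an OTP-phishing attacker does first.
    if event.get("action") in HIGH_RISK_ACTIONS and score > 0:
        score += 15
        reasons.append("high-risk action on anomalous session")
    decision = "decline" if score >= DECLINE_AT else "step_up" if score >= STEP_UP_AT else "allow"
    return {"score": score, "decision": decision, "reasons": reasons}


def evaluate_all():
    return [evaluate(PROFILE, e) for e in EVENTS]


if __name__ == "__main__":
    for ev, result in zip(EVENTS, evaluate_all()):
        print(ev["device"], ev["country"], ev["action"], "->", result)
```

The point of the layer is that none of these signals require the user to do anything, and the decline in the third case fires even if the attacker has already phished a valid OTP. In a real deployment the profile is updated from accepted events, the step-up should itself be phishing-resistant rather than another SMS code, and the weights are tuned against labelled fraud data rather than fixed by hand.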
Leveraging behavioral biometrics to identify high-risk sessions and to build the back-end controls that raise visibility of anomalous transactions can effectively reduce risk as we forge our way to a more sustainable authentication framework. What we have learned as an industry is that humans will always be targeted and will frequently be overcome, but that does not mean we cannot leverage the things that make them human to prevent them from becoming victims.