Cyber Defense eMagazine December Edition for 2021

The second kind of MFA is SMS two-factor authentication (the most common OTP delivery method
today), wherein OTP are delivered to a user’s smartphone via text. Again, due to error or malicious
activity, OTP can be delivered to the wrong mobile number or a stolen mobile phone or intercepted via
SS7 network attacks. In fact, the National Institute of Standards and Technology (NIST) stopped
recommending the use of SMS as a strong second factor back in 2016!
And finally, PUSH authentication is another mobile-centric authentication method whereby the service
provider sends the user a notification to their mobile phone. The user then has to tap the screen to get
access to the account. And while PUSH authentication can be used as part of a passwordless system if
the solution is built upon PKI or certificate-based authentication, most PUSH authentication is an MFA
mode layered on top of additional shared secrets, including (you guessed it) a password.
Unfortunately, many hackers have learned how to bypass traditional MFA, including intercepting,
phishing and spoofing SMS text messages; many also engage in SIM swapping, wherein a hacker
impersonates the target to dupe a wireless carrier employee into porting the phone number associated
with their SIM card to a new (malicious) device. Moreover, there also new tools – e.g., Modlishka – that
automate phishing attacks that bypass MFA. It couldn’t be easier for hackers nowadays.
So, the question is, how do we move away from passwords yet still ensure enterprise level
security?
Every individual today is experiencing a certain level of MFA fatigue, then add the fact that every
business, big and small, is maneuvering through the complex authentication landscape, while now
managing the IT challenges of remote work. In fact, enterprise IT helpdesk departments spend more than
30% of their time helping users with password and access issues, which prevents them from making
progress on innovative projects that ultimately move the business forward. So, despite being mandated,
MFA still carries a level of resistance.
The solution? Marrying MFA with passwordless authentication. In short, combining MFA technology with
a biometric login (think facial recognition). This concept removes any type of shared secret and eliminates
the transmission or storing of credentials, thus removing the “man in the middle” and reducing the attack
surface. By simply using a smartphone, security key, or platform authenticator, users can securely log
into a workstation and corporate domain, without ever typing in a password. Passwordless authentication
removes user frustration while ensuring the highest level of password security – by eliminating the
password altogether. Leading companies such as Aetna/CVS Health, most major banks in the United
States, airlines and insurance companies have all adopted passwordless technologies.
Moving forward, passwordless authentication will certainly be the norm, particularly since the Federal
Financial Institutions Examination Council (FFIEC) recently issued a guidance on effective authentication
and access risk management practices for the various parties that access financial institution services
and systems. Microsoft, in particular, is taking the lead in incorporating this technology and making it nonnegotiable
for entities with data to secure (or, all entities). In fact, a Digital Defense Report recently
distributed by Microsoft shows continued attacks from other nation-states that weren’t necessarily via
exploitations of software, but rather well-known techniques such as password spray and phishing. This
Cyber Defense eMagazine – December 2021 Edition 58
Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.