Will FIDO Replace OTP Multi-Factor Authentication?

by ITECHNEWS
May 6, 2022
in Leading Stories, Opinion

Multi-factor authentication (MFA) is becoming a mandatory security requirement for businesses across all sectors. The most recent example is PCI DSS 4.0, which now requires MFA for everyone accessing cardholder data. This development was preceded by the Salesforce MFA mandate and the White House Executive Order, which names MFA as a cornerstone of cybersecurity. The question now is not whether to deploy MFA but what kind of MFA is sufficient for a particular application. Should businesses choose Fast IDentity Online (FIDO) over one-time passcodes (OTP) as their authentication method?

SMS-Based OTP

One MFA method is text-message (SMS) based OTP. The National Institute of Standards and Technology (NIST) and the EU Cybersecurity Agency (ENISA) have both noted that SMS is the least secure of all authentication methods. NIST takes a guarded approach, classifying SMS-based authentication as "restricted", meaning it is less secure in today's threat environment. ENISA takes a firmer stance, advising organizations to avoid SMS altogether and recommending FIDO2 as the preferred MFA mechanism.


Why Is SMS a Problem for MFA?

Research has shown that compromising MFA by redirecting or intercepting SMS messages en masse costs an attacker comparatively little time and effort. This weakness in the SMS signaling protocol was responsible for at least one bank breach in 2017. Five years on, some organizations are still using SMS-based authentication. While a password coupled with an SMS-based code offers much stronger protection than a password alone, it lacks the additional strength inherent in the device-bound authentication mechanisms offered by other systems, such as FIDO or smart cards.

Phone-As-A-Token OTP

Instead of relying on insecure SMS-based authentication, many providers leverage smartphones as a token for software authenticators. Phone-as-a-token for PUSH authentication is currently the preferred method because it offers a low total cost of ownership (TCO) and higher accessibility due to the pervasiveness of smartphones. However, even PUSH authentication or OTP authenticator apps have drawbacks.

First, there are professional environments where mobile phones are not allowed, such as factory floors and various legal and government offices. Second, there is the connectivity issue – these applications cannot deliver the OTP without having access to the internet. Finally, attackers are eager to exploit the possibilities of breaking this authentication method. Roger Grimes of KnowBe4 demonstrated that OTP is not phishing-resistant and that attackers can intercept OTP authentication through man-in-the-middle attacks and social engineering methods, primarily phishing. There is also the danger of smartphones being infected with malware or jailbroken, compromising the integrity of authenticator apps installed on the phone.

Attacks Against MFA

Cybercriminals have become more adept at undermining MFA through social engineering. For example, the Lapsus$ criminal group executed MFA prompt bombing. Through this technique, Lapsus$ issued multiple MFA requests to the end user's legitimate device until the user simply accepted the authentication, allowing the group to eventually access the account. In this instance, the method of compromise relied on wearing the user down until they approved the authentication request, in essence handing the attacker access to their account.
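The prompt-bombing pattern just described leaves a distinctive trace in identity-provider logs: a burst of push prompts to one user in a short window, mostly denied or timed out, followed by an approval. The following detector is an added example, not code from the article or from any vendor; the log line format, the sample lines, and the thresholds are constructed for illustration.

```python
"""Added example: flag MFA push-prompt bombing from IdP-style logs.
The log format, the sample lines and the thresholds are constructed
assumptions for this example, not any vendor's real schema."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)   # look-back window per user
BURST_THRESHOLD = 5              # push prompts within WINDOW that count as a burst

# Constructed sample: alice is pushed six prompts in seven minutes and finally
# approves; bob gets one prompt and approves it, which is normal behaviour.
SAMPLE_LOG = """\
2022-05-06T02:14:01Z user=alice event=push_sent src=203.0.113.7
2022-05-06T02:14:20Z user=alice event=push_result result=denied
2022-05-06T02:15:02Z user=alice event=push_sent src=203.0.113.7
2022-05-06T02:15:31Z user=alice event=push_result result=denied
2022-05-06T02:16:05Z user=bob event=push_sent src=198.51.100.4
2022-05-06T02:16:12Z user=bob event=push_result result=approved
2022-05-06T02:16:40Z user=alice event=push_sent src=203.0.113.7
2022-05-06T02:17:15Z user=alice event=push_result result=denied
2022-05-06T02:18:03Z user=alice event=push_sent src=203.0.113.7
2022-05-06T02:18:44Z user=alice event=push_result result=timeout
2022-05-06T02:19:30Z user=alice event=push_sent src=203.0.113.7
2022-05-06T02:20:10Z user=alice event=push_result result=denied
2022-05-06T02:20:55Z user=alice event=push_sent src=203.0.113.7
2022-05-06T02:21:08Z user=alice event=push_result result=approved
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)(?: result=(?P<result>\S+))?"
)

def parse(line: str):
    """Return (timestamp, user, event, result) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["user"], m["event"], m["result"]

def detect_prompt_bombing(lines):
    """Yield alerts as (timestamp, user, kind, prompts_in_window).

    'push_burst' fires when a user has received BURST_THRESHOLD prompts within
    WINDOW; 'approved_after_burst' fires if that user then approves a prompt
    while the burst is still live, which is the moment an analyst must act on."""
    prompts = defaultdict(deque)   # user -> timestamps of prompts still inside WINDOW
    burst_open = set()             # users currently in a burst
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, user, event, result = rec
        q = prompts[user]
        while q and ts - q[0] > WINDOW:      # slide the window forward
            q.popleft()
        if not q:
            burst_open.discard(user)         # burst has aged out
        if event == "push_sent":
            q.append(ts)
            if len(q) >= BURST_THRESHOLD and user not in burst_open:
                burst_open.add(user)
                alerts.append((ts, user, "push_burst", len(q)))
        elif event == "push_result" and result == "approved" and user in burst_open:
            alerts.append((ts, user, "approved_after_burst", len(q)))
            burst_open.discard(user)
    return alerts

if __name__ == "__main__":
    for ts, user, kind, n in detect_prompt_bombing(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {user} {kind} prompts_in_window={n}")
```

Run against the sample, the detector raises one `push_burst` alert for alice at the fifth prompt and one `approved_after_burst` alert when she finally accepts; bob's single approved prompt produces nothing. In production the same logic would sit on streamed IdP events, and an `approved_after_burst` alert is a reasonable trigger for revoking the session and forcing re-enrolment with a phishing-resistant factor.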

Towards a Phishing Resistant MFA

Given the vulnerability of PUSH OTP and OTP to phishing and social engineering, both the US Government and ENISA have published guidelines asking organizations to adopt phishing-resistant MFA methods.

In their recent strategy toward zero trust cybersecurity, the US Office of Management and Budget (OMB) notes that phishing-resistant MFA is required for agency staff, contractors and partners. The guidance continues by explaining that phishing-resistant MFA protects those personnel from sophisticated online attacks.

FIDO Is Getting Traction

In line with the ENISA recommendation of FIDO2, the OMB also suggests that organizations consider selecting FIDO2 as the preferred phishing-resistant MFA method:

  • To implement the requirements of the zero trust strategy, OMB says that agencies are required to either deploy the federal government’s personal identity verification (PIV) credentials or support the open web authentication standard, which was the earlier iteration of what is now FIDO2.
  • Although FIDO authentication is becoming more prevalent and is more secure than OTP authentication, organizations may not necessarily need to take a ‘rip and replace’ approach to already deployed OTP authentication solutions. Some applications and users, especially those covered by specific regulations, will indeed require phishing-resistant MFA in the form of FIDO or certificate-based PKI authentication.
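What makes FIDO2 phishing-resistant, as opposed to the OTP and push methods discussed earlier, is that the relying party verifies the origin the browser was actually connected to, and that value is written by the browser rather than the user. The script below is an added example, not code from the article or from Thales: it implements the RFC 6238 TOTP check beside a simplified WebAuthn assertion check so the difference is visible in the verifier. The relying-party identifiers, credential key and challenge are constructed, and HMAC-SHA256 stands in for the authenticator's asymmetric signature so the script needs no third-party library; the checks the verifier performs (type, challenge, origin, rpIdHash, signature) follow the WebAuthn assertion procedure.

```python
"""Added example (not from the article or from Thales): why a TOTP code can be
relayed through a look-alike site while a FIDO2/WebAuthn assertion cannot.
Assumptions: RP_ID, RP_ORIGIN, the credential key and the challenge are
constructed, and HMAC-SHA256 stands in for the authenticator's ECDSA signature."""
import hashlib
import hmac
import json
import struct

# ---- TOTP (RFC 6238 on top of RFC 4226 HOTP): 6 digits, 30-second step ----
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    """Accepts the current code or its immediate neighbours (clock skew).
    Nothing in this check says where the user typed the code: a code relayed
    through a look-alike page within the window is indistinguishable."""
    return any(hmac.compare_digest(totp(secret, unix_time + d), code) for d in (-30, 0, 30))

# ---- FIDO2 / WebAuthn assertion, simplified ----
RP_ID = "bank.example"              # constructed relying-party id
RP_ORIGIN = "https://bank.example"  # the only origin this RP accepts

def make_assertion(cred_key: bytes, challenge: str, browser_origin: str) -> dict:
    """What the authenticator signs during navigator.credentials.get().
    The browser writes the origin it is actually connected to into
    clientDataJSON; the user cannot override it. The authenticator puts the
    SHA-256 of the rpId it was registered for at the front of authenticatorData."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01"  # rpIdHash || flags (UP)
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, to_sign, hashlib.sha256).digest()   # stand-in for ECDSA
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def verify_assertion(cred_key: bytes, assertion: dict, expected_challenge: str) -> bool:
    """Relying-party side of WebAuthn assertion verification:
    type, challenge, origin, rpIdHash, then the signature over the same bytes."""
    try:
        cd = json.loads(assertion["clientDataJSON"])
    except (ValueError, KeyError):
        return False
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(str(cd.get("challenge", "")), expected_challenge):
        return False
    if cd.get("origin") != RP_ORIGIN:      # this comparison is the phishing resistance
        return False
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

def compare_at_lookalike(lookalike_origin: str = "https://bank-login.example") -> dict:
    """Run both schemes with the user interacting through a look-alike origin."""
    totp_secret = b"12345678901234567890"   # RFC 6238 test-vector secret
    now = 59                                # RFC 6238 test-vector time
    code = totp(totp_secret, now)           # the code the user would type anywhere
    cred_key = b"constructed-credential-key"
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"   # constructed; real RPs use fresh random bytes
    genuine = make_assertion(cred_key, challenge, RP_ORIGIN)
    via_lookalike = make_assertion(cred_key, challenge, lookalike_origin)
    return {
        "totp_accepted_when_relayed": verify_totp(totp_secret, code, now),
        "fido_accepted_from_real_origin": verify_assertion(cred_key, genuine, challenge),
        "fido_accepted_from_lookalike": verify_assertion(cred_key, via_lookalike, challenge),
    }

if __name__ == "__main__":
    print(compare_at_lookalike())
```

The TOTP verifier receives only a six-digit string and a clock, so it has no way to tell a code typed on the real site from one relayed through a look-alike; the WebAuthn verifier rejects the assertion produced at the look-alike even though the authenticator, credential and challenge are all genuine, because `clientDataJSON.origin` does not match. That origin check, plus the rpIdHash binding, is what the OMB and ENISA guidance means by "phishing-resistant".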

At the end of the day, security professionals consider MFA the most effective way of reducing credential compromise. Organizations should acknowledge the issues discussed above and focus on implementing authentication schemes that offer their employees both better security and an improved login experience.

Source: Danna Bethlehem Director Product Marketing, Access Management & Authentication, Thales