MFA – Without the FUD
Ditch SMS-based MFA now – it’s no better than single factor authentication!
Have you seen headlines similar to this recently? A tip: follow the money. The majority of those articles are paid advertisements for a hardware- or software-based MFA solution. Here’s a non-vendor-biased opinion from the perspective of an attacker who has contended with MFA for many years.
As a penetration tester, and more so, a red teamer, I can say with certainty that SMS based MFA solutions are one of the weaker forms of MFA. I can also say with certainty, a simple SMS based MFA solution makes it exponentially harder to gain access to an account after gaining access to the user’s password.
BLUF (Bottom Line Up Front)
SMS based MFA is still over 75% effective against even the most advanced and targeted of attacks, while remaining one of the simplest, most affordable and most user friendly solutions. Although users (and admins) should be encouraged to use a more secure solution, app developers should still maintain this as an option for their customers.
Although there are a lot of categories one could organize MFA solutions into, and MFA could include 2FA methods (ex. pin, biometrics, PKI, etc.), I typically think of the following when I talk about MFA:
- OTC (One Time Code) tokens: Typically SMS based. Some have used email based, but that is close to worthless IMO.
- Software tokens: Client side software that generates an OTC and/or prompts the user to confirm access. Most often, this is a mobile app. Examples: Google Authenticator, Duo, Authy, etc.
- Hardware tokens: Devices that must be physically inserted into the computer system and typically must be activated by pressing or touching them in a certain manner. Examples: YubiKey, Titan, RSA, etc.
Interestingly enough, based on my experience from the user and the attacker sides, the harder an MFA solution is to use, the better it seems to be at preventing an attack. As an example, the “push notification” MFA solutions are no better than SMS based at stopping my attacks. In some situations, it’s actually easier to gain access to an account that utilizes a push notification solution. The middle of the road MFA solutions, in terms of security and usability, are generally the mobile app based software solutions. Hardware tokens present the biggest challenges, again, from both a user and an attacker perspective.
In addition to my experiences, several organizations have conducted, and publicly released, detailed research showing the effectiveness of various MFA solutions. Example: https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html. The common theme throughout this type of research is that SMS based MFA fares the worst among MFA solutions, but it still prevents a significant percentage of attacks.
All tokens: There is a common attack that can affect all MFA solutions – social engineering. If the attacker can trick the user to accept the push notification, enter the one time code (OTC), or touch/activate the hardware token, MFA can be bypassed.
Hardware tokens: As mentioned, these are the hardest to use (ex. user loses token) and the hardest to bypass as an attacker. If the attacker has physical access to the user’s belongings (rare), then it is trivial for an attacker to use as they typically have no internal protections to distinguish between a legitimate or malicious user.
Software tokens: Software based tokens have many of the same weaknesses as those mentioned above. In one sense, there is actually a little more protection with a mobile app based solution compared to hardware, as a mobile phone (theoretically) will be locked and require additional work by the attacker to gain access to the token, even after gaining physical access (i.e. stealing). However, that is offset by the fact that it is also easier to remotely exploit a mobile app based solution through malicious software running on the phone that screen scrapes (for example). Great strides have been taken by both the mobile OS and MFA app developers to mitigate these types of attacks, but they do still exist.
OTC: SMS OTCs can be intercepted by the same methods as above, plus various SIM jacking/swapping and porting type attacks. Depending on the carrier, these attacks can be trivial. Even as of today, many of the prepaid carriers use well known porting PINs (ex. 0000, or last 4 of #). This is the reason there is legitimate concern with SMS based MFA. However, ask yourself the question, how many times has your phone been SIM jacked?
Side Note – Misconfigured MFA
Anyone that knows me knows that I cannot talk about MFA without mentioning this.
Using MFA is a must; it is non-negotiable. PEN Consultants generates a finding and recommendation on network and web app pentests wherever non-MFA authentication is found. MFA is not a new thing. If your software is less than a decade old, it likely supports MFA, so there is no excuse.
Whatever MFA solution you go with, it is important to configure it properly. I see MFA misconfigured more often than not on pentests. The most common misconfiguration is that the username and password are checked before the MFA token. This leads to two common attacks:
- Brute force, or at minimum, drip and password spray attacks. Your solution must receive the username, password, and MFA token before giving a pass/fail, and must not make any distinction as to which one failed. Once I’ve compromised the username+password, I am just one step away from an Account Take Over (ATO) on YOUR app, and possibly already have enough information to gain access to the user’s other accounts (i.e. password reuse).
- DoS. Assuming you have a lockout policy enabled (you should), if you do not verify the MFA token BEFORE checking the password, an attacker can easily DoS all of your users without ever needing to bypass MFA. Before is key – not after, not in parallel, BEFORE.
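To make the ordering concrete, here is an added example (not code from the original post or from any product) contrasting the misconfigured login flow with the corrected one. It assumes a hypothetical in-memory user store with a salted PBKDF2 password hash and a stored one-time code (such as one sent by SMS); a real implementation would use a database and a proper OTC delivery mechanism.

```python
import hashlib
import hmac
import os

LOCKOUT_THRESHOLD = 5
FAIL = "login failed"  # single, non-distinguishing failure message for the hardened flow


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_users() -> dict:
    """Constructed in-memory user store (hypothetical stand-in for a database).
    'otc' is the one-time code most recently sent to the user for this login."""
    salt = os.urandom(16)
    return {"alice": {"salt": salt, "pw": _pw_hash("correct horse", salt),
                      "otc": "482913", "failures": 0, "locked": False}}


def _password_ok(user: dict, password: str) -> bool:
    return hmac.compare_digest(_pw_hash(password, user["salt"]), user["pw"])


def _otc_ok(user: dict, otc) -> bool:
    return user["otc"] is not None and hmac.compare_digest(str(otc), user["otc"])


def _count_failure(user: dict) -> None:
    user["failures"] += 1
    if user["failures"] >= LOCKOUT_THRESHOLD:
        user["locked"] = True


def login_weak(users: dict, username: str, password: str, otc=None) -> str:
    """The misconfiguration described above: password verified (and lockout counted)
    before the MFA token, with a distinct error message for each step."""
    user = users.get(username)
    if user is None:
        return "unknown user"
    if user["locked"]:
        return "account locked"
    if not _password_ok(user, password):
        _count_failure(user)        # wrong passwords alone drive lockout -> DoS
        return "bad password"
    if otc is None:
        return "mfa required"       # confirms the password is right -> spray oracle
    return "ok" if _otc_ok(user, otc) else "bad mfa token"


def login_hardened(users: dict, username: str, password: str, otc: str) -> str:
    """All three inputs are required up front; the OTC is verified BEFORE the
    password, so the lockout counter is only touched by someone already holding a
    valid token, and every failure returns the same message."""
    user = users.get(username)
    if user is None or not _otc_ok(user, otc):
        return FAIL                 # counter untouched: MFA failed first
    user["otc"] = None              # one-time: consumed whatever happens next
    if user["locked"] or not _password_ok(user, password):
        if not user["locked"]:
            _count_failure(user)
        return FAIL
    return "ok"
```

In the unknown-user branch a production implementation should also run a dummy hash comparison so that response time does not reveal whether the username exists.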
If you are interested to know how your network services and web apps would perform against these types of attacks, but do not have the expertise or resources to do so, contact PEN Consultants today!
Featured image is a derivative work from the following images: Geralt @ https://pixabay.com/photos/smartphone-finger-fingerprint-4562985/