Why moving to phishing-resistant MFA is urgent
Not all emergencies are heralded by lights and sirens. The current emergency started with a few attacks that were able to bypass the push notifications, one-time passwords, and codes and magic links sent via SMS or email as part of legacy MFA. Attackers quickly learned from those successes and developed new phishing and social engineering tactics to obtain the information they needed to bypass MFA. Old school MFA is now being actively attacked and bypassed at scale.
How does that constitute an emergency?
MFA is currently considered the base requirement, or “standard of good practice,” for securing resources by most insurance companies. They are requiring companies and organizations to implement MFA to qualify for new or ongoing cybersecurity policies. While some security may be better than none, relying on ineffective, phishable MFA is becoming the equivalent of tying a string across a doorway and expecting the thieves to see it as a deterrent.
On the other end of the spectrum, the US government is setting a precedent for strong security by requiring phishing-resistant MFA for all government agencies and entities working with the government. Phishing-resistant MFA is no longer an option, it’s a necessity. And choosing to do it correctly now could save your organization from major financial losses, fines, and litigation in the future.
(Old school) MFA doesn’t cut it
You need to protect your resources and the MFA nearly all organizations are using today is completely inadequate. Recent attacks, including those against Uber, Twilio, and Okta (0ktapus), show that adversaries are using readily available tools and techniques to bypass legacy MFA. These attacks are happening at scale in the wild today.
In July 2022, Microsoft reported a large-scale phishing campaign that uses adversary-in-the-middle (AiTM) phishing techniques to steal passwords, hijack a user’s sign-in session, and let the attacker skip the authentication process even when the user has MFA enabled.
Other attacks against Coinbase, SolarWinds, and Google show the vulnerabilities of existing MFA. And these types of attacks aren’t limited to skilled attackers. The process employed in the phishing campaign reported by Microsoft can be automated with the help of several open-source phishing toolkits, including the widely used Evilginx2, Modlishka, and Muraena. Other large-scale phishing attacks are using bots to target Apple Pay, PayPal, Amazon, Coinbase, and bank accounts.
Phishable MFA is no longer adequate, so why are so many companies still using it?
If you were shopping for cyber insurance policies five years ago, security requirements weren’t a huge part of the equation. That changed with the rapid, and expensive, onslaught of ransomware attacks. Loss ratios for cyber liability and security policies rose dramatically to 72.8% in 2020, an increase of 25% over the previous year. This prompted immediate action from the insurance industry.
While the loss ratio decreased to 65% in 2021, premiums and policies sold continue to increase. So do the number of attacks. Because of this, the insurance industry has become more stringent in their requirements, with MFA as a minimum standard. They also usually require MFA for all applications, rather than a few critical systems and internet-facing remote access. In addition to the implementation of MFA, the policy carrier expects companies to prove they’ve implemented the required controls.
Cyber insurance policies are big business for insurance companies, but they are becoming an absolute necessity for organizations. Unfortunately, the legacy MFA the policies require is inadequate when it comes to preventing attacks. The insurance industry will catch on quickly, and likely pivot to requiring modern, phishing-resistant MFA.
Given the onslaught of attacks, and the new tactics, techniques, and procedures (TTPs) and open-source tools that allow attackers to bypass MFA, the US government has mandated that all agencies move away from weak MFA in identity and access management. As far back as 2017, NIST called for avoiding MFA requiring a code or call sent to a second device. NIST standards clearly state, “Use of the PSTN [Public Switched Telephone Network, or a phone-line connection in human-speak] for out-of-band [authentication] verification is RESTRICTED.”
On May 12, 2021, President Biden issued an Executive Order on Improving Cybersecurity. The Order provides a mandate requiring the federal government to make “bold changes and significant investments” to its security infrastructure while partnering with the private sector to accomplish this goal. One of the primary points of the order is the implementation of zero trust security.
In response, on January 26, 2022, the Office of Management and Budget (OMB) issued the memo, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.” The memo sets the groundwork for the creation of the previously mandated zero trust architecture for federal agencies, with the goal of meeting the objective within two years, by the end of 2024.
Three key takeaways from the memo address MFA:
- All multi-factor authentication (MFA) is NOT created equal. The memo explicitly states that passwordless MFA should be the standard and agencies “must discontinue support for authentication methods that fail to resist phishing, including protocols that register phone numbers for SMS or voice calls, supply one-time codes, or receive push notifications.”
- Phishable MFA factors should not be used. The framework states that for “agency staff, contractors, and partners, phishing-resistant MFA is required.” “Phishing-resistant MFA” is mentioned over a dozen times in the memo. It’s time to move beyond insecure factors and focus on implementing secure factors, like biometrics and cryptographic security keys.
- Zero trust will require solutions that provide cryptographic proof of user identity, and limit access to only authorized and secure devices along with the use of continuous authentication. “Every request for access should be evaluated to determine whether it is appropriate, which requires the ability to continuously evaluate any active session.”
The ripple effect of these new requirements will impact technology and services providers who work with the government. It will also quickly spread to the public and private sectors, and phishing-resistant MFA will become the new requirement for systems across all industries, whether it is specifically mandated in a regulation or expected as the standard of due care in legal liability suits. These phishing-resistant requirements will also spread to additional regulations (e.g., HIPAA, PCI, NYDFS, PSD2, SCA, CCPA).
How does this affect you?
Phishing-resistant MFA, the current best practice and the new requirement for the US government, is quickly becoming the status quo. A new FTC ruling against alcohol delivery platform Drizly is proof that regulators are already treating phishing-resistant MFA as the expected standard. This will not be the last such decision, and the ripple effect will continue to spread.
Organizations looking to meet more stringent regulatory standards or insurance requirements should move toward the complete implementation of phishing-resistant MFA now, rather than spending time and money on outdated MFA that they will need to rip and replace quickly. Better yet, go a step further and implement unphishable MFA (like that offered by Beyond Identity) if you truly want to protect your resources.
- Deploy MFA today. Passwords alone don’t cut it, and your insurance company will make you implement MFA if you want to renew your cyber insurance policy. It will also help your organization avoid legal liability.
- Don’t settle for the lowest standard: deploy passwordless and unphishable MFA. Modern MFA will rapidly become the status quo and a requirement in cybersecurity regulations. You won’t want to rip and replace your phishable solution next year when regulators and auditors take the US government’s lead and make passwordless and unphishable MFA a requirement.
- Choose MFA that meets the zero-trust requirements. This includes ensuring that the endpoint device can be trusted (evaluated) before granting the user and device access. It must establish high trust in both the user and the device.
- Choose an MFA that is frictionless for end users. Otherwise they may come after you with pitchforks. You don’t have to make the security/usability tradeoff now.