Transcription

Nelson

Hey everyone and welcome to "Cybersecurity MythBusters." I'm Nelson Melo, founding engineer at Beyond Identity, and I'm joined by our cybersecurity expert and product marketing lead, Jing Gu.

Jing

Hi all, get ready to embark on an extraordinary quest as we unveil today's myth. Thomas, a "MythBusters" fan, wrote to us with this question. Dear Cybersecurity MythBusters, in a previous episode, you mentioned push bombing attacks and hinted at single device MFA being a better approach. I've always thought that having a second device in the authentication process was preferable due to the additional security layer.

Is my thinking wrong? Fantastic question. Now Thomas's question touches on an interesting debate of single device MFA versus the traditional two device approach. So to set the stage, let's clarify what push bombing attacks are for our viewers.

Nelson, would you care to explain?

Nelson

Let's do it, Jing. A push bombing attack involves just overwhelming a user's device with a flood of push notifications, which if you've ever gotten, you know, 10 text messages in a row, you know how annoying that can be. This is a classic example of an issue of having multiple devices involved in MFA, how that's not necessarily better. Now let's see if Thomas's belief in a second device is actually a solid defense for this myth.

Jing

Today, we are thrilled to have a very special guest with us who is an expert in this field. He is the perfect person who can help us dissect the myth. Please welcome George Jenkins, a cybersecurity group, and our very own application security engineer.

George

Thanks for having me, Nelson and Jing. I'm really excited to dive into this myth.

Jing

Yeah. So George, let's talk about this. Do you think Thomas is onto something about this single device versus multi-device MFA debate?

George

You know, it's a great question and a common concern in the cybersecurity community. Having a second device for MFA has been a longstanding practice for many, but as technology evolves, we need to reassess its effectiveness. Second device MFA resolves to a possession factor, meaning something you have versus something you know or something you are, and it can be easily added to a traditional authentication transaction. It's primarily why two device MFA options rose in popularity.

Of course, having two mechanisms are better than one when one of those mechanisms can be easily stolen like a username and password, but without any kind of strong phishing resistance, traditional two device MFA solutions like SMS, OTP, and push notifications all failed to close the door on remote phishing attacks as not only can a username and password be stolen, but so can an OTP code. With the commoditization of phishing proxies and phishing as a service providers, using traditional two device MFA poses an existential risk since it fails to fully prevent remote exploitation. Traditional attacks such as adversary in the middle are just as effective when traditional two device MFA is added to the equation.

That's because the second device only provides the possession factor. It doesn't make any kind of assertion on the device that's gaining access, nor does it provide any kind of control verification in the form of device posture analysis. Some traditional MFA services using push notifications have added biometrics in an attempt to provide additional protections, but really they're of limited use if the wider login transaction itself can still be attacked by a proxy like the man in the middle attack. We have in effect made the job of the legitimate user harder while only marginally increasing the difficulty for an attacker.

But modern single device MFA solutions available today provide a much better user experience by streamlining the authentication process, meaning no second device is required, leading to higher levels of user adoption, less friction, and much happier users.

Jing

So would I really be foregoing security if I go from a second device MFA to a single device MFA?

Nelson

Yeah George, what do you think?

George

Not at all. Modern passwordless single device MFA also fundamentally changes the equation by actually preventing phishing attacks, making traditional commodity attacks like password spraying and adversary in the middle useless for the attacker to even attempt. When device posture is added to the mix, devices attempting to log in are also analyzed for vulnerabilities, configurations, and the presence and status of security tools, ensuring the device is well protected and secure prior to being granted access. Modern single device MFA can also use the device's biometric sensor to enhance the login requirements with a biometric check, ensuring it's not just good enough to have the correct device in your possession, but you must also be the correct user.

When paired with passwordless, a system like this is many more time secure than the limited biometrics and traditional two device MFA. Overall, a modern single device MFA solution beats out traditional two device MFA on both usability and security.

Jing

Awesome insights, George.

Nelson

Yeah, get back to protecting us.

George

You got it. Thanks for having me.

Nelson

So there you have it, Thomas. Single device MFA has architectural advantages like being phishing resistant, is much easier for users to actually understand and use, and it's cost efficient, it saves on maintenance and all the costs.

Jing

Thanks for tuning in and if you have any rumors, questions, or myths that you want us to test and potentially bust, be sure to let us know. Bye.

‍