Evolving the nature of multifactor authentication
In the wake of Twitter’s announcement that it would be turning off multifactor authentication for users who didn’t pay it money to become Twitter Blue subscribers, much of the social media community went into apoplectic meltdown over the security of its accounts being essentially “held to ransom.”
But there are significant alternatives available to multifactor authentication – and also, significant new options to multifactor authentication as we’ve known it so far. We spoke to Field CISO, EMEA at VMware, Scott McKinnon, to explore not only the available options, but also the underpinning philosophy behind a move beyond multifactor authentication.
Multifactor authentication has been seen as a panacea for security. Certainly, industry sighed with relief when it became a commonplace reality. Is it not that sort of panacea? And if it isn’t, why isn’t it, and what can hackers do to compromise it?
Generally, it has been a good thing. Anything that moves us away from relying upon individuals to remember which username for which particular site they had, and the password that they use for that, is a good thing, because as we know, people tend to take shortcuts and use the same passwords across different sites. So anything that raises the security bar a bit from that is a good thing.
However, as with all things, it’s always an arms race where, you know, once the level of defense has become higher, the attackers have to try different techniques to get around it, and multifactor authentication has not been immune from that.
So there have been compromises on channels that provide the second factor in particular.
Social engineering, and other attack-forms.
What we’ve seen are social engineering attacks, where individuals have been targeted and they’ve been tricked into revealing their credentials from whichever method they’re using.
We’ve also seen attacks where just phishing has been used; targeted email attacks where individuals are encouraged to either click on a message or click on a link. There’s also the possibility of adversary-in-the-middle attacks, where somebody is actually sitting in between, able to impersonate one side of the communication to the other.
Those things have definitely weakened the appeal of multifactor authentication. But in particular, to focus on SMS two-factor authentication, there have been a couple of issues that have arisen with that, especially with the duplication of SIMs, whereby the attacker can then effectively receive SMS messages from the legitimate user.
There are also more sophisticated hacks where bad actors have actually gone and compromised the mobile phone provider and been able to associate their SIM card with the victim’s number.
So multifactor authentication has not been without its challenges, but for sure, it’s generally been a good thing to have.
A range of other options.
Is its time over and done with now?
I don’t really think so. I think that what we need to do is think about those multiple factors and acknowledge that there are different ways to do it. SMS has been one of those ways, but there are many others, so we’ve seen the development of things like multifactor authentication apps, and multifactor authentication hardware devices. You know, there are many examples of hardware keys.
But also there are other ways of going about it, like biometrics – some laptops and some phones now offer the ability to read your thumbprints or use facial recognition to authenticate users, so I think that the concept of multifactor authentication is sound, for sure. It’s just really that we need to focus on making sure that the factors that are employed are still appropriate.
And I would say we have to consider the risk landscape in this as well. So, for instance in the Twitter case, individuals are individuals, and social media is important to them, but they’re not going to be able to deploy sophisticated identity management tools in the way in which enterprises can and do. It’s really about having a balance between which factors are appropriate for the service that’s being consumed.
What else is available? As you say, there’s biometrics, and hardware keys and the like. Anything else that looks promising?
There are other things that can be done, yes. Rather than having to create multiple accounts on different social platforms, these days browsers are able to suggest strong passwords for you, that can then be saved effectively in the browser vault or in a key chain protected by your cloud provider. Even email can work as a second factor and can provide a degree of protection, always assuming that the whole device has not been stolen or compromised.
Is it becoming a question of how safe you need to be and how much you’re willing and able to spend in order to make that happen?
Exactly, yes. The IT needs to be appropriate to the risk and of course with individuals’ massive consumption of these social media apps, it’s not viable for everybody to go and buy a hardened mobile device that has all of those applications available on it.
But devices do have TPMs (Trusted Platform Modules) on them. So there is a hardware root of trust available to people. But I think as long as people also have some judgment as well and use some vigilance over their consumption, they should be relatively safe.
Have you… erm… met people?
Of course everybody’s busy, we’ve got lots of things going on and it’s easy to get complacent. But I think that is one important piece of advice: to think about “What is this that I’m receiving? Where did it come from? Is this within the realms of normal and expected transactions that I would have?”
And then if it’s not, take a degree of caution with that to protect yourself.
Again, not to be tediously flippant, but as things stand at the moment, do we trust the user to be that vigilant? Or, for instance, are there benefits of working for a company that gives official training in vigilance as part of their cybersecurity approach?
Definitely. I mean, from our corporate point of view, one of the most important things about cybersecurity strategy is to have that awareness. In our company, as I’m sure in many others, it’s mandatory every year for you to go through cyber-awareness training, where you’re taken through the risks, so effectively you know where you could be vulnerable, and you know to think about what you’re doing.
And then obviously, companies can place a lot of faith in the assets that they own and the people that work for them.
That level of process, that level of framework is generally not available to the consumer, but lots of us work for corporations. And the training that we get from that perspective, we should apply to our personal life as well.
And obviously, the organizations themselves should be upfront and transparent about the risks. And I think, to be fair, that you do actually see that from these social media platforms, warning people to be careful.
In Part 2 of this article, we explore the possible future beyond multifactor authentication – and its potential, as in the Twitter case, to be used as a monetizable asset.
9 June 2023