Multifactor authentication – and the dangers of multifactor authentication fatigue
In Part 1 of this article, we spoke to Mike McLellan, Director of Intelligence at the Secureworks Counter Threat Unit about a seeming rise in reports of business email compromise being used against business in 2022 – as revealed by the Unit’s annual report on the cyber-threat landscape. But there’s more to life and cybersecurity than business email compromise and phishing. So while we had him in the chair, we took the opportunity to check in with Mike about a reported rise in multifactor authentication fatigue attacks.
We said in Part 1 that a rise in multifactor authentication attacks by cybercriminals was perversely actually a good thing, because it meant more companies were actually deploying MFA, so it was making the criminals do more work.
Yes – anything that forces them to do more work to get access feels like progress.
Alternative multifactor authentication methods.
We’ve been talking to people recently about the idea of using new forms of MFA, be it hardware keys, be it biometrics. Is that feasible in the longer run as a way of increasing that workload on the criminals?
Yeah, there are plenty of sort of very secure methods – as you say, there are hardware keys, that idea that you physically have to have a piece of technology in front of you.
I think we will continue to see the options get more and more sophisticated and harder and harder to bypass. The problem with them is still going to be implementation. And fundamentally, the challenge is that organizations have to do this in a way that doesn’t prohibit people from being productive. So anything which is too costly, or too hard, will potentially not be adopted.
We started with “We’ll get a system to send you a text message, you can then put a code in.” Now we see SIM hijacking to try and get around that kind of thing. Then you get to apps where you have to click a button. And then that means you actually have to input a number. So you can sort of see the progression. Where it will stop? I don’t know, but I think there’ll be a sort of cost balance thing for organizations about when is it too expensive and too hard, versus what’s the level of efficacy of that control?
The key really is to keep criminals busy, keep them locked into the challenge of having to innovate. The longer they have to work to get around something, the longer that something is a safe method of ensuring cybersecurity.
Does that make some sense of the growth in multifactor authentication fatigue attacks? People are getting so used to it that they’re conditioned to using it, so making them annoyed or exhausted with it is a way in?
The balancing act.
We’ve seen more and more multifactor authentication being implemented, which is good, but one of the challenges still is that users will do the minimum necessary to be able to do their job, which is entirely understandable.
Usually, we’re not dealing with security people. For the most part, we’re dealing with people who actually have to try and generate money for the company. They want to be able to do their job with as little friction as possible. And any controls you implement, like MFA, do introduce some friction. So obviously, the easiest way of doing it is you just get a little message on your phone saying “Do you accept this access request or not?”
The problem with that is that criminals discovered that if they just kept requesting access, eventually, your average user would probably just click “Yes,” just to stop the alerts popping up, especially if it’s during the morning, and they’re trying to sleep. So it’s no surprise that we’ve seen those kinds of attacks that people call prompt bombing or MFA fatigue attacks both happen and increase.
It comes down to that tricky balance between security and convenience. You can make it harder for those attacks to succeed – you can force people to put in a number that they will be able to see if they will legitimately the one trying to log in.
But again, that introduces that little bit more friction. So it comes down to whether organizations are willing to accept that, accept the cost of the control versus the saving from not having an incident.
A crucial control.
I have long been an advocate of the idea that any MFA is better than none, because still, too few organizations are using it at all. But it’s certainly the case that once you’ve been able to get over the hurdle of actually rolling it out, you need to look at how you can make it that bit more robust, and that little bit harder to bypass, because it is a really important control.
Alongside patching, multifactor authentication is probably the most important preventative control that we know of right now. So getting it rolled out is the first thing. Once you get over that challenge, then you need to think about how you can make it a bit harder for criminals to bypass without making it prohibitively hard for users.
Being in that position of having to think about making it harder is a good problem to have, because it means more and more organizations are getting over that initial rollout stage. But there always needs to be that balance between making it hard for criminals and not making it too hard for legitimate users, because the more exhausted they are with multifactor authentication in their daily lives, the more likely they are to just do as they’re told when prompted – which will let the criminals get access through that user exhaustion.
In Part 3 of this article, we’ll examine the likes of state-sponsored attacks, ransomware, and the rise and rise of post-intrusion malware.