Credential theft is one of the most common ways for adversaries to gain access to critical systems. Multi-factor authentication (MFA) and its cousin two-factor authentication (2FA) are two of the technologies designed to keep this particular type of attack from succeeding.
The idea behind MFA/2FA is a simple one: the user logs in with a password and is then prompted to sign in with a passcode or biometric fingerprint scan. Advances in MFA make it significantly harder for threat actors to guess or steal login credentials (ill-gotten credentials play a role in the majority of successful cyber attacks) or otherwise weaponize identity and access.
MFA is by far one of the most successful ways to prevent these types of attacks; it mitigates 34 techniques in the MITRE ATT&CK framework, proving its effectiveness. The mitigated techniques span multiple phases of the MITRE framework and are not limited to preventing credential access. MFA also mitigates persistence and lateral movement techniques, thus interrupting many different kinds of attacks.
Multi-factor authentication is thus a key facet of zero trust at the identity level. That said, it can’t protect critical systems on its own; rather, it works best as part of a coherent zero trust approach to security that also features zero trust extended to the endpoint.
Multi-factor authentication is designed, at a fundamental level, to make it harder for credential theft to succeed. In the consumer financial realm, chip cards are arguably the most visible form of MFA. Chip-and-PIN authentication, where you need both the card and a PIN, has basically eliminated card-present fraud. Criminals can no longer use card skimmers on payment terminals to steal credit card information.
As a result, however, card-not-present fraud online has skyrocketed. The identity and access management industry has also released technologies such as passwordless authentication, which replaces easily exploited strings of characters with one-of-a-kind biometric identifiers like the pattern on a person’s iris or the tone and pitch of their voice. The biometrics market has more than tripled in size since 2018 because biological features are so much harder to steal.
Harder, but not impossible. When Apple released an early version of fingerprint authentication in 2013, hackers found a way around it just 48 hours after release. MasterCard introduced a program that let users take a selfie to authenticate their identity – so hackers simply held up a photo in front of the phone. Authentication based on vein patterns has even been cracked using a wax hand. Biometric MFA may be the vanguard, but it seems to be no match for ingenuity and persistence.
Lingering doubts about the effectiveness of multi-factor authentication are so strong that the FBI issued a security advisory in late 2019 warning that MFA could be compromised in multiple ways it had witnessed firsthand.
The FBI still endorses MFA, writing that, “Multi-factor authentication continues to be a strong and effective security measure to protect online accounts.” But they conclude with the caveat, “As long as users take precautions to ensure they do not fall victim to these attacks.”
Multi-factor authentication is surely valuable, given that it can mitigate 34 techniques in the MITRE ATT&CK framework, but organizations would do their users a disservice to think it’s anything more than just one component of a zero trust security strategy.
Multi-factor authentication enforces a zero trust approach when it comes to identity. This is a key pillar in a zero trust strategy to protect the organization against devastating cyberattacks. It isn’t enough, though.
Zero trust must extend beyond the identity layer and validation of network traffic to focus equally on endpoints. The attacks behind breaches like SolarWinds, Kaseya, CodeCov, Microsoft Exchange, and more are able to bypass the zero trust technologies already deployed on networks and at the identity level.
If MFA is bypassed and there’s no additional zero trust technology in place, then that creates a risk of data being exfiltrated and encrypted. Zero trust deployed on the endpoint level means even signed, trusted software is validated before being allowed to run. Threat actors are very smart about including defense evasion techniques and obfuscating their payload to bypass controls at the identity and network level.
Deploying zero trust at the endpoint level completes the strategy that multi-factor authentication allows at the identity layer. The best part of zero trust on the endpoint, especially the way that Morphisec Guard deploys it, is that resource-strapped IT teams don’t need to worry about assigning someone to monitor the solution. Morphisec’s zero trust solution, powered by moving target defense, provides that final layer of validation to ensure attacks don’t get through.
Multi-factor authentication is a critical piece of a zero trust strategy at the identity layer. It can mitigate several techniques and limit security risk from an unauthorized access perspective. However, MFA can still be bypassed, and a true zero trust endpoint solution such as Morphisec Guard mitigates this risk.