For all its merits, over-reliance on Multi-Factor Authentication (MFA) has become a real security problem. Like all security controls, MFA suffers from limitations, but unlike most security controls, MFA’s limitations are less well understood by security teams, which has created unexpected risks.
These limitations are both technical and user-centric. As seasoned security strategists, practitioners, and red team hackers, our team has done a lot of work to uncover potential weaknesses in MFA systems for our clients.
MFA has evolved into a definitive root of trust, an assumption that creates potential risk. While effective in the scenarios for which it was intended, MFA is not a silver bullet, and its use as such actually creates unintended security posture weaknesses.
MFA is designed to solve a specific problem
MFA emerged to address specific authentication risks, not to act as a comprehensive protection strategy by itself. It helps to address the issue of weak, leaked, or stolen passwords by adding an extra layer of verification during the login process. This additional factor, something the person has (e.g., security token, phone) or is (fingerprint, facial recognition), makes it more difficult for attackers to gain unauthorized access even if they crack, steal, or find a password.
MFA was conceived in the 1980s, but broad adoption as part of a security posture came in the 2010s. Early adoption happened in enterprise organizations and has since spread to mid-sized businesses as well.
Is MFA an End-to-End Solution?
At the exact moment of authentication, MFA can reduce unauthorized access risks, but MFA validation is temporal and evidently not foolproof. Security architects must recognize MFA as one layer in a security stack. SMS, app-based, and hardware MFA each have weaknesses: malware on a device can compromise app-based tokens, while SMS codes are susceptible to interception and redirection.
The more concerning risk with MFA is the interval between authentication prompts. Between prompts, nothing but an easily bypassed token assures that you are the intended person on the intended device. The primary mitigation techniques are to shorten timeouts so that re-authentication happens more often, or to implement adaptive authentication.
The problem is that shortened timeouts and re-challenges create a false sense of security: attackers possessing a token can simply exploit active sessions with the privileges afforded to the user. MFA token theft is the modus operandi of the phishing-as-a-service (PhaaS) platforms popular with criminal groups, such as Tycoon.
Frequent MFA prompts can lead to complacency or workarounds, negating its effectiveness; after all, there is only so much inconvenience that’s tolerable. Paradoxically, the more secure MFA appears to be, the greater the unexpected risks created by the poor user experience. This Faustian bargain shows the fundamental limits of relying solely on MFA as a comprehensive security pillar.
How does MFA still expose significant risk?
Periodically re-challenging the user, such as by tightening session timeouts, offers limited protection: verification with MFA is inherently temporal. Attackers with access to the workstation simply lie in wait until the authorized person re-authenticates. Waiting for an active session, or creating a clandestine session with the freshly minted MFA authentication token, is simple, and the most consequential hackers tend to be patient.
Session hijacking bypasses the MFA protection and leads to especially risky exploits. Attackers now have the opportunity for lateral movement to access neighboring and remote systems on the network or in the cloud, which in turn are subject to the very same post-authentication exploit in a “rinse and repeat” fashion until the attackers are able to access sensitive systems or critical data. Attackers often refer to these common, stealthy tactics as living off the land or land and expand.
Let’s take a moment to recall the intent of MFA: It’s to confirm that the intended person is the one in the active session. But the real guarantee MFA affords is alarmingly weaker than that.
Tight timeout windows make us feel 100% secure. However, when you weigh the moment at which an MFA challenge is actually in use (e.g., once every 30 minutes) against the active session time in between (the remaining 29 minutes), 97% of the session is exposed.
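The exposure described above is visible in ordinary access logs: a session that passed the MFA challenge from one client and is then driven from another client, well inside the re-challenge window, is a replayed token. The following detection logic is an added example written for this article, not code from the original author. It assumes a constructed, line-oriented log format (timestamp, event type `mfa_ok` or `request`, `sid`, `ip`, a User-Agent hash `ua`, optional `path`) and binds each session id to the client context that completed MFA.

```python
"""Detect post-MFA session hijacking from access logs.

Added example written for this article, not code from the original author.
It assumes a line-oriented log in which each record carries a timestamp, an
event type (mfa_ok or request), a session id, the client IP and a hash of the
User-Agent. The rule: once a session id has passed the MFA challenge it is
bound to the client context that passed it; any later use of the same id from
a different context is a replayed token, regardless of how far away the next
re-challenge is. A session used before any MFA record exists is flagged too.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: sid abc123 passes MFA from 10.0.0.5, then the same
# cookie appears from 203.0.113.9 with a different browser fingerprint,
# well inside a 30-minute re-challenge window. sid zzz999 never passed MFA.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z mfa_ok  sid=abc123 ip=10.0.0.5 ua=f1a2
2024-05-01T09:01:10Z request sid=abc123 ip=10.0.0.5 ua=f1a2 path=/mail
2024-05-01T09:03:42Z request sid=abc123 ip=203.0.113.9 ua=77e0 path=/admin
2024-05-01T09:04:00Z request sid=abc123 ip=203.0.113.9 ua=77e0 path=/export
2024-05-01T09:05:00Z mfa_ok  sid=def456 ip=10.0.0.7 ua=9c3b
2024-05-01T09:06:00Z request sid=def456 ip=10.0.0.7 ua=9c3b path=/mail
2024-05-01T09:07:00Z request sid=zzz999 ip=198.51.100.4 ua=0000 path=/mail
"""


@dataclass
class Binding:
    ip: str
    ua: str
    mfa_at: datetime


@dataclass
class Alert:
    sid: str
    at: datetime
    seen_from: str         # "ip/ua" of the offending request
    bound_to: str          # "ip/ua" that completed MFA, or a marker
    secs_since_mfa: float  # -1.0 when no MFA record exists
    path: str


def parse_line(line):
    """Split 'TS EVENT k=v k=v ...' into (datetime, event, dict)."""
    parts = line.split()
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    kv = dict(p.split("=", 1) for p in parts[2:])
    return ts, parts[1], kv


def detect_hijacks(log_text):
    """Return one Alert per request that uses a session from an unbound context."""
    bindings = {}
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event, kv = parse_line(raw)
        sid, ctx = kv["sid"], f'{kv["ip"]}/{kv["ua"]}'
        if event == "mfa_ok":
            # MFA passed: bind the session to the context that passed it.
            bindings[sid] = Binding(kv["ip"], kv["ua"], ts)
            continue
        b = bindings.get(sid)
        if b is None:
            alerts.append(Alert(sid, ts, ctx, "<no mfa_ok on record>", -1.0,
                                kv.get("path", "")))
        elif ctx != f"{b.ip}/{b.ua}":
            alerts.append(Alert(sid, ts, ctx, f"{b.ip}/{b.ua}",
                                (ts - b.mfa_at).total_seconds(),
                                kv.get("path", "")))
    return alerts


if __name__ == "__main__":
    for a in detect_hijacks(SAMPLE_LOG):
        print(f"{a.at.isoformat()} sid={a.sid} {a.seen_from} != {a.bound_to} "
              f"({a.secs_since_mfa:.0f}s after MFA) {a.path}")
```

In the constructed sample the first alert fires 222 seconds after the challenge, long before a 30-minute re-prompt would. In production the context check needs tuning (mobile clients change IP legitimately, so many deployments alert only when several fingerprint fields change at once, or respond with a forced re-challenge rather than a block), but the point stands: shortening the timeout does nothing about a token replayed inside the window, whereas binding the session to its authenticated context catches it on the first request.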
Can we Fix MFA with Continuous Authentication?
Continuous authentication complements MFA, rather than replacing it. In theory, continuous authentication sounds alluring since the concept appears to reconcile the discrete authentication checks we are used to with protection for the entire session duration. In practice, however, continuous authentication is also implemented through additional checks to confirm the person’s identity in the active session. This is still open to vulnerabilities because it assumes all commands created during active sessions are valid.
Doing additional user-centric validation still leaves the door open for attackers to bypass the protection you have with MFA. Re-authenticating 2FA credentials still assumes the person at the keyboard is the one doing the input between authentication prompts. This exposure is especially acute where RDP, SSH, VDI, and other remote desktop access protocols are available.
How do we handle continuous authentication while observing the more secure practice of assuming a system is breached? This is where we introduce the need for validating both the person, and their intent.
This is where intent-based authentication security becomes the new front line defense.
Moving to Intent-based Authentication Session Security
Intent-based authentication differs in a slight, but very important way from continuous authentication.
The only way to solve the problem is to ensure the right person, with the right intent, is using the right device, at any time during the session. It’s about confirming identity and the intent of the commands. Is your authentication actually authentic? In order to answer this we need to understand what your authentication is actually confirming.
Intent-based authentication is built on the principles of assuming that, when the device is compromised, established login sessions are easy to hijack, and that attackers and authorized employees can work in parallel. From this perspective, it is imperative to move the line of defense deeper than just the initial login.
This changes the strategy to capture the real-time intent of session activity down to every input: keystroke, mouse click, and touchpad press. By monitoring where these inputs are coming from, we can definitively conclude when commands were unexpectedly created remotely, which is an extremely high-confidence signal of device compromise in conjunction with attempts to move laterally.
The reason why this approach is so accurate is because there is no correlation between compromising the software on a system and physically compromising the device. Hence, when input is created locally on a workstation, it is a strong sign that the authorized person created that input. Furthermore, physical input is a completely different kind of verification. In conjunction with traditional security techniques, it creates defense in depth because it does not share the same Achilles heel that network segmentation, SSO, MFA, and PAM have of assuming the device is not compromised.
Just a few of the top advantages of an intent-based authentication methodology include:
- Securing the full session – Attackers can’t work sequentially with authorized personnel
- Attestation for every command – Attackers can’t work in parallel with authorized personnel
- Low-friction user experience – Integrates into the flow of work without requiring complex processes for personnel
- Undetected ransomware protection – Blocks automated scripts that seek to spread malware/ransomware through lateral movement
An ideal scenario is where we can validate that every command was created by the authorized person without introducing the friction that comes with continuous authentication and/or repeated MFA prompts.
MFA and Intent-based Authentication Validation: A Stronger Union
MFA relies heavily on the person’s device. However, device compromise is commonplace. Here’s where continuous physical interaction monitoring offers the most effective way to ensure the intended person is the one at the workstation. You are able to continuously assess the intent of commands by determining if the authorized person is creating them.
Intent-based authentication is designed to work alongside existing MFA solutions for a more robust security posture. Layering these methods adds more security to an existing defense in depth approach for day-to-day security. However, security postures need to consider attack scenarios in addition to attack surfaces.
The cyber threat landscape is constantly evolving, demanding a layered security approach. Today, the attack scenario that requires more consideration is when devices are compromised.
The challenge is that traditional identity security layers compress into a single point of failure, because tokens, keys, cookies, and similar artifacts stored in the browser or elsewhere on the device enable attackers to easily hijack active sessions.
Intent-based authentication is the only layer of security that prevents undetected, advanced persistent threats from moving laterally by hijacking authorized accounts. The moment just before critical data is compromised, breached or ransomed, is the most important moment in security. Intent-based authentication has the opportunity to be the new, proven root of trust that can close this security gap.