Just three years ago, attacks on multi-factor authentication (MFA) were incredibly rare. MFA significantly improved identity and access security for accounts. But MFA's effectiveness and growing popularity have made it table stakes for attacking sophisticated companies. With the increasing frequency of token-theft attacks that bypass MFA, organizations can no longer sit tight with MFA and assume their accounts are still protected. Security leaders need a "more than MFA" story now for identity and access security.
MFA Bypass Attacks are No Longer Rare
Microsoft noted, in 2019, that, “MFA bypass attacks are so rare that we don’t have good statistics on them.” With less than 10% of enterprise accounts then using MFA, just implementing MFA was a significant priority and afforded strong protection. It’s no longer 2019, adoption has grown, and adversarial techniques have evolved accordingly. Attackers increasingly use token theft to bypass MFA protections. Microsoft now observes that, between September 2021 and June 2022, adversary-in-the-middle (AiTM) phishing campaigns attacked over 10,000 organizations. MFA is no longer enough – organizations need something more to stay secure.
Token-Based Attacks Bypass MFA
The two most common token theft techniques to bypass MFA are, according to the Microsoft Detection and Response Team (DART):
- Adversary-in-the-Middle (AiTM) attacks: where phishing emails direct users to a proxy server between the user and a target website, such as Outlook.com. While the user thinks they’re visiting the website directly, the malicious proxy server intermediates between the two and captures users’ credentials, and when MFA is enabled, captures the session token as well. The attacker later uses these to access the victim’s email and attempts to commit fraud under their identity.
- “Pass-the-Cookie” attacks: where malware is used to compromise a system and extract browser cookies, which can be passed to a browser on another device and used to bypass security without needing to know credentials such as email and password.
When Credentials are Compromised, It’s Game Over for Any Organization!
Once identity credentials are compromised, it’s “Game Over” for any environment. Over 60% of breaches resulted from stolen credentials last year, with future years projected to increase. For ordinary users, the risk of business email compromise (BEC) can have significant financial and operational consequences. With administrators, compromised credentials can mean total loss of control of an organization.
With the increasing frequency of token-based attacks to bypass MFA, organizations can no longer sit tight with MFA and assume their accounts are still protected.
Secure Leaders Need a “More than MFA” Story Now for Identity and Access Security
In its recent blog on token-based attacks for bypassing MFA, Microsoft highlights several recommendations including:
- Shortening session lifetimes to limit the time a token can be leveraged – though they note that this will increase the frequency of user re-authentications
- Implementing phishing resistant MFA solutions such as FIDO2, Windows Hello, and certificate-based authentication
- Putting privileged users on segregated, cloud-only identities without a mailbox attached
- Focusing more stringent controls on high risk applications and users such as admins/finance/etc.
Gradient Can Make this Easy
While we agree with the above mitigation steps, Gradient Cybersecurity Mesh (GCM) provides a solution to identity-based compromises. GCM moves from static, long-lived cryptographic keys to secure ephemeral credentials predicated on user and platform attributes – fully automated – without breaking existing protocols.
By being passwordless, Gradient Cybersecurity Mesh (GCM) ensures there are no passwords to steal in the first place. What’s more, by leveraging the hardware roots of trust already present on most enterprise laptops, desktops, servers, and cloud instances, GCM also allows users to anchor said credentials to a particular machine, or machine+user combination, enabling peer-to-peer level secondary enforcement and making the prospect of stolen credentials all but impossible.
And finally, GCM also speaks WebAuthn and SAML protocols (both phishing-resistant forms of MFA) and issues SSH keys, such that any token or credential format can be securely leveraged, across any platform or scale.
GCM ensures a multi-factor authentication process that is simultaneously low-friction for the end-user and resilient to attack.