InfoSec Insider

Beyond MFA: Rethinking the Authentication Key

Tony Lauro, director of security technology and strategy at Akamai, discusses hardware security dongles and using phones to act as surrogates for them.

You have to hand it to the cyber-thieves: They have proven extremely adept at defeating security measures once thought reliable. Case in point: multifactor authentication (MFA). While two-factor authentication (2FA) using push or text-message notifications has become the de facto standard for login security, bad actors have found a variety of ways to circumvent it.

In fact, there is a cottage industry focused on defeating 2FA. Akamai recently published a blog post describing a phishing campaign that targeted banking customers in the United Kingdom by evading 2FA. Researchers from the Global Threat Intelligence Team at WMC recently disclosed that they were tracking a threat actor who goes by the alias “Kr3pto” and builds and sells phishing kits designed to acquire real-time security codes and 2FA data, targeting U.K. financial institutions.

Also last summer, two men were arrested and charged with using Twitter employee account credentials to take over several highly visible celebrity Twitter accounts, which they used for Bitcoin scams. A report published by the New York State Department of Financial Services stated that the push notification authentication factor used by Twitter was easily circumvented by the attackers. The report recommended using physical security keys to block such attacks.

A Hardware-Based Approach

Physical security keys introduce a new twist to 2FA. Instead of using a code delivered to your phone, the hardware-based key is a dongle you insert into your company laptop or other registered access device. It generates a unique code when you press a button or biometric reader, authenticating the user.

While some push-MFA solutions may be vulnerable to bypass, the latest generation of biometric-based keys use the FIDO2 and WebAuthn standards, respectively developed by the FIDO Alliance and the World Wide Web Consortium. FIDO2 is based on cryptographic login credentials that are unique for every website. The private key remains on the device, while the public key is sent to the site with which it is registered. Since there are no “shared secrets,” no useful authentication information can be obtained if the site is breached. To use an analogy, it’s like the security in a missile silo, where two separate parties must turn a pair of unique keys at the same time to authorize a launch (a scenario we hope never happens!).

FIDO2 and WebAuthn standards represent smart solutions for authentication, effectively preventing most forms of phishing and other takeover attacks. This includes sophisticated attacks, like man-in-the-middle (MitM) attacks, where a bad actor intercepts credentials by manipulating or diverting network traffic to a fake login portal. Most importantly, they do not employ passwords, which are a prime source of vulnerabilities.

Cost, Complexity and the Human Factor

But there are some downsides to physical keys. Deploying thousands of these devices across an enterprise is a costly and complex proposition. When security updates are required, there’s no way to release a patch — you’ll have to replace the keys with new ones. Even if the key provider delivers new ones for free, distribution is a logistical headache. Additionally, the list of services supported by physical keys is growing but still limited.

Finally, there’s the human factor: Who hasn’t ever lost or misplaced their keys? In that event, the authentication key would need to be terminated and a new one ordered. A user might wait days before receiving a replacement, locking them out of corporate resources in the meantime. In an enterprise with tens of thousands of employees, misplaced keys could have a real impact on productivity.

Turning the Phone into a Key

There’s another way to provide this strong authentication — one that combines the simplicity and familiarity of smartphone-based 2FA with the robust security offered by FIDO2 and WebAuthn standards. Why not use a device everyone is familiar with and carries with them all the time — their smartphone — to provide strong, cryptographic authentication in a manner similar to a physical key, minus the high cost and complexity?

To see how this can work, it’s important to understand a bit more about FIDO2. The standard involves three actors: the website (known as the relying party, or RP), the browser and the authenticator (the key). WebAuthn is the protocol between the RP and the browser; a separate Client to Authenticator Protocol (CTAP), also defined by FIDO2, exists between the browser and the authenticator. The strong authentication actions (register this key, authenticate this challenge) operate between the key and the RP, with the browser passing messages along and adding context.

CTAP defines three transport layers for roaming authenticators: USB, Bluetooth low energy (BLE) and near-field communication (NFC). However, using a transport layer not covered by CTAP is necessary to allow the browser to pass FIDO2 messages over a cryptographically secure channel to the smartphone. This innovation allows the smartphone to be “paired” with the browser over this channel just as a physical key is “paired” with the browser over USB.

The result is a phish-proof solution using the smartphone as the key. So it’s “missile silo” secure. But what about the other side of the equation, simplicity?

Frictionless User Experience

The beauty of this approach is that corporate users are already using their phones as part of their authentication steps. So it’s frictionless. In a sense, it simply adds FIDO2 protection to an already familiar, easy process. And it takes user error out of the equation. With existing MFA push notifications, a bad actor can push a false notification that could facilitate employee account takeover. FIDO2 authentication using the smartphone approach described above prevents this.

While this approach offers significant advantages over both traditional MFA push notifications and physical security keys, it does not eliminate the need for a holistic approach to security. That includes mobile device management. Companies need to pay close attention to any potential vulnerabilities within the smartphones themselves, including all software deployed to them. It’s important to continually examine every link in the security chain to catch potential vulnerabilities. After all, cybercriminals spend their days and nights probing for tiny cracks in that chain they can exploit.

Deployed correctly, an authentication strategy that replaces hardware keys with a smartphone-based approach using the FIDO2 standard can eliminate the risk posed by MFA-bypass techniques, without compromising on convenience. With cyberattacks on the rise, combining strength and simplicity may be the best defense.

Tony Lauro is director of security technology and strategy at Akamai.
