Multi-Factor Authentication – Stronger Security, but Training is Key - WST

Back in the good old days, Multi-Factor Authentication (MFA) seemed like a silver bullet. “If only we got MFA enabled on email/VPN/etc., we can stop worrying about that high-risk service!” The industry jumped on board and now you can enable one-time passcodes or push authentication on just about everything from VPNs to email to your favorite online megaretailer. The grateful townspeople thanked the InfoSec stranger as they dramatically rode off into the sunset…

Unfortunately, that last part didn’t happen. While properly implemented MFA can be a significant obstacle to many attacks, it is no security panacea. The biggest problem comes down to people. We are all learning (and we see time and again during Penetration Tests) is that if we can trick a user into entering their credentials, we can probably get them to helpfully provide their one-time-passcode (OTP) code as well. We have also had users that accept random push notifications as well, allowing logins from random sources. This isn’t all the user’s fault - to a non-technical person, they are shown how to use the new magic token (or app) and how to log in with it. They don’t always understand what it all means, they just need to get connected and do the job you are paying them to do. That is where additional training comes in.

Users need to know what to look for, and who to report strange requests or push notifications to. That way, you can get a heads-up if something strange is going on. This allows you to secure that person’s account before the Bad Guys™ can pull off their nefarious schemes.

Consider the following regarding MFA:

• MFA is still a huge improvement over standard username/password. Use it everywhere you can.
• When training users on VPN, webmail, or other logon processes, make sure they are told what to look for. They should never get a push notification when they aren’t logging in at that moment. If they get extra notifications, or if they get them when they aren’t logging in, then they should call the helpdesk immediately
• If you use OTP, they should know where to enter it and to never enter it anywhere else (an extra box, after the username, etc.)
• Likewise, they should never provide token or MFA information over the phone unless they know they are talking to an authorized IT contact.
• Some look-alike login portals can pass-through MFA information, so the same training applies on how to spot phishing messages and fake login pages.
• Consider logging and alerting on anomalous logon events. If your solution supports it, if you get a VPN or webmail login from outside a normal geographic area, this should generate an alert.

Authored by: Jeremy Johnson, OSCP, CISSP