Let’s Face It: MFA is Broken

Why your standard MFA is not enough to ensure the person logging in is who they say they are

Multifactor Authentication (MFA) has traditionally been seen as a strong form of security. Unfortunately, MFA for many has become a “set and forget project” as organisations then move on to the next pressing cyber security problem. Of course, as hackers become more skilled, they are now finding creative ways to circumvent MFA, and they are not hesitating to take advantage of these. In fact, they are using MFA fatigue as a way into your organisation.

In this post, Jason Trampevski, Field Chief Technology Officer at Sekuro, talks with Michael Warnock, Commercial Director at Daltrey, about the common state of identity risk.

Back in February 2022, organisations were warned by the Australian Cyber Security Centre (ACSC) that they needed to urgently adopt an enhanced cyber security posture. The US CISA and Federal Bureau of Investigation (FBI) released a joint advisory in March to warn organisations that MFA has been exploited in combination with known vulnerabilities to allow malicious hackers to obtain access to networks.

However, the notice then went on to say that MFA remains the most effective way to prevent an adversary from gaining access to a network or sensitive information. While MFA provides a strong sense of security, (keyword being sense) the reality is that hackers can still get around it. MFA needs to be enhanced and thought about differently for it to be effective again.

Hackers don’t hack, they log in.

Recent Australian breaches have shown us that no one is immune to cyber-attacks, and that the kill chain for many has been exploited through stolen credentials procured via the dark web, SMS intercept, MFA fatigue or human error. These breaches clearly demonstrate that hackers have become very creative as cyber-attacks start to outrun organisations’ current cyber defences. It is illogical to think that hackers have not found a way around MFA.

Credential theft remains the most effective tool in the hacker’s arsenal

In the Data Breach Investigations Report by Verizon, it was found that 80 percent of cyber risk stems from weak or stolen credentials. “That statistic has been fairly consistent for the last five years, and that tells me we haven’t really thought too much about this,” Michael remarked. “MFA has been a bit of a set and forget, ‘I’ve got control’. However, hackers are always looking for a modernised attack vector and they are now using MFA spoofing to get access to critical data assets. So, there is a need to look at how we ensure an additional guarantee that the person sitting in front of the machine is who they say they are.”

“Once you bypass MFA and compromise the credentials, you’re in, a pot of gold awaits. There is nothing further to verify that you are the person in front of the computer or the device,” Jason explained.

The government is now recommending the gold standard of MFA security controls within the ASD Essential Eight guidelines, highlighting the need for impersonation resistant authentication.

Impersonation resistant MFA

There is still a need for MFA, but the problem is right now is that the traditional approach is broken. With stolen credentials, it provides an easeful doorway into your organisation. Hackers continue to innovate their MFA attack techniques. Therefore, organisations need to continue to innovate as well.

Just like compliance, it is not enough to just check off the boxes with MFA. Organisations need to constantly evolve their cyber security defences, thinking ahead to ensure they are mitigating one of the major cyber risks from their operations.

The ASD Essential Eight recommends in their level 3 maturity level that: Multi-factor authentication is verifier impersonation resistant and uses either: something users have and something users know, or something users have that is unlocked by something users know or are. 

By evolving your MFA controls to incorporate verifier impersonation resistant authentication, you safeguard the operation by knowing with confidence that the person logging in is the person the credential has been assigned to. Underpinning this control is the utilisation of biometrics.

Michael explained, “Why authenticate if you don’t know who is authenticating?”.

As each user’s biometrics are unique, this creates a frictionless experience to access the data sets they need to. Liveness detection at point of authentication steps up the security controls, preventing any attempts to spoof the authentication processes.

“Organisations should continue using MFA and further improve their security controls by also adding biometric authentication to protect users. This will make it more difficult for attackers to trick users into disclosing MFA codes or leveraging other methods such as technical interception. 

Typically, when we add layers to authentication such as MFA methods, it is usually a poor/frictional user experience. Biometrics, however, is a seamless user experience while not being easily breakable by an attacker. Organisations aren’t likely to meet a lot of resistance by their end users by augmenting existing MFA/Auth with biometrics that will increase the speed to deliver further security,” Jason explains.

If you would like to learn more about the ASD Essential Eight and verification impersonation resistant authentication, get in touch with Jason or your account manager. Learn more about frictionless Biometric Authentication at Daltrey.com

About the Authors

JASON TRAMPEVSKI

Field Chief Technology Officer (CTO), Sekuro

Jason is an experienced technology leader and evangelist, with a passion for innovation and creating business value through technology. He leads, advises and consults across a broad range of clients, including ASX-listed companies, government agencies, and household brands. As Field CTO at Sekuro, Jason helps our clients transform their digital and security postures, co-innovating with our global, best-of-breed vendor partners to design and architect fully integrated solutions.

Michael Warnock

Commercial Director, Daltrey

After more than 25 years in local and international sales, Michael has extensive hands-on experience across the cyber security, cloud, data and telecommunications sectors, driving key partnerships and strong government relationships.

Scroll to Top