Hardening Measures for Multi-Factor Authentications

Nowadays, authentication is a key component of every system. It checks to see if a person really is who they say they are. Passwords are used for basic authentication, but Multi-Factor Authentication (MFA) has long been regarded as a standard and a "must have" because it provides additional security. MFA can be implemented and utilized in a variety of ways, including SMS, software apps, physical tokens, biometrics, and more.

App-based methods are being adopted as a safer way of authenticating users than SMS or phone calls, since not everyone is familiar with tokens or biometrics as a means of performing MFA. According to Microsoft, this trend is growing.

One-Time Passwords (OTP) are necessary for the fundamental operation of MFA. To generate OTPs, software applications like Authy and Microsoft Authenticator use keyed cryptographic hash constructions such as the Hash-based Message Authentication Code (HMAC). These OTPs typically consist of a six-digit number that is calculated from a timestamp and a secret key.

Two out of the three factors are required in order to use a Multi-Factor Authentication system.

These are the factors:
a) Something you know: The use of a password or passphrase, a PIN, or the responses to secret questions (challenge-response) are the foundations of this factor. It involves confirming information supplied by the user.
b) Something you have: This can be a token device, a smartcard, an email account, a phone number, or a mobile phone combined with an OTP software application. It involves verifying the authenticity of an item that the user possesses.
c) Something you are: a retina or iris scan, a fingerprint, or voice or facial recognition. This method involves confirming the individual's inherent characteristics.

The following five steps will make corporate MFA more effective in light of its core principles. The actions are based on current best practices and on contemporary forms of abuse used by adversaries.

1. Disable the MFA Default Configuration for SMS texts 

SMS-based MFA is frequently used because it is simple to set up and only needs a phone number to send the OTP. Organizations like NIST and Microsoft, which consider out-of-band SMS authentication to be the weakest form of MFA, have been increasingly advising against its use.

This kind of MFA is vulnerable to SIM swapping, does not rely on encryption, can be intercepted using software-defined radios, femtocells or SS7 interception services, is phishable and can be brute-forced.

It is strongly suggested that physical tokens, biometrics, or software-based apps be used as forms of authentication.

2. Block Pop-Ups to Prevent MFA Fatigue Attack (MFA Bypass)

Threat actors, such as the Lapsus$ group, have recently begun looking for ways to compromise what ought to be a practice that improves security, such as app-based authentication. Utilizing "MFA Fatigue," threat actors have successfully compromised accounts by spamming and bombing push notifications after obtaining legitimate credentials.

Due to various business models encouraging remote work and allowing Virtual Private Network (VPN) access to internal resources, the number of overwhelming mobile pop-ups and notifications has increased since Covid-19.

Despite everything that has been said, the attack succeeds not because of a flaw in the technology but because of the human condition of being constantly exposed to a large number of notifications. Users who are agitated are more likely to accept notifications just to make them go away. Many MFA users are unfamiliar with this attack because it has only recently been exploited, and in some cases it results in the approval of fraudulent notifications.
Disabling pop-up notifications is recommended.

3. Block User Account After Multiple MFA Denials

Nowadays, the majority of compromised accounts are the result of credential stuffing attacks and of passwords obtained from data breaches. Given that MFA is software-based, SMS-based, or both, threat actors may brute-force the OTP authentication.

Security controls configured to prevent OTP authentication abuse are, however, uncommon. Whenever possible, every account should be set up to block, or to start the password recovery procedure, after a predetermined number of MFA rejections.

Brute-force, phishing, and malware on the victim's device are all possibilities with app-based MFA.

A necessary rule in this setting is a maximum number of MFA denials.

4. Block Access By Location 

Authentication should not be allowed from foreign countries that are not normally used for daily work. For instance, if no restrictions were in place, a threat actor who obtained two credentials from a data breach and then compromised the victim's account using the MFA Fatigue attack would not have to worry about his location, no matter how far away it may be.

When accesses are consistently blocked by location, the number of authentications that can be performed is reduced, which in turn reduces the attack surface.

In conclusion, enabling authentication should only be done for countries where daily work is known to occur. The company should block authentications from countries that it does not consider to be legitimate.
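The two controls from steps 3 and 4 (a cap on MFA denials and a per-country allowlist) can be checked from authentication logs. Here is an added example in Python (not the post's own code) that runs both checks over a few constructed log lines; the log format, field names and the allowed-country set are assumptions for the demo and would be adapted to the real identity provider's log schema.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> user=<id> mfa=<approved|denied> country=<cc>".
SAMPLE_LOG = """\
2023-01-10T08:00:01Z user=alice mfa=denied country=DE
2023-01-10T08:00:09Z user=alice mfa=denied country=DE
2023-01-10T08:00:20Z user=alice mfa=denied country=DE
2023-01-10T08:00:31Z user=alice mfa=denied country=DE
2023-01-10T08:00:40Z user=alice mfa=denied country=DE
2023-01-10T08:02:00Z user=bob mfa=denied country=FR
2023-01-10T09:30:00Z user=bob mfa=approved country=FR
2023-01-10T09:31:00Z user=carol mfa=approved country=XX
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) mfa=(\S+) country=(\S+)$")
ALLOWED_COUNTRIES = {"DE", "FR"}   # assumption: the countries where daily work happens


def evaluate(log_text, max_denials=5, window=timedelta(minutes=10)):
    """Return (locked_users, geo_blocked). A user is locked once `max_denials` MFA
    denials fall inside any sliding `window`; any attempt from a country outside the
    allowlist is rejected before it can count toward MFA at all."""
    recent = defaultdict(deque)          # per-user timestamps of recent denials
    locked, geo_blocked = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # skip lines that do not fit the schema
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        user, result, country = m.group(2), m.group(3), m.group(4)
        if country not in ALLOWED_COUNTRIES:
            geo_blocked.append((user, country))
            continue
        if result == "denied":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:   # drop denials older than the window
                q.popleft()
            if len(q) >= max_denials:
                locked.add(user)
    return locked, geo_blocked


if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG))
```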

5. Configure Biometric or Physical Token Authentication 

The FIDO U2F protocol is used for both biometric and physical-token authentication. The protocol is intended to strengthen username/password-based login flows as a second factor. It uses public-key cryptography, which means that a new key pair is generated for each service used, allowing for an unlimited number of services while keeping them completely separate for privacy's sake.
