Attackers have developed various methods to bypass multi-factor authentication instead of directly cracking it. But there are ways to protect yourself from this.
Multi-factor authentication (MFA) is considered the best way to secure logins to business applications and services. As this blog post "Why even multi-factor authentication is vulnerable" shows, even MFA solutions do not offer 100% security.
This is not about vulnerabilities in multi-factor authentication itself. It still provides solid protection against cyber attackers. The problem is that it is relatively easy to get around. For example, criminals infiltrate employee devices with malware and steal the session cookies stored there, or they lure users to proxy sites that intercept those cookies in transit. Or they bombard users with MFA requests until one of them is accepted. None of these methods cracks the MFA directly, but each of them circumvents it.
The attacks described and other methods not yet known are not reason enough to give up on multi-factor authentication. It is worth remembering that MFA is not an antidote against cyber attacks - it requires correct implementation.
Even the first factor (the password) can cause problems. Usernames and passwords provide at least rudimentary protection. However, passwords must not be easy to guess or crack even when MFA is activated. A different secure password should be used for each service. Since hardly anyone can remember secure passwords, it is advisable to use a password manager. Which one you choose is up to you. The basic functions for managing and creating secure passwords are largely identical for all of them.
Not all MFA is the same. There are many different methods of integrating a second factor. The easiest way is to send MFA codes via SMS to employees’ cell phones. However, SMS is not the best choice, even though it usually requires no additional hardware or software. Text messages are linked to a telephone number rather than a specific device. This enables so-called SIM-swapping (simjacking) attacks.
Since mobile phones or SIM cards can be lost or stolen, every mobile phone provider offers the option of porting a phone number to another device. Attackers abuse this to gain control of a phone number, at least for a short time. They then intercept the MFA codes sent by SMS. SMS codes are considered the least secure MFA method. However, they are still better than dispensing with multi-factor authentication altogether.
Some providers offer their own smartphone apps as a second factor. For example, Microsoft sometimes displays a two-digit number when a user logs into the Outlook servers, which the user must confirm in the Authenticator app on their mobile phone. Microsoft does not disclose which authentication method is used. Users must trust Microsoft to implement the system securely and without vulnerabilities. Given the recently stolen master key for the Microsoft cloud, this is not always easy.
Security experts also warn that such procedures make users too accustomed to simply confirming login requests when they are prompted. If an attacker uses a fatigue attack against them, there is a risk that they will confirm the request out of pure habit.
Better protection is provided by the TOTP (Time-based One-time Password) method, which NCP also supports with its Authenticator app. The app generates a code that is only valid for a short time, which the user must enter after their username and password when logging in. Unlike passwords, these codes only work once. They therefore lose their validity immediately after they are used. As the server and client share a single secret in this procedure, it must be specially protected. Otherwise, an attacker gaining access to the secret could also generate corresponding TOTP codes.
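As an added illustration (not code from this post or from NCP's Authenticator app), here is a minimal RFC 6238 TOTP in Go together with a server-side verifier that enforces the one-time property by remembering the last accepted time step. The shared secret is the RFC 6238 test-vector secret, used here only as constructed demo input.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// totp is RFC 6238 with the common defaults: HMAC-SHA1 over the 30-second
// time-step counter, RFC 4226 dynamic truncation, six decimal digits.
func totp(secret []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	code := binary.BigEndian.Uint32(h[h[19]&0x0f:][:4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// Verifier is the server side. It holds the same shared secret as the user's app
// (which is why that secret needs protecting) and rejects already-used codes.
type Verifier struct {
	secret       []byte
	lastAccepted uint64 // time-step counter of the most recently accepted code
}

// Verify accepts the current step or the previous one (clock skew), but
// never a step at or below the one already consumed.
func (v *Verifier) Verify(code string, now int64) bool {
	for _, t := range []int64{now, now - 30} {
		step := uint64(t / 30)
		if step <= v.lastAccepted {
			continue
		}
		if hmac.Equal([]byte(totp(v.secret, t)), []byte(code)) {
			v.lastAccepted = step
			return true
		}
	}
	return false
}

func main() {
	v := &Verifier{secret: []byte("12345678901234567890")} // RFC 6238 test secret, demo only
	code := totp(v.secret, time.Now().Unix())              // what the user's app would display
	fmt.Println(v.Verify(code, time.Now().Unix()), v.Verify(code, time.Now().Unix())) // prints true false
}
```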
The FIDO2 method uses asymmetric cryptography with a public and a private key. While the public key is stored on the server, the private key exists only on the user's hardware. The user is authenticated on the server via a challenge-response procedure. The domain of the server is also taken into account, so that phishing attacks with minimally changed domain names no longer work. The new passkeys also use this method in a slightly modified form.
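An added example, not from this post or from any FIDO2 library, that models the origin binding in Go: the authenticator signs the server's challenge together with the origin the browser actually loaded, and the server rejects the assertion when that origin is a lookalike domain even though the signature itself is valid. The client data is simplified from real WebAuthn (authenticator data is omitted) and the origins are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData is what gets signed: the challenge plus the origin the browser loaded.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}
type Authenticator struct{ priv ed25519.PrivateKey } // hardware key; private key never leaves it
type RelyingParty struct {                            // the server: only the public key and its own origin
	Origin string
	pub    ed25519.PublicKey
}

// Register creates the key pair and hands the server the public half.
func Register(origin string) (Authenticator, RelyingParty) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return Authenticator{priv}, RelyingParty{origin, pub}
}

// Assert signs SHA-256(clientData) for whatever origin the browser reports.
func (a Authenticator) Assert(challenge []byte, origin string) (cd, sig []byte) {
	cd, _ = json.Marshal(clientData{challenge, origin})
	h := sha256.Sum256(cd)
	return cd, ed25519.Sign(a.priv, h[:])
}

// Verify succeeds only if the signature is valid AND the signed data carries
// this server's challenge and this server's exact origin, not a lookalike.
func (rp RelyingParty) Verify(challenge, cd, sig []byte) bool {
	var c clientData
	if json.Unmarshal(cd, &c) != nil || string(c.Challenge) != string(challenge) || c.Origin != rp.Origin {
		return false
	}
	h := sha256.Sum256(cd)
	return ed25519.Verify(rp.pub, h[:], sig)
}

func main() {
	auth, rp := Register("https://login.example.com")
	challenge := []byte("constructed challenge; 32 random bytes in practice")
	cd, sig := auth.Assert(challenge, "https://login-example.com") // lookalike domain
	fmt.Println("lookalike accepted:", rp.Verify(challenge, cd, sig)) // prints false
}
```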
Even the most secure MFA method cannot prevent an attacker from stealing the user's session cookies and gaining access to third-party services. Therefore, every user should get in the habit of clicking on the logout button after using a sensitive service. This means that any stolen session cookies also lose their validity.
Multi-factor authentication provides high, but not 100% protection against cyberattacks. Every user must be aware of this. In addition, there are different approaches to MFA. But even the weakest method still offers more protection than the complete abandonment of MFA and the exclusive use of passwords.