Can multifactor authentication protect your company?
By Ján Lunter, Founder and CEO at Innovatrics
“Multifactor authentication (MFA) can end all attacks.” That has been the tech industry’s password-security mantra in recent years, and it grew stronger as the strengths of MFA technology were praised across all leading sectors.
In 2019, Microsoft, which was seeing more than 300 million fraudulent sign-in attempts in its cloud environment every day, stated that MFA could prevent 99.9 percent of all breaches. Even the U.S. Deputy National Security Advisor for Cyber and Emerging Technologies, Anne Neuberger, and all Federal government agencies followed the MFA trend.
“A number of … (tech) executives pointed to multifactor authentication as preventing 80 to 90 percent of cyberattacks,” Neuberger said during a September 2021 White House press conference. Consequently, the inevitable MFA tech rollout spread through the world, reaching every industry and every consumer. And with the new passwordless future and the FIDO Alliance passkeys, MFA leveled up.
Today, almost everyone uses MFA technology every day, multiple times a day. But despite all the momentum, the number of authentication breaches has not decreased. In fact, cybercriminals are bypassing MFA with techniques that are so simple that they put into question the entire security endeavor.
How cybercriminals bypass MFAs
The Expel Quarterly Threat Report, Q3-2022, reveals that identity continues to be the new endpoint for attacks and shows no sign of slowing down. Almost 60 percent of all breaches involved identity attacks, the report says.
Criminals bypass MFA by using U.S. IP addresses and turning to a technique called MFA fatigue. In an MFA fatigue attack, attackers try to create confusion and wear down a victim’s security posture by flooding them with MFA push notifications. Eventually, users give in because they believe something in the system is not working properly.
Cloud access identity providers, like Okta, Ping Identity, or OneLogin, are used heavily by companies because they provide a more convenient single sign-on (SSO) experience for employees. But the Expel report says that exposure increases when attackers only need to obtain one credential instead of a separate one for each system they want to reach.
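The MFA fatigue pattern described above is detectable on the defender’s side from push-notification logs: a burst of denied or timed-out prompts for one user, especially when it ends in an approval. The following is an added example, not code from the article or from any vendor mentioned in it; the log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample push-notification log (not from the article): one line per
# MFA push prompt, formatted as "timestamp user result source_ip".
SAMPLE_LOG = """\
2022-10-03T08:01:10 alice denied 203.0.113.5
2022-10-03T08:01:40 alice timeout 203.0.113.5
2022-10-03T08:02:05 alice denied 203.0.113.5
2022-10-03T08:02:50 alice denied 203.0.113.5
2022-10-03T08:03:30 alice approved 203.0.113.5
2022-10-03T08:15:00 bob approved 198.51.100.7
2022-10-03T17:02:00 bob approved 198.51.100.7
"""

BURST_THRESHOLD = 3          # assumed: unapproved prompts before we call it a burst
WINDOW = timedelta(minutes=10)  # assumed: sliding window for counting prompts


def parse_log(text):
    """Parse the assumed log format into (timestamp, user, result, ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, result, ip))
    return events


def find_fatigue_bursts(events):
    """Return {user: verdict} for users whose push prompts look like MFA fatigue.

    'burst' means a flood of unapproved pushes within WINDOW;
    'burst_then_approved' means the flood was followed by an approval,
    i.e. the user most likely gave in and the session should be reviewed.
    """
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)
    verdicts = {}
    for user, evs in by_user.items():
        window = []  # timestamps of unapproved prompts within WINDOW of the current one
        for ts, _, result, _ in evs:
            window = [t for t in window if ts - t <= WINDOW]
            if result != "approved":
                window.append(ts)
                if len(window) >= BURST_THRESHOLD:
                    verdicts[user] = "burst"
            elif len(window) >= BURST_THRESHOLD:
                verdicts[user] = "burst_then_approved"
    return verdicts
```

A real deployment would feed this from the identity provider’s push-event export and alert on either verdict; the approval-after-burst case is the one worth treating as a probable compromise.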
Pairing biometrics with MFA to increase security
MFA by itself is no longer considered the ultimate security authentication solution. New approaches that verify other types of data, such as machine learning models that can predict normal patterns for each user (for example, how a person types, location, and other behavior), are being considered as new solutions. While some security experts urge companies to switch from MFA push notifications to PINs, others argue in favor of biometric technology.
The reality is that password malware has evolved rapidly. Modern brute force attacks can guess hundreds of thousands of passwords in just minutes and can easily breach username/password combinations. Additionally, social engineering is at an all-time high, with users tricked by hackers into voluntarily handing over top-level credentials. SMS codes can be spoofed, devices can be physically accessed or stolen, and USB keys can be lost.
Biometric factors offer a reasonable tradeoff. They cannot be stolen, are widely supported, and people have them with them all the time. Liveness detection, or periodic checks that a specific face is in front of the device, can close device-specific attack avenues and prevent breach attempts. Additionally, biometrics leave a digital trace of the real perpetrator and their unsuccessful login attempts, which makes forensics and incident investigation easier and faster.
Biometrics also face challenges: they are not 100 percent accurate, their databases contain sensitive personal information, and managing them is bound by data protection laws. Additionally, developing biometrics requires companies to master AI and machine learning model development, training, testing, maintenance, and operation.
However, as biometrics-as-a-service becomes more common and cloud vendors begin to incorporate built-in biometric features that any organization can access, biometrics is positioned as the most robust security element MFA has ever had.
The ever-evolving cyber threat environment has always been a great teacher. The lessons bad actors present to the world are challengingly complex. The MFA industry must learn and learn fast, adapt, and evolve. Additional layers of security are essential today. Paired with MFA, biometrics can increase your company’s security.
About the author
Jan Lunter is Co-founder and CEO of Innovatrics, which has been developing and providing fingerprint recognition solutions since 2004. Jan is the author of the algorithm for fingerprint analysis and recognition, which regularly ranks among the top in prestigious comparison tests (NIST PFT II, NIST Minex). In recent years he has also been working on image processing and the use of neural networks for face recognition.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.