Two-Factor Authentication (2FA) is dead. Long live Multi-Factor Authentication (MFA)! For years, many have considered 2FA to be synonymous with MFA, but in reality, they are very different entities.
Having two distinct forms of authentication, such as something you know (like a password) and something you have (like a token or a cellphone), can still leave your organization vulnerable to a particularly nasty Denial of Service (DoS) situation.
The Problem
Let me illustrate this with the industry-leading Cisco Secure Client, also known as AnyConnect, which is used for remote connectivity through a VPN connection; many other remote access tools have the same problem, and this isn't unique to Cisco.
A Hacker's Mindset
Figuring out a username for email, remote access, or VPN is relatively easy, as most organizations use a format along the lines of: First Initial, Last Name, @ company domain. A hacker can go onto LinkedIn, look at the company they want to target, and find a user by their profile and position.
Even for security-mature organizations that use more complicated usernames (not based on First / Last names, etc.), it's easy to figure out the username by looking at the headers in an email message. This is a little extra work for the hacker but not an insurmountable hurdle if they can get a hold of an email message.
With a victim's username, the hacker will now attempt to break into the Cisco Secure Client login portal on the firewall using a dictionary attack against the victim's account. Multiple failed login attempts lead to the user's account being locked, frustrating the user and wasting your service desk's time resetting the account.
After this happens a few times, you might adjust your security settings so that lock-outs only occur after a failed 2FA attempt, but that isn't easy to do with the firewall used with Cisco Secure Client and requires you to make changes in your backend user directory. In response to this, a hacker might social engineer a way to get the user's password. Alternatively, the user could have poor password hygiene and have reused a password from a compromised website. The hacker now gets lucky by using a list of compromised passwords they bought off the dark web.
Even if the user doesn't respond to a push login request or doesn't enter a One-Time Password (OTP) when prompted, the hacker still learns that they now have a working password. How? Because the denial message takes noticeably longer to come back when the password was correct: the system is waiting on the second factor before it denies the login.
Most of us know where this is going; the hacker is persistent in their login attempts. After being continuously prompted, either the victim end-user makes a mistake on a push message (known as "2FA fatigue") or becomes so paranoid about using anything themselves, because their user account is under attack, that they suffer a self-inflicted DoS until someone on the help desk can reassure them that everything is okay. Ask yourself: is your help desk staffed and trained to handle that type of call?
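The pattern described above (a burst of password failures driving an account to lockout, then repeated push prompts that the user times out on or denies, then one approval) is visible in the VPN authentication log long before the help desk gets the call. The following is an added example, not code from the article or from Cisco: it parses a handful of constructed log lines in a simplified generic format (not the ASA/FTD syslog format) and raises three findings per account: lockout pressure (five or more password failures in ten minutes), second-factor pressure (push prompts that were not approved), and a fatigue approval (an approval shortly after unapproved prompts). The thresholds and the field names are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified, generic VPN auth-log format
# (not Cisco's syslog format). Fields: timestamp, user, source IP, stage, result.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z user=jsmith src=203.0.113.7 stage=password result=fail
2024-03-01T08:00:03Z user=jsmith src=203.0.113.7 stage=password result=fail
2024-03-01T08:00:05Z user=jsmith src=203.0.113.7 stage=password result=fail
2024-03-01T08:00:07Z user=jsmith src=203.0.113.7 stage=password result=fail
2024-03-01T08:00:09Z user=jsmith src=203.0.113.7 stage=password result=fail
2024-03-01T08:00:11Z user=jsmith src=203.0.113.7 stage=password result=lockout
2024-03-01T08:30:00Z user=jsmith src=203.0.113.7 stage=password result=ok
2024-03-01T08:30:00Z user=jsmith src=203.0.113.7 stage=push result=timeout
2024-03-01T08:31:00Z user=jsmith src=203.0.113.7 stage=password result=ok
2024-03-01T08:31:00Z user=jsmith src=203.0.113.7 stage=push result=denied
2024-03-01T08:32:00Z user=jsmith src=203.0.113.7 stage=password result=ok
2024-03-01T08:32:00Z user=jsmith src=203.0.113.7 stage=push result=ok
2024-03-01T09:00:00Z user=adoe src=198.51.100.4 stage=password result=fail
2024-03-01T09:00:10Z user=adoe src=198.51.100.4 stage=password result=ok
2024-03-01T09:00:10Z user=adoe src=198.51.100.4 stage=push result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"stage=(?P<stage>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Per-account findings for lockout pressure, push pressure and push fatigue."""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    for user in sorted(by_user):
        evs = sorted(by_user[user], key=lambda e: e["ts"])

        # 1. Lockout pressure: fail_threshold or more password failures inside one window.
        fail_times = [e["ts"] for e in evs
                      if e["stage"] == "password" and e["result"] in ("fail", "lockout")]
        for i, start in enumerate(fail_times):
            in_window = [t for t in fail_times[i:] if t - start <= window]
            if len(in_window) >= fail_threshold:
                findings.append({"user": user, "type": "lockout_pressure",
                                 "count": len(in_window), "first": start.isoformat()})
                break

        # 2. Second-factor pressure: the password is accepted but the push is not approved.
        pushes = [e for e in evs if e["stage"] == "push"]
        not_ok = [e for e in pushes if e["result"] != "ok"]
        if not_ok:
            findings.append({"user": user, "type": "second_factor_pressure",
                             "count": len(not_ok)})

        # 3. Fatigue approval: an approved push within the window after unapproved ones.
        for p in pushes:
            if p["result"] == "ok" and any(
                q["result"] != "ok" and timedelta(0) <= p["ts"] - q["ts"] <= window
                for q in pushes
            ):
                findings.append({"user": user, "type": "fatigue_approval",
                                 "at": p["ts"].isoformat()})
                break
    return findings


def analyze(log_text=SAMPLE_LOG):
    return detect(parse(log_text))


if __name__ == "__main__":
    for f in analyze():
        print(f)
```

On the constructed sample, only jsmith trips the detectors: adoe's single typo followed by a clean approval produces nothing, which is the point of the thresholds. In a real deployment the same three findings map naturally to a help-desk ticket opened automatically, before the user calls.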
The Solution
One of the most overlooked security best practices is Defense in Depth. Go back to the basics and use signing with certificates. No different from using key pairs with protocols like Secure Shell (SSH), we sign (trust) the devices that users are allowed to log in from and only allow those devices to attempt logins.
Here is the Multi-Factor Authentication process:
While I mention the Cisco Secure Client, this same process and framework can be used for Secure Access Service Edge (SASE), Outlook Web Access Portals, or just about any other remote access method that a user has at their disposal.
SASE typically includes a client application installed which will sign the user's machine, but that machine should still have 2FA protection to log in. Implementing certificates/signing without 2FA still leaves your organization vulnerable to compromised machines, but signing certificates along with using 2FA Push is now the recommended minimum security posture for organizations.
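The ordering of the three checks is what removes the Denial of Service. The following is an added example, not code from the article, from Cisco or from any SASE vendor: a toy login gate that admits a device only after it proves possession of an enrolled device key, then checks the password, then waits for the push approval, and counts lockouts only against failed second-factor attempts. Because the Python standard library has no certificate or asymmetric signing support, the device proof is an HMAC over a server challenge with a per-device enrolled secret; that is a stand-in for the certificate/key-pair signing the article recommends, not a replacement for it. Every stage returns the same "denied" string so the response text gives nothing away (the timing channel described earlier is a separate concern that this toy does not address). User names, passwords and device ids are constructed.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict


class AuthServer:
    """Toy remote-access gate: trusted device -> password -> push approval."""

    def __init__(self, push_handler, lockout_after=3):
        self.push_handler = push_handler          # callable(user) -> True if the user approves
        self.lockout_after = lockout_after        # lockout counts failed second factors only
        self.device_keys = {}                     # device_id -> enrolled secret (cert stand-in)
        self.passwords = {}                       # user -> (salt, pbkdf2 digest)
        self.failed_second_factor = defaultdict(int)
        self.locked = set()

    def enroll_device(self, device_id):
        """Enrolment stands in for issuing the device a certificate/key pair."""
        key = secrets.token_bytes(32)
        self.device_keys[device_id] = key
        return key

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self.passwords[user] = (salt, self._hash(password, salt))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def challenge(self):
        return secrets.token_bytes(16)

    def login(self, device_id, challenge, device_sig, user, password):
        # Gate 1: only an enrolled device that proves possession of its key gets further.
        key = self.device_keys.get(device_id)
        if key is None:
            return "denied"
        expected = hmac.new(key, challenge, "sha256").digest()
        if not hmac.compare_digest(expected, device_sig):
            return "denied"
        if user in self.locked:
            return "denied"
        # Gate 2: password. Unknown users are hashed against a dummy record so the
        # cost is the same; the dummy digest can never match.
        salt, digest = self.passwords.get(user, (b"\x00" * 16, b"\x00" * 32))
        if not hmac.compare_digest(self._hash(password, salt), digest):
            return "denied"
        # Gate 3: push approval. Only a denied or timed-out push counts toward lockout.
        if self.push_handler(user):
            self.failed_second_factor[user] = 0
            return "ok"
        self.failed_second_factor[user] += 1
        if self.failed_second_factor[user] >= self.lockout_after:
            self.locked.add(user)
        return "denied"


def sign_challenge(device_key, challenge):
    """Client side of the device proof (stand-in for signing with the device certificate)."""
    return hmac.new(device_key, challenge, "sha256").digest()


def demo():
    approvals = {"jsmith": True}                  # simulated push decisions per user
    srv = AuthServer(push_handler=lambda u: approvals.get(u, False))
    pw = "correct horse battery staple"           # constructed sample password
    srv.set_password("jsmith", pw)
    laptop_key = srv.enroll_device("jsmith-laptop")
    results = {}

    # An unenrolled device with the right password never reaches the password check,
    # so it can neither lock the account nor learn whether the password was right.
    c = srv.challenge()
    results["untrusted_device"] = srv.login("attacker-box", c, b"\x00" * 32, "jsmith", pw)

    c = srv.challenge()
    results["wrong_password"] = srv.login("jsmith-laptop", c, sign_challenge(laptop_key, c),
                                          "jsmith", "wrong")
    c = srv.challenge()
    results["approved"] = srv.login("jsmith-laptop", c, sign_challenge(laptop_key, c),
                                    "jsmith", pw)
    results["locked_after_password_failures"] = "jsmith" in srv.locked

    # Three unapproved pushes from the trusted device do lock the account.
    approvals["jsmith"] = False
    for _ in range(3):
        c = srv.challenge()
        srv.login("jsmith-laptop", c, sign_challenge(laptop_key, c), "jsmith", pw)
    results["locked_after_denied_pushes"] = "jsmith" in srv.locked
    approvals["jsmith"] = True
    c = srv.challenge()
    results["after_lockout"] = srv.login("jsmith-laptop", c, sign_challenge(laptop_key, c),
                                         "jsmith", pw)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design point is the first gate: an attacker who only has a username and a bought password list is stopped before the password store is ever consulted, which is exactly the step that caused both the lockout DoS and the push fatigue. Password failures from a trusted device are still worth logging and throttling in a real system; the toy leaves that out.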
Security for organizations needs to be constantly reviewed and updated, because there is so much easy money to be made that hackers will keep evading our detection and evolving their techniques; they can make a very decent living just targeting the low-hanging fruit — sorry, poorly defended organizations — on the Internet.
Stop using 2FA and adopt MFA, because “Two can be as bad as one, it’s the loneliest number since the number one.”
The biggest piece of advice I can give to any business owner right now is not to become complacent and make sure your MSP stays on top of trends in the industry — if they keep telling you that your organization must do more, then they are doing their job. The second they tell you that your organization is completely safe and secure, it is time to find a new provider.