Beyond MFA – Keeping your accounts secure

Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA) have both become key tools helping protect us from cyber threats. Requiring two or more verification steps to access an account adds a strong layer of security beyond just a password. However, even with its strengths, MFA and 2FA can still be vulnerable, especially when users approve sign-in requests without thinking about why they were prompted.

One common issue is “MFA fatigue” or “MFA spamming.” This happens when users get repeated MFA prompts and, out of habit or frustration, approve them without checking if they’re legitimate. Attackers take advantage of this by sending multiple authentication requests, hoping users will eventually approve one out of annoyance or confusion.

To combat this, MFA techniques have moved with the times – often we no longer simply approve a request via a tap on a mobile but now need to enter a code, either presented on the requesting device and typed into the MFA device or vice-versa.

This process is still fallible. We now face an “adversary-in-the-middle” (AiTM) mechanism which captures the victim’s authentication token, effectively bypassing the multi-factor authentication protection.

A common scenario involves receiving an email with a link that appears to be from a legitimate source – often an already compromised account, adding credibility to the request – suggesting a shared document is available. Clicking on the link presents a convincing-looking Microsoft sign-in page, which captures the user name and password. The bad actor then uses these credentials to log into the real Microsoft site, triggering a multi-factor authentication prompt. The prompt says, “Open your Authenticator app, and enter the number shown to sign in.” The attacker, who now knows the correct number, displays the same message on the original user’s screen. When the user enters the number, they unknowingly approve the login, giving the attacker full access to their Office 365 account, including data and emails.

To make MFA more secure, it is vital to educate users. We can also provide some extra safeguards.

Our standard device setup authenticates all standard Office apps including OneDrive, Teams and the Edge browser. We cache the user name and password securely within the browser so, if a page asks for the login details, there is already reason to pause and question the legitimacy of the request.

We provide training to teach users about the importance of checking MFA prompts and the dangers of blindly approving requests. Awareness campaigns and training can reduce the chances of successful MFA fatigue attacks.

Our SOC (Security Operations Centre) solution provides 24×7 monitoring by human experts. It won’t stop an end user from being tricked, but provides a level of monitoring which can detect unusual sign-in patterns, alerting us to potential threats before they cause serious damage.
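As an added illustration of the kind of monitoring described above (example code, not the SOC’s or this post’s own tooling), the script below runs two simple heuristics over a constructed sign-in log: a burst of MFA prompts to one user, the signature of MFA fatigue, and a successful sign-in from an IP address the user has never used, the trace a captured token replayed from attacker infrastructure can leave. The field names, event names, thresholds and sample events are all assumptions, not a real vendor log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, event, source_ip), sorted by time.
# Event names and fields are assumptions for this example, not a vendor's schema.
SAMPLE_LOG = [
    ("2024-05-01T09:00:05", "alice@example.com", "mfa_prompt",     "203.0.113.10"),
    ("2024-05-01T09:00:40", "alice@example.com", "mfa_prompt",     "203.0.113.10"),
    ("2024-05-01T09:01:10", "alice@example.com", "mfa_prompt",     "203.0.113.10"),
    ("2024-05-01T09:01:50", "alice@example.com", "mfa_prompt",     "203.0.113.10"),
    ("2024-05-01T09:02:30", "alice@example.com", "mfa_approved",   "203.0.113.10"),
    ("2024-05-01T09:02:31", "alice@example.com", "signin_success", "203.0.113.10"),
    ("2024-05-01T11:15:00", "bob@example.com",   "mfa_prompt",     "198.51.100.7"),
    ("2024-05-01T11:15:20", "bob@example.com",   "mfa_approved",   "198.51.100.7"),
    ("2024-05-01T11:15:21", "bob@example.com",   "signin_success", "198.51.100.7"),
]

# Constructed baseline: IP addresses each user has previously signed in from.
KNOWN_IPS = {
    "alice@example.com": {"198.51.100.7"},
    "bob@example.com": {"198.51.100.7"},
}

def parse(log):
    """Turn the raw tuples into (datetime, user, event, ip) records."""
    return [(datetime.fromisoformat(ts), u, ev, ip) for ts, u, ev, ip in log]

def detect_mfa_fatigue(log, threshold=4, window=timedelta(minutes=10)):
    """Return users who received >= threshold MFA prompts inside one sliding window.
    Repeated prompts the user did not initiate are the precursor to a fatigue approval."""
    recent, flagged = defaultdict(deque), set()
    for ts, user, event, _ in parse(log):
        if event != "mfa_prompt":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop prompts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(user)
    return sorted(flagged)

def detect_new_ip_success(log, known_ips):
    """Return successful sign-ins from an IP the user has never used before.
    After an AiTM capture the real sign-in is completed from the attacker's
    infrastructure, so the source IP differs from the user's usual addresses."""
    hits = []
    for ts, user, event, ip in parse(log):
        if event == "signin_success" and ip not in known_ips.get(user, set()):
            hits.append((user, ip, ts.isoformat()))
    return hits
```

Both heuristics are deliberately simple; a production SOC would combine them with device, geography and token-lifetime signals rather than alerting on either alone.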

Physical Key solutions – we can replace the MFA app solution with a physical USB device for many popular systems including Microsoft 365. The key is used to authenticate the requesting device via user interaction and a physical connection. This physical connection stops the bad actor’s attempts in their tracks, as the remote device cannot be authenticated.

To conclude, whilst MFA/2FA is a powerful tool for enhancing account security, it’s not perfect. The human element remains a critical vulnerability that attackers can exploit. We can provide training, monitoring and alternatives to help make your solutions even more secure.

For more information and help securing your systems, please contact us by calling 0118 976 7111 or emailing robert@vcisystems.co.uk
