Enable multifactor authentication everywhere it is feasible to do so. Where it’s not feasible, figure out how to do it anyway, for example by using an authenticated firewall in front of a device that doesn’t support MFA.
For many years, sophisticated adversaries have leveraged legitimate credentials in their attacks. At the same time, organizations have struggled mightily to get their employees to pick “strong” passwords through such clever devices as a password policy that includes a minimum length and a certain diversity of character types, giving rise to the infamous “Password1”. This problem holds true for server, network, and database administrators, too.
Three shifts in the threat landscape make multifactor authentication more important than ever:
- The number of ways that an adversary can obtain a password continues to grow, from mimikatz to hashcat.
- The techniques that were once the domain of sophisticated adversaries are diffusing into the broader cyber crime ecosystem, as we see with SamSam.
- The move to borderless IT (cloud, SaaS, and so on) means that the little safety nets our firewalls once provided are all but gone. Microsoft recently announced that it is deprecating passwords in favor of multifactor authentication on some of its cloud services, such as Azure Active Directory.
Multifactor authentication is not cutting edge. This is 2018. I first used a multifactor authenticated system in 1998 and it worked well back then.
Some gotchas to be aware of:
- As has been widely reported, SMS-based multifactor authentication is not advised due to numerous ways adversaries can defeat it.
- Any multifactor scheme that either keeps the second factor on (such as a certificate) or delivers the second factor to (such as an email) the computer being authenticated from is less than ideal, given that a major use case is one where the workstation is compromised. Adversaries can use certificates on the system along with a captured password to do their deeds.
- A common adversarial technique to get around multifactor authentication is the helpdesk. Be sure to develop a reasonably secure means of authenticating employees who are having trouble, and a way to provide an alternate means of authentication if, for example, someone loses their phone.
P.S. Authentication is pronounced Auth-en-ti-cation, not Auth-en-tif-ication. Thank you.
2 thoughts on “NCSAM Day 1: Multifactor Authentication”
Hi Jerry, Great post. I especially liked the fact that you addressed the HelpDesk issue. An alternate form of unauthorized authentication using the help desk is the best example of social engineering. Some account detail retrievals are as easy as just “name”+“DOB”+“address”. I mean, anyone can have that info.
BTW, are you missing a word in the first bullet, in this sentence “advised due to numerous was adversaries”, after “numerous”?
Thank you. “Was” should have been “ways”.