Identity is the Key to SaaS Security, and You Need a Better Lock
Recent hacks at Uber, American Airlines and Rockstar Games (makers of Grand Theft Auto) have been attributed to well-known attack vectors that exploit known weaknesses in multi-factor authentication (MFA). These techniques include MFA fatigue, phishing and social engineering; Axiad looked at how they were used in a previous blog focused on the Cisco data breach. The fact that repeated breaches trace back to the same attack vectors, exploited over and over again, illustrates the need for better keys and locks for identity. In this blog, we’ll look at how identity provides the key and what locks are available to move towards better methods of MFA.
Identity – User’s Key
Gone are the days when a network perimeter and physical security could serve as the first line of defense. When users log into their work applications, such as email, ERP systems or Office, they do so from a variety of devices and systems, and the type of MFA implemented has to meet the users where they are – on all applications and devices – to be effective. Identity is the key to security for cloud-based systems. Applications need to be able to identify a user through an authentication exchange before allowing them to unlock access to different applications and devices. Implementing MFA allows organizations to add better, more complex locks to this process. However, not all MFA locks are created equal.
Mobile Push – Easy to Install MFA Lock
Providing a consistent MFA lock that works across all scenarios is a difficult task. That difficulty made the mobile push app the “lock” of choice for many organizations. Mobile push apps are easy to deploy – the user has a phone, they download an app from the MFA provider and are prompted to approve an authentication event on their phone. Easy. However, the convenience and ubiquity of the implementation come at a cost: push apps, while better than nothing, introduce some important security flaws. This means that mobile push MFA is a lock that is easy to install but also easy to bypass.
Push apps are hosted on a user’s phone. Users are people, after all, and they want to be able to use their phones when they need to. When the phone is inundated with unknown push requests issued by an attacker, it’s only a matter of time before users just want to make the notifications stop. Even savvy users who can ignore the unwanted push requests might fall victim to a social engineering scheme where the attackers pose as IT or help desk personnel and request that the user approve the push requests to fix an issue and stop the notifications. At this point, psychology kicks in. The user wants their phone back, and the attacker’s request may seem like a reasonable way of achieving this. Unfortunately, no amount of security training will counteract this scenario. Fortunately, better locks are available.
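The defender’s view of the scenario above, as an added example that is not part of the original post: detection logic that runs over a constructed push-notification log and flags a burst of prompts to one user, noting whether an approval followed the burst. The log format, field names, thresholds and user names are assumptions, not a specific product’s format.

```javascript
// Constructed sample MFA log (not from the post): one push event per line.
const SAMPLE_LOG = `
2024-05-01T09:00:05Z user=alice event=push_sent
2024-05-01T09:00:09Z user=alice event=push_approved
2024-05-01T21:10:00Z user=bob event=push_sent
2024-05-01T21:10:03Z user=bob event=push_denied
2024-05-01T21:10:20Z user=bob event=push_sent
2024-05-01T21:10:25Z user=bob event=push_denied
2024-05-01T21:10:40Z user=bob event=push_sent
2024-05-01T21:11:00Z user=bob event=push_sent
2024-05-01T21:11:30Z user=bob event=push_sent
2024-05-01T21:12:00Z user=bob event=push_sent
2024-05-01T21:12:10Z user=bob event=push_approved
`.trim().split('\n');

// Parse "<ISO timestamp> user=<name> event=<push_sent|push_denied|push_approved>" (assumed format).
function parseLine(line) {
  const m = /^(\S+) user=(\S+) event=(\S+)$/.exec(line.trim());
  return m ? { ts: Date.parse(m[1]) / 1000, user: m[2], event: m[3] } : null;
}

// Flag a user who receives more than maxPrompts push prompts inside a sliding window of
// windowSeconds, and record whether they eventually approved one: that is the fatigue
// outcome that should trigger a session revoke and a help-desk call, not just a log entry.
function findPushBombing(lines, windowSeconds = 300, maxPrompts = 3) {
  const byUser = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e) continue;
    if (!byUser.has(e.user)) byUser.set(e.user, { sent: [], alert: null });
    const s = byUser.get(e.user);
    if (e.event === 'push_sent') {
      s.sent.push(e.ts);
      while (s.sent.length && e.ts - s.sent[0] > windowSeconds) s.sent.shift(); // expire old prompts
      if (s.sent.length > maxPrompts) {
        s.alert = s.alert || { user: e.user, firstPromptAt: new Date(s.sent[0] * 1000).toISOString(), approvedAfterBurst: false };
        s.alert.prompts = s.sent.length;
      }
    } else if (e.event === 'push_approved' && s.alert) {
      s.alert.approvedAfterBurst = true;
    }
  }
  return [...byUser.values()].filter(s => s.alert).map(s => s.alert);
}

console.log(findPushBombing(SAMPLE_LOG)); // one alert for bob: 6 prompts in two minutes, then an approval
```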
Phishing-resistant MFA – The Top-secret Lock
We’ve all seen the movies where the hero is confronted by what seems like an impossible-to-crack door and must get to the other side. The locks may involve a PIN, a biometric sensor or a keycard, and they are always tricky for the hero to navigate. It’s the movies – the hero always finds a way in. Outside of the movies, these locks would be difficult or impossible to breach, and in our MFA scenario we’re focused on keeping the attackers out.
Phishing-resistant MFA is this complicated lock, and it is backed by asymmetric cryptography. The math keeps the lock and key in sync without the end user having to do anything. It also makes life difficult for an attacker: they can’t bombard the user with requests, because the process to unlock the door is initiated by the user. There is nothing to steal, as the math that keeps the key and lock in sync is useless outside of those two parties. This provides a simple, secure experience and a more advanced lock.
Moving Towards a Better Lock
Axiad Cloud provides all the tools necessary for organizations to upgrade their locks to a secure, phishing-resistant experience. Unlike many approaches that are done in silos across multiple authentication methods, identity types, use cases, and existing IAM systems, Axiad allows customers to enhance their authentication practices without the friction and risk of fragmented solutions. By delivering a complete and holistic solution, Axiad helps organizations systematically authenticate across all people, devices, and operating systems, regardless of underlying IT complexity. This integrated approach helps organizations become more phishing resistant, prevent ransomware attacks and account takeovers, and take a critical step forward in implementing Zero Trust.
You can also learn more about MFA overall by reading the Forrester report “Now Tech: Enterprise Multifactor Authentication Solutions, Q1 2022.”