For years, enterprise IT and security operations have been told they need to advance beyond texting short numeric strings in plain text and calling it meaningful Multi-Factor Authentication (MFA) or even just Two-Factor Authentication (2FA). It is stunning how many enterprises still cling to that entry-level security sham, even knowing how subject it is to man-in-the-middle attacks.
As for the oft-cited defense that, “it’s better than having no MFA at all,” I am not so sure. It provides false comfort to enterprise users that they have meaningful security. That prevents companies from quickly deploying truly robust security, such as an MFA that uses several authentication layers, including voice-recognition, facial- or finger-ID courtesy of the ubiquitous smartphone and almost any of the mobile encrypted authentication apps. (Don’t forget that Signal can work well, too.)
Microsoft recently opted to state the obvious and then undermined its own credibility by really making it all about Microsoft Authenticator and Windows Hello. There’s nothing like laying out a coherent argument and then ruining it by saying “Therefore, you should download my app,” or “Send me your money.”
That said, if you ignore the blatant and self-serving sales pitch, Microsoft’s director of identity security, Alex Weinert, makes a good argument.
Weinert stressed the weaknesses of the publicly switched telephone networks (PSTN) and then argued that it’s frighteningly used in many places.
“It’s worth noting that every mechanism to exploit a credential can be used on PSTN – OTP. Phish? Check. Social? Check. Account takeover? Check. Device theft? Check. Your PSTN account has all the vulnerabilities of every other authenticator and a host of other issues specific to PSTN,” Weinert wrote. “Because so many devices rely on receiving PSTN messages, the format of the messages is limited.
“We can’t make the messages richer, or longer, or do much of anything beyond sending the OTP in a short text message or a phone call. One of the significant advantages of services is that we can adapt to user experience expectations, technical advances, and attacker behavior in real-time. Unfortunately, the SMS and voice formats aren’t adaptable, so the experiences and opportunities for innovations in usability and security are very limited.”
That is absolutely correct. Put another way: all of these efforts are horrible security and the maturity of PSTN is such that it can’t be made any better.
It’s important to assume that any authentication interactions are the result of a prior compromise. If you operate on the premise that all entry attempts are bad guys leveraging credentials (or credential and user information) stolen in a phishing attack, you will be much better off and it will be obvious why unencrypted texts are unacceptable in 2021. (Truth be told, they’ve been unacceptable for about five years, but let’s try and be nice.)
The beauty of details shared via an encrypted app or information gathered through biometrics is that it is information that a phishing attack is very unlikely to gather.
But are there not ways around biometrics, such as plastic models that can fool the system? Absolutely. But those efforts are time-consuming — and professional cyberthieves are all about efficiency. Yes, there are some limitations to all of these approaches. That’s why I stress the “M” in MFA. Multi. An enterprise’s security is based on how many mobile authentication methods can be stacked. One enterprise I have talked with uses facial recognition to log in, but then uses an encrypted app to continue authentication, topped by voice-recognition if the person has to talk with someone.
The more layers, the more security. Maybe a bad guy can leverage a flaw in one of those layers, but all of them? Not likely.