Content
In the previous article about preventing ATO (account takeover) attacks, we discussed the basics of ATO events: the two stages of an attack, the most common techniques that attackers use for ATO, and some types of anomalies that indicate an ATO might be underway. While standard web security tools such as a cloud web application firewall (WAF) can provide protection against a variety of attacks, today’s threat environment requires specific ATO prevention technologies as well.
As we continue this article series, we’ll now focus on methods and best practices for discouraging ATO attacks, and for defeating those that do occur. We’ll begin with a technique that is powerful, well-known, and yet (unfortunately) underutilized: multi-factor authentication (MFA).
MFA 101
Multi-factor authentication strengthens user account security by requiring multiple pieces of evidence that users are who they claim to be. Two-factor authentication (2FA), which relies on two inputs, is probably the most common form today. However, highly sensitive systems might use more than two factors for additional protection.
Acceptable “evidence” for MFA can be categorized into three forms:
- Knowledge: A user supplies a secret (e.g., a password) that only the user and the service should know.
- Possessions: The user possesses an asset such as an application that generates a token, or a phone that can receive messages or calls to a specific number.
- Inherent characteristic: This factor is something intrinsic to the user, which an attacker cannot easily acquire. Biometric technologies such as fingerprint sensors and face scanners are the most common inherent authentication methods.
Strictly speaking, MFA only means that authentication requires more than one factor, but not necessarily in different categories. For example, a web app might ask for two secrets (such as a password and also the answer to a specific question). However, in practice, this doesn’t improve security much; if the first secret is compromised, there’s a high chance that the second will be as well.
To get the most from MFA, there should be at least two factors from different categories. For example, if a user must enter a password, then supply a code from a security key, it’s highly unlikely an attacker will be able to simultaneously bypass both methods. Even if the password is compromised, an ATO will still be prevented by the attacker’s inability to supply a correct code.
MFA Mechanisms
In use, MFA will generally produce one or more security codes for users to authenticate themselves. There are several different common mechanisms for accomplishing this; it’s important to understand the strengths and weaknesses of each.
Codes Delivered via SMS
SMS is an old, but still popular, form of MFA. After a user enters a correct password, the service sends a text message containing a numeric OTP (one-time passcode) which must be entered to complete the authentication process.
SMS-based MFA is prevalent across the industry, but it is not a robust mechanism. For example, an ATO attacker can use SIM swapping to hijack the user’s phone number, and will then receive the verification codes that were intended for the legitimate user.
Consequently, organizations should not rely upon SMS MFA unless there is no better alternative available.
TOTP Generator Apps
Time-based one-time password (TOTP) apps such as Google Authenticator, Microsoft Authenticator, and Authy generate unique OTPs that are only valid for short periods of time. To be authenticated and allowed access to a server that supports one of these services, the user must utilize the app to generate a valid OTP and supply it to the server.
TOTP is more secure than SMS because there’s nothing for attackers to intercept. Each OTP is only valid for a short time, and codes can’t be generated without access to the shared secret key provided during setup. Successfully compromising the TOTP process requires physical access to the user’s device, a MitM attack, or infiltration of the server environment.
Mobile Push Notifications
Push notifications are used by some providers such as Google’s sign-in prompts on Android devices. Logging into an account sends a push notification to the user’s phone. Tapping the notification confirms the user’s identity, without requiring manual input of a code.
U2F Keys
Universal 2nd Factor (U2F) keys such as YubiKeys are dedicated USB devices for user verification. The device generates security codes without requiring SMS or TOTP. Users can authenticate to services that support U2F by pressing a button on the side of the device: a physical process that’s impossible for a remote hacker to perform. U2F is therefore both convenient and secure.
The FIDO2 Standard
FIDO2 is an industry standard that replaces passwords with public key cryptography. It seeks to establish a secure and consistent login experience for all websites and apps. Although FIDO (“Fast IDentity Online”) primarily focuses on passwordless access, it can also be used as an MFA method.
As described above, traditional MFA methods can greatly strengthen security, but many are still vulnerable to sophisticated phishing attacks. (A later article in this series will discuss these attacks, and best practices for defending against them.) FIDO’s goal is to support MFA methods that are resistant to phishing.
FIDO2 relies on the operating system’s authentication surfaces that are already familiar to users. These include features such as Apple Touch ID and Windows Hello. Users acknowledge authentication prompts with factors already configured on their devices. Developers can use platform-specific interfaces to request authentication in native apps, or call the WebAuthn API from websites.
Apple, Google, and Microsoft are all committed to integrating FIDO support into their respective platforms. As adoption expands, organizations will be able to replace SMS codes and standalone security keys with simple on-device authentication prompts.
MFA vs. Passwordless Authentication
Passwordless authentication is an adjacent topic to MFA. A passwordless system relies on an authentication method other than secrets: something unique that an attacker can’t easily acquire or intercept. This could be a one-time code, a fingerprint scan, or a magic link sent to an email address.
Passwordless is designed to avoid the problems associated with passwords. (Users tend to forget them, reuse them, and/or choose insecure values.) Although it is sometimes discussed as if it were a unique approach to authentication, in practice it often uses the same mechanisms (except for passwords) discussed above for MFA.
MFA: a very effective tool against ATO
MFA is a simple but reliable way to protect user accounts against takeover attempts. When attackers must surmount multiple barriers, their success rate is drastically reduced.
Research from Microsoft validates the importance of using MFA. It found that MFA can block 99.9% of ATO attempts. This mirrors a similar report from Google which concluded that two-step verification using on-device notifications blocks 100% of attacks driven by automated bots, 99% of phishing campaigns, and 90% of ATOs targeted at a specific user.
Having said that, not all MFA methods are equally effective. In particular, insecure code generation methods such as SMS can be misappropriated. Also, the intrinsic risks of communicating evidence across a network are unavoidable, and interception of a large number of authentication requests could (in theory) allow useful information to be obtained.
However, exploiting any of these MFA vulnerabilities is much more technically challenging than basic credential stuffing and phishing campaigns. Using MFA puts your organization on a strong footing to defend against ATO.
Encouraging MFA adoption
To be successful, MFA needs to be rolled out across all the user accounts in your organization. Even a single unprotected account or compromised password can give an attacker significant leverage, as evidenced by the Colonial Pipeline incident. Clearly, MFA should be mandatory for all users with access to internal systems (employees, contractors, etc.)
Unfortunately, it’s not as straightforward for customer accounts. MFA adds friction to the login experience, slowing users down and creating a sense of inconvenience.
The good news is that more consumer-facing businesses are adopting, and requiring, MFA for their customers. As this trend continues, more people will grow accustomed to it. Further, the ongoing industry efforts to simplify and standardize MFA are delivering promising results in this area. As FIDO support heads to all major platforms, users will soon be able to log into websites and apps using their device’s familiar authentication mechanisms. This will accelerate login and remove the manual aspects of previous MFA solutions.
The bad news is that adoption rates are still low. An October 2022 report from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) found only a quarter of customers of one “top vendor” use MFA. Even more alarming, only a third of system administrators have it enabled (!)
Of course, none of this is a reason to delay adoption across your own organization. MFA’s advantages for securing user accounts are clear; the question should not be whether to adopt it, but only how to implement it, and how quickly it can be done.
Conclusion
Account takeover (ATO) attacks are a popular form of cybercrime where an attacker acquires access to an existing user account. Successful ATOs can be the result of a data breach, phishing campaign, or brute-force credential stuffing attempt. The resulting damage can range from various forms of external fraud using customer accounts, or worse, compromise of internal systems, leading to disasters such as data breaches and ransomware installation. Detection can be difficult, and post-mortems can be challenging too (thanks to polluted audit logs and questionable data integrity). All of this can create compliance nightmares.
MFA is one of the most effective ways to defend against ATOs. Adding a second method for user authentication imposes an extra barrier against attackers, and can bring the rate of successful ATOs down to near-zero.
Still, MFA alone won’t stop attackers from trying to execute ATOs. Nor should it be the only ATO defense, especially in your public-facing systems.
In the next article of this series, we’ll continue our discussion of ATO prevention by discussing phishing attacks, and how to protect against them. Stay tuned!
Share this post
