9 Ways You’re Doing MFA All Wrong
As we witnessed in the recent MGM attack, you may have MFA set up correctly, but it may not be as effective as you think at securing your account.
MFA is a great way to dramatically increase the security of your accounts, but it is not an end-all-be-all by any means. It is subject to misconfiguration, and misconfiguration sits among the top 3 vulnerability categories in information security.
1. 💬 Having MFA Codes Sent To Your Phone via SMS
Phones are subject to SIM-swapping attacks, where someone can literally take over your phone number and receive your codes.
💡 Personal Security Tip: Call your phone provider and add a PIN to prevent unauthorized changes to your account.
Use push MFA instead (see below).
2.📝 Failing to Educate Employees on MFA Best Practices
Even with a robust MFA system in place, its effectiveness can be diminished if employees are not properly trained on how to use it correctly.
MFA fatigue is a real thing! People will still tap YES on a prompt they did not initiate, either accidentally or haphazardly because they are busy doing something else. (Modern-day woes.)
Providing comprehensive and continued training and education on MFA best practices can help employees understand the importance of MFA and how to use it securely.
3. 🗝️ Not Using Hardware / FIDO2 Keys for Admins or Key Personnel
FIDO2 is now integrated into many modern operating systems, which makes this phishing-resistant technology far easier to roll out. You can also distribute hardware keys such as YubiKeys, but make sure you have a fallback/reset plan for lost or broken keys.
4.🔒 Neglecting Regular MFA Audits and Updates
MFA is not a set-it-and-forget-it solution. Regularly auditing and updating your MFA methods is crucial to stay ahead of emerging threats. Conducting audits can help identify vulnerabilities and ensure that your MFA setup remains effective and secure.
5. 🤳🏼 Giving Out One-Time Codes Via Phone Calls
At the very least, this should not be the norm, and it should not be easy to do. Build a very strong authentication and alerting mechanism for these cases, and make it impossible for critical access areas or employees with privileged access.
Use the phone number on file to call the person back.
Do not rely on that callback if the number has been changed recently (there should be a log or indicator showing when it was changed).
Create a robust verification process that asks for information only that employee would know.
Using a separate directory altogether for privileged access/users would help a ton here!
6.♻️ Allowing TOTP Codes To Be Re-Used
Did you know that many providers actually allow codes to be re-used within the 30-second time step?
As per RFC 6238 (the TOTP spec), a code that has already been validated is not supposed to be accepted again.
Hello, can you say “one-time” altogether please?
Of course, for convenience purposes companies have been a little lax and allowed codes to be re-used.
For the best security, make codes truly single use.
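The difference between a lax verifier and a single-use one, as an added example that is not part of the original post: the TOTP generation follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits), the secret and timestamps are constructed sample values, and the `TotpVerifier` class with its `last_accepted` tracking is my own illustration of the one-time rule.

```python
import hashlib
import hmac
import struct

STEP = 30   # time step in seconds (RFC 6238 default)
DIGITS = 6  # code length


def totp(secret: bytes, counter: int) -> str:
    """HOTP/TOTP code for one time-step counter (RFC 4226 truncation)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**DIGITS).zfill(DIGITS)


def verify_lax(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """The common mistake: any matching code in the window is accepted,
    no matter how many times it has already been used."""
    counter = now // STEP
    return any(
        hmac.compare_digest(totp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )


class TotpVerifier:
    """Single-use verifier: remembers the highest time step already consumed
    and refuses any code for that step or an earlier one (RFC 6238 s5.2)."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window          # steps of clock drift tolerated each way
        self.last_accepted = -1       # no step consumed yet

    def verify(self, code: str, now: int) -> bool:
        counter = now // STEP
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_accepted:
                continue  # replay of an already-consumed step: reject
            if hmac.compare_digest(totp(self.secret, c), code):
                self.last_accepted = c
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # constructed sample secret (RFC test key)
    t = 59                             # constructed sample timestamp (step 1)
    code = totp(secret, t // STEP)
    strict = TotpVerifier(secret)
    print("first use:", strict.verify(code, t))       # True
    print("replay (strict):", strict.verify(code, t + 5))  # False
    print("replay (lax):", verify_lax(secret, code, t + 5))  # True
```

The lax verifier keeps accepting the same code for the rest of the window; the strict one consumes the time step on first success, which is the behaviour the spec calls for.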
7.🌩️ Backing Up To The Cloud Insecurely
Did you know that Google Authenticator now allows your MFA secrets to be backed up to the cloud? Have you considered which cloud account those secrets are being sent to?
If they are being backed up to an employee's personal account, and that account does not have strong authentication, then it really defeats the purpose of MFA (kind of a chicken-or-egg question).
Ask users not to enable backups and/or enforce the use of your own app for MFA
8.📲 Not Using Push Notifications ONLY
Many times people enforce MFA on their users, but they still allow them to use SMS! The best way to get rid of all this headache is to enforce push notifications through a directory app that you own. Not only will this reduce your attack surface, but it will also ensure that the right users are provisioned to your MFA.
9. 📬 Sharing One-Time Backup Codes Via Email
Yes, I’ve seen this! Don’t do this. These recovery codes are super important and should be locked in your password manager. (You’re using a password manager right?😅)
Sensitive data should never be sent via email.😬
Think about it this way: if an attacker gets access to the mailbox of the person who sent those emails to employees during onboarding, they now have ALL employees' one-time codes sitting in the sent folder!!
As you can see, just enabling MFA is not as simple as you think. As with any security configuration, it must be done with thought and in proportion to your threat landscape. Running a threat modeling exercise within your company will help you make an informed decision on right-sized security for your environment and business.
📖Additional Useful Resources
Here are some related resources that may be helpful on your MFA journey:
Thank you for reading Last Week As A vCISO. This post is public so feel free to share it.