Multifactor Authentication (MFA)
Why MFA
- All your creds are belong to us! Analysis of MFA impact on password attacks by Microsoft Threat Intelligence.
- It's Time to Hang Up on Phone Transports for Authentication Microsoft Threat Intelligence advice: use MFA; do not use smartphones for MFA.
- Account takeover prevention rate by challenge type. A slide summarizing the (estimated) effectiveness of various MFA techniques (challenge type) as a function of the attack type (automated bot, bulk phishing, targeted). It can be seen that security keys are "perfect" even for targeted attacks (i.e., the most sophisticated ones).
Notable incidents mostly due to lack of MFA
MFA attacks
Always keep in mind that everything but security keys can be phished (e.g., with specialized proxies like Evilginx).
- The Rise of One-Time Password Interception Bots
- SIM Swap at Krebs on Security
- Real-World SS7 Attack — Hackers Are Stealing Money From Bank Accounts SMS redirection in the phone network (SS7 vulnerability).
- Lapsus$ and SolarWinds hackers both use the same old trick to bypass MFA "MFA bombing".
- 3 Examples of Typical Smishing and Vishing Attacks in 2022
Extremely interesting MFA bypass: Wi-Fi.
- The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. The attacker has passwords for organization O1, but O1 has MFA enabled... So the attacker penetrates organization O2, which is in physical proximity to O1, i.e., the wireless cells of O1 reach computers in O2. By taking control of a node in O2, the attacker can authenticate to the access points of O1 (for which there is usually no way to enforce MFA).
Misuse of phone number
- FTC fines Twitter $150M for using 2FA info for targeted advertising
Passwordless
- Passwordless login with passkeys at Google. Less technical description: So long passwords, thanks for all the phish. User experience: Sign in with a passkey instead of a password.
- Google passkeys are a no-brainer. You’ve turned them on, right?
- Passwordless authentication options for Azure Active Directory Microsoft scenario (very complex, as always).
- Passkeys vs Security Keys FAQ by Yubico, manufacturer of security keys.
- Passkeys.dev Description of passkey support across browsers and operating systems.
- Can Passkeys Replace Passwords: Timely idea faces deployment challenges An excellent analysis of the practical usability problems in deploying this technology (usability is a central issue in cybersecurity).