The Flaw in Multifactor Authentication: Why One-Time Passwords and Push Notifications Fail
In the world of cybersecurity, multifactor authentication (MFA) is touted as a foolproof way to protect accounts from unauthorized access. However, a recent report by Cisco Talos has revealed a shocking truth: MFA based on one-time passwords and push notifications is vulnerable to a type of attack known as an “adversary in the middle.” In this blog post, we’ll delve into the details of this attack and explore why MFA based on WebAuthn is a more effective solution.
The Attack
The attack begins with a phishing email or message that lures the victim into logging in to their account. The link provided appears legitimate, but in reality, it’s a proxy server set up by the attacker. The victim enters their username and password, which are then forwarded to the real site. The site sends an MFA request, which the proxy server sends back to the victim, who believes they’re logging in to the legitimate site. The victim then sends the MFA code to the proxy server, which sends it to the real site. Alternatively, the user clicks a push notification displayed on their phone. In either case, the attacker has successfully compromised the account, even with MFA turned on.
The Problem with One-Time Passwords and Push Notifications
The issue with MFA based on one-time passwords and push notifications is that the codes themselves are phishable. A one-time code is just a short string of digits or characters; anyone who captures it can enter it into the real site exactly as the user would, and the effect is the same as if the attacker had phished the password. Moreover, ready-made phishing toolkits mean that even attackers with little technical skill can stand up convincing login pages and proxy servers.
The Rise of Adversary-in-the-Middle Attacks
Adversary-in-the-middle attacks have become increasingly common. In 2022, a single group used this technique to steal over 10,000 credentials from 137 organizations and compromise the network of authentication provider Twilio, among others.
The Solution: WebAuthn-Based MFA
WebAuthn-based MFA is a more effective defense against these attacks. WebAuthn credentials are cryptographically bound to the URL they authenticate, so a credential presented to a phishing site at a different URL produces nothing the legitimate site will accept, and the attacker cannot reuse it from their own device. Additionally, WebAuthn authentication must happen on or in proximity to the device the victim is using to log in, which makes it difficult for an attacker to insert themselves into the authentication process.
Conclusion
Phishing has become a major security concern, and MFA is often touted as a solution. However, MFA based on one-time passwords and push notifications is vulnerable to adversary-in-the-middle attacks. WebAuthn-based MFA, on the other hand, provides a more secure solution. With thousands of sites now supporting WebAuthn, it’s easy for end users to enroll and enjoy the added security benefits.
Actionable Insights
- Implement WebAuthn-based MFA to protect your accounts from adversary-in-the-middle attacks.
- Be cautious when clicking on links or entering sensitive information, as they may be part of a phishing attack.
- Keep your software and operating system up to date to ensure you have the latest security patches.
Summary
In conclusion, MFA based on one-time passwords and push notifications is vulnerable to adversary-in-the-middle attacks. WebAuthn-based MFA, on the other hand, provides a more secure solution. By implementing WebAuthn-based MFA and being cautious when interacting with sensitive information, you can protect your accounts from these types of attacks.