MFA Adoption: Benefits and Risks

The global pandemic which forces many organizations to adopt the work from home model has led to the dramatic adoption of multi-factor authentication (MFA) as a cybersecurity measure. While MFA has its benefits, it also presents some risks.

What Is MFA?

MFA, short for multi-factor authentication, is another route to account security. Traditionally, accounts are protected by single-factor authentication composed mainly of the username and password combination.

Single-factor authentication has shown to be easily compromised, for instance, through brute force attack – guessing the correct username and password combination through automated means.

MFA promises to secure an account by requiring multiple forms of verification to prove one’s identity when signing into an application. There are many forms of MFA. One form is through the use of an authenticator app. Microsoft Authenticator app, for instance, allows a user to login to an account by responding to a prompt for authentication after the user signs in with username and password. Alternatively, through Microsoft Authenticator app, a user signs into an account without entering a password, through the use of username and further confirming identity using a mobile device with the user’s fingerprint, face, or PIN.

MFA Bypass

While MFA helps reduce your organization’s attack surface by adding another layer of account security, it isn’t a silver bullet. On its own, it can’t instantly solve all cybersecurity issues.

Researchers at Proofpoint recently disclosed that they’ve discovered critical vulnerabilities in MFA implementation in cloud environments where WS-Trust is enabled. These vulnerabilities, the researchers said, could allow attackers to bypass MFA and access cloud applications that use WS-Trust, notably Microsoft 365, formerly known as Office 365.

WS-Trust, short for Web Services Trust Language, is an authentication protocol used for controlling the issuance, renewal and validation of web security tokens. Its goal is to provide a framework for secure communication between various web apps.

Microsoft itself describes WS-Trust as inherently insecure by current encryption standards. “The WS-Trust security protocol, when used in conjunction with a user account and password, implements an authentication flow that presents both the user Id and password to the authenticating resource in ‘clear text’ form, relying solely on the transport encryption to provide security for the initial leg of the authentication, until such point as the token service returns an authentication token to use,” Microsoft said.

Microsoft gives the following timeline to allow for transition of customers and partner applications:

• Effective October 2020, WS-Trust will be retired for all new tenants – Microsoft refers to the overall Microsoft 365 Data Center as an apartment complex, with tenants referring to the container for items of organization such as users and domains.
• Effective April 2021, WS-Trust will be retired for all new environments within a tenant.
• Effective April 2022, WS-Trust will be retired for all new and existing environments within a tenant.

According to Proofpoint researchers, the vulnerabilities that they’ve discovered could allow an attacker to gain full access to the target’s Microsoft 365 account, including mail, files, and contacts. These vulnerabilities, the researchers added, could be used to gain access to other Microsoft-provided cloud services, including production and development environments such as Azure and Visual Studio. “Most likely, these vulnerabilities have existed for years,” Proofpoint researchers said.

In exploiting the said security vulnerabilities, the researchers at Proofpoint said, an attacker could spoof his IP address to bypass MFA via a simple request header manipulation. Another way by which an attacker could exploit these vulnerabilities is by changing the user-agent header, causing the IDP to misidentify the protocol and believe it to be using modern authentication. “In all cases, Microsoft logs the connection as ‘Modern Authentication’ due to the exploit pivoting from legacy protocol to the modern one,” the researchers said.

The MFA bypass reported by Proofpoint researchers isn’t the first time that Microsoft 365 MFA has been bypassed. In May this year, researchers at Cofense uncovered a phishing tactic that leverages the OAuth2 framework in eventually bypassing Microsoft 365 MFA.

OAuth, short for open authentication, is an open-standard authorization protocol that grants websites or third-party applications access to an application without giving away authentication details such as passwords. In the phishing tactic uncovered by Cofense, a target was lured into opening an email that masquerades as coming from a legitimate source with salary bonus as a subject.

The phishing email contains a link leading to Microsoft Office 365 login page. This link is, in fact, a legitimate Microsoft Office 365 login page but an examination of the whole URL shows the words “oauth2” and “authorize”. After signing in to the Microsoft Office 365 login page, the target is asked to confirm whether he or she wants to grant access to Microsoft Office 365. By leveraging the OAuth2 protocol an attacker gains access to the target’s email and access cloud-hosted documents containing sensitive information without the need to brute force login details and bypass MFA.

Cybersecurity Best Practices

The above-mentioned security vulnerabilities and phishing tactic showed some of MFA’s weaknesses. MFA, however, is the first line of defense against brute force attacks. With MFA, cracking the correct username and password combination won’t be enough to gain access. According to Microsoft, MFA can block over 99.9 percent of account compromise attacks.

Below are some of the best practices in protecting your organization against MFA bypass:

• Educate staff about phishing campaigns such as those that leverage the OAuth2 protocol
• Log in via virtual private network (VPN)

Despite your best efforts, cybercriminals still finding way to bypass even most stringent security controls.

Our experts can assess your infrastructure within a just a few days and identify and patch the vulnerabilities to keep cybercriminals at bay.

Schedule a consultation today and worry less about the privacy and safety of your mission critical data. Call now (416) 920-3000 or email us at sales@genx.ca