Security vs. Convenience: When Convenience Goes Too Far
MFA is a huge boon to security, but some innovations that are supposed to make it easier are actually giving hackers new ways to attack individual users. This is an example of where keeping things simple would mean more security for everybody.
MFA Push Breaks The Security Vs Convenience Balancing Act
The urge to make security 'easy' for users is understandable: by and large, users see security as a necessary evil, so anything that makes security policy and process less onerous on end users tends to get adopted. There is a downside, though: making security too easy often opens new attack vectors for bad actors to exploit. Security and convenience are very often a balancing act, and MFA push is a technology that tips that balance too far away from security for comfort.
One attack that has been making the rounds recently is what's being called MFA Fatigue (also known as push bombing or prompt bombing). It relies on MFA push technology, which pings an authenticator app installed on your phone when someone tries to log in to a website with your credentials. The push then asks whether it's really you trying to log in, and you tap Accept (or, if it's not you, you tap Deny).
The problem is that an attacker who already holds the user's password (from a phishing page, an infostealer, a credential-stuffing list or an earlier breach) can attempt the login hundreds of times, causing the end user to receive hundreds of MFA push requests. This can then cause users to either:
- accidentally hit Accept (hey, we're human. It happens.), or
- just hit Accept to stop the barrage.
Attackers often combine MFA fatigue with other social engineering moves, such as calls or emails pretending to be from IT: 'Can you just please hit Accept so we can fix your account?'
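The pattern above (a burst of push prompts to one user, several denials, then an approval) is visible in identity-provider logs, and it is worth alerting on even if you decide not to lock anything. The following is an added example, not code from the original post or from any vendor: a small sliding-window detector run over constructed JSON log lines. The event names, field names, window size and thresholds are assumptions for the illustration; real IdP logs use different schemas.

```python
"""Detect an MFA-fatigue burst in authentication logs (added example).

Constructed log format (not any real IdP's): one JSON object per line with
`ts` (ISO-8601 UTC), `user`, `event` and `src_ip`, where event is one of
"mfa_push_sent", "mfa_push_denied", "mfa_push_approved". Lines must be in
time order, as a log tailer would deliver them.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)   # assumed tuning values, not from the post
PUSH_THRESHOLD = 5               # prompts per user per window that count as a burst
DENY_THRESHOLD = 2               # denials before an approval that look coerced


def _parse_ts(s):
    """'2023-01-10T08:00:00Z' -> timezone-aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_mfa_fatigue(log_lines, window=WINDOW, push_threshold=PUSH_THRESHOLD,
                       deny_threshold=DENY_THRESHOLD):
    """Return a list of alert dicts (one per user per rule) from JSON log lines."""
    pushes = defaultdict(deque)   # user -> timestamps of prompts inside the window
    denials = defaultdict(deque)  # user -> timestamps of denials inside the window
    alerted = set()               # (user, rule) already raised; alert once per user
    alerts = []

    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        ts, user, event = _parse_ts(rec["ts"]), rec["user"], rec["event"]

        # Slide both windows forward so only recent events are counted.
        for dq in (pushes[user], denials[user]):
            while dq and ts - dq[0] > window:
                dq.popleft()

        if event == "mfa_push_sent":
            pushes[user].append(ts)
            if len(pushes[user]) >= push_threshold and (user, "push_burst") not in alerted:
                alerted.add((user, "push_burst"))
                alerts.append({"user": user, "rule": "push_burst",
                               "count": len(pushes[user]), "ts": rec["ts"]})
        elif event == "mfa_push_denied":
            denials[user].append(ts)
        elif event == "mfa_push_approved":
            # An approval right after several denials is the "hit Accept to make
            # it stop" pattern from the post; treat it as the higher-severity signal.
            if len(denials[user]) >= deny_threshold and (user, "approved_after_denials") not in alerted:
                alerted.add((user, "approved_after_denials"))
                alerts.append({"user": user, "rule": "approved_after_denials",
                               "denied": len(denials[user]),
                               "src_ip": rec.get("src_ip"), "ts": rec["ts"]})
    return alerts


def _line(seconds, user, event, ip):
    """Build one constructed log line `seconds` after an arbitrary base time."""
    base = datetime(2023, 1, 10, 8, 0, tzinfo=timezone.utc)
    ts = (base + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return json.dumps({"ts": ts, "user": user, "event": event, "src_ip": ip})


# Constructed sample: bob logs in normally; alice gets eight prompts 20 s apart
# from one source, denies the first three, then approves to stop the barrage.
SAMPLE_LOG = [
    _line(0, "bob", "mfa_push_sent", "10.0.0.7"),
    _line(4, "bob", "mfa_push_approved", "10.0.0.7"),
]
for i in range(8):
    SAMPLE_LOG.append(_line(30 + 20 * i, "alice", "mfa_push_sent", "198.51.100.23"))
    if i < 3:
        SAMPLE_LOG.append(_line(35 + 20 * i, "alice", "mfa_push_denied", "198.51.100.23"))
SAMPLE_LOG.append(_line(200, "alice", "mfa_push_approved", "198.51.100.23"))


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

The detector alerts once per user per rule rather than on every prompt, and it never touches the account: it produces a signal for the SOC, which sidesteps the lockout-as-denial-of-service problem discussed in the conclusion.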
The Old Way Was More Manual, But Safer
Standard MFA works on a different model. TOTP, which stands for Time-based One-Time Password (RFC 6238), works by generating a six-digit number from a shared secret and the current time; the user has to enter that number into the website or application to gain access. The process is entirely different for the end user: a login page asks for the user's credentials. After the password checks out, the page asks for the current TOTP code. You enter it, and you have access for however long the session lasts.
The major difference is how the second factor reaches the application. With MFA push, the app or web page actively asks the user's device to authenticate. With TOTP, the page passively waits for the user to type in more information. That means the MFA fatigue attack has nothing to work with under TOTP: there's no opportunity to spam a device with a hundred requests a minute when all the page does is sit and wait for the user to type more characters. (A real-time phishing proxy can still relay a TOTP code, but that is a different attack with a different fix, and it doesn't involve spamming anyone's device.)
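To make the "server just sits and waits" model concrete, here is an added example (not code from the original post) of the server side of TOTP: RFC 4226 HOTP under RFC 6238 time steps, the otpauth provisioning URI that authenticator apps read from a QR code, and a verifier. The `used_counters` set and the `window` argument are my assumptions about how a server tracks accepted codes and tolerates clock drift; they are not mandated by the RFC.

```python
"""Server-side TOTP (RFC 6238) generation and verification (added example)."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote, urlencode


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-long decimal string."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI encoded in the enrolment QR code. The secret is base32
    without padding, as authenticator apps expect."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    params = urlencode({"secret": b32, "issuer": issuer, "algorithm": "SHA1",
                        "digits": digits, "period": step})
    return f"otpauth://totp/{label}?{params}"


def verify_totp(secret: bytes, code: str, unix_time: int, used_counters: set,
                step: int = 30, digits: int = 6, window: int = 1):
    """Check a code the user submitted. Nothing happens until they do: there
    is no push and nothing for an attacker to spam to the device.

    Accepts the current step plus `window` steps either side (clock drift),
    compares in constant time, and refuses any counter already recorded in
    `used_counters` (assumed per-user server state) so a code that was
    shoulder-surfed cannot be replayed within its 30-second step.
    Returns the accepted counter, or None on rejection.
    """
    if not (code.isdigit() and len(code) == digits):
        return None
    base = unix_time // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter in used_counters:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            used_counters.add(counter)
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 reference secret (test-vector value, not for real use).
    secret = b"12345678901234567890"
    print(provisioning_uri(secret, "alice@example.com", "Example"))
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "accepted counter:", verify_totp(secret, code, now, set()))
```

Keep the secret in the server's credential store with the same care as a password hash's pepper: anyone who reads it can mint valid codes forever, which is the one way TOTP does fail without any interaction with the user.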
The Old But Less Secure Way Was Definitely Not Better
One thing to keep in mind is that there are older, non-push technologies that are still susceptible to spamming-type attacks (along with other kinds of attacks). Top of the list are SMS one-time codes, often loosely called SMS TOTP even though the code is generated on the server and texted to the user rather than computed from a shared secret on a device the user holds. This is the fallback for a user who doesn't have a code-generating app or token on their computer, phone or person. The biggest threat here is SIM swapping, in which an attacker gets someone inside the phone company (or social-engineers its support line) to move the phone number onto a SIM the attacker controls. They can then intercept the SMS messages used for verification and hijack the account. In a SIM swapping situation it's the phone company that is the victim of social engineering, but sadly those attacks succeed far too often.
The same thing can happen if your one-time code is sent to your email address: instead of being texted, the code is emailed to you, and now it's your email account that is the target. That opens a lot of other possible vectors if you have computers or devices that are compromised while your email is left logged in. But you wouldn't leave yourself logged in to sites when you're not using them, right? (riiiiiiight?)
The Fixes For MFA Fatigue Require More And More Technology
The trouble is, people like convenience. And because companies like it when their customers are happy, they are trying to meet them halfway on this issue. For example, Microsoft has a security enhancement for Microsoft Authenticator push notifications called Number Matching, in preview at the time of writing. Number Matching changes the login process slightly.
What happens with Number Matching is:
- the user enters their password,
- the sign-in page displays a two-digit number,
- a push notification goes out to Microsoft Authenticator on their device, but instead of a plain Approve button it asks for the number shown on the sign-in screen,
- the user types that number into Microsoft Authenticator to complete authentication.
Microsoft claims that this enhances security because it requires additional input. To me it just sounds like TOTP with extra steps.
You haven't eliminated the possibility of spamming a device. What you have done is stop an attacker when someone accidentally hits Accept, or hits it just to make the notifications stop, since a tap without the right number is rejected. But remember the other audience for these attacks: people who are fooled into thinking IT is requesting the access. The attacker is the one sitting at the sign-in page, so the two-digit number is displayed on their screen; all they have to do is call the victim back and read it out.
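The two halves of that argument (blind approval fails, relayed number succeeds) fall out of the protocol itself. Below is an added example, not Microsoft's code or the original post's, that models number matching as an exchange between the sign-in page, the server and the phone. The class and method names, the 60-second prompt lifetime and the single-use rule are assumptions made for the illustration.

```python
"""Number-matching push approval as a two-party exchange (added example)."""
import secrets


class PushServer:
    """Hypothetical identity server that issues match numbers with each push."""

    def __init__(self, ttl_seconds: int = 60):
        self.ttl = ttl_seconds            # assumed prompt lifetime
        self.sessions = {}                # session_id -> pending approval state

    def start_login(self, user: str, now: int):
        """Called after the password check. Returns the session id, the number
        that the sign-in page displays (to whoever is at that page, user or
        attacker), and the payload pushed to the user's authenticator."""
        sid = secrets.token_hex(8)
        number = secrets.randbelow(100)   # two-digit match number, 00-99
        self.sessions[sid] = {"user": user, "number": number, "created": now, "done": False}
        push = {"session": sid, "user": user,
                "prompt": "Enter the number shown on your sign-in screen"}
        return sid, number, push

    def approve(self, session_id: str, entered_number, now: int):
        """Called by the authenticator app. Returns (accepted, reason)."""
        s = self.sessions.get(session_id)
        if s is None or s["done"]:
            return False, "unknown or already used session"
        if now - s["created"] > self.ttl:
            s["done"] = True
            return False, "expired"
        if entered_number is None:
            # A plain tap no longer works: this is what defeats the accidental
            # or "make it stop" Accept.
            return False, "blind accept not allowed"
        if entered_number != s["number"]:
            return False, "number mismatch"
        s["done"] = True
        return True, "ok"


def run_scenarios(now: int = 1000):
    """Three outcomes from the same protocol; returns a dict of results."""
    srv = PushServer()
    results = {}

    # 1. Victim taps Accept without a number: rejected.
    sid, number, _push = srv.start_login("alice", now)
    results["blind_accept"] = srv.approve(sid, None, now + 5)[0]

    # 2. Attacker spams prompts and the victim types a random guess: rejected
    #    unless the guess matches, which is only a 1-in-100 chance per prompt.
    results["wrong_number"] = srv.approve(sid, (number + 1) % 100, now + 6)[0]

    # 3. Social engineering: the attacker is at the sign-in page, so `number`
    #    is on the attacker's screen. They read it to the victim, who enters it.
    relayed_by_attacker = number
    results["relayed_number"] = srv.approve(sid, relayed_by_attacker, now + 20)[0]
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The exchange shows why the number has to be bound to the session and single-use (otherwise one leaked number could approve later prompts), and also why none of that helps once the victim is willing to type whatever the caller tells them.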
Now, it's true that often all that's needed to stop unwanted behavior is a small amount of hassle. So I applaud Microsoft and all the other companies doing something similar for at least attempting to fix the problem. But again, I can't help but think that the easier way to solve the problem is to not use MFA push notifications in the first place.
Sometimes Simpler Is Better (And Cheaper)
Let's take a different example. In any country that has cars, speeding is a huge problem. There is a tremendous amount of disrespect in the human mind for the power that is invested in anybody behind the wheel of a vehicle. Actually, I don't even like the word 'vehicle.' Let's call them what they are: 3,500-pound death machines. If you hit something with your death machine, you're going to hurt something with your death machine. And the faster you go in your death machine, the worse it's going to be. In America we have tons of solutions to this: automated speed traps, points on your license, famous anti-speeding commercials on TV starring James Dean. (We also have NASCAR and Sammy Hagar singing 'I Can't Drive 55,' so I'll concede that culturally it's a bit of a mixed message on the whole 'speeding is bad' thing.) So what we end up with is a lot of tacked-on, expensive solutions that only kind of work.
Many South American countries have an interesting solution to the problem of speeding. They're called 'sleeping policemen': basically giant speed bumps plopped at random intervals on the roads, especially rural roads. Sometimes there's a sign warning you, but sometimes there isn't. Hit one going 40 and it's uncomfortable. Hit one at 80 and you bottom the hell out of your car, and probably give yourself and your passengers whiplash at the very least. (Seriously, these things hurt. Ever hit a regular bump or a pothole when you weren't expecting it? Now make it cover the whole width of the road.)
What I'm saying is, sometimes we over-engineer a solution to a problem, and we can also over-value convenience. How much time does MFA push save you, really? Five seconds? And given the risks MFA push opens you up to, are those five seconds worth it?
Conclusion
Other solutions to the MFA fatigue issue have been proposed, but they all come with their own problems. We can't create a policy where too many requests for one account locks that account: that just means a valid user can be forcibly disabled through an MFA-based denial of service. Too many requests from one IP or phone number results in that source being blocked? That just means attackers have to spread the attempts across multiple sources, which is not a problem in the world of botnet-as-a-service.
So really the solution seems to be TOTP. Eliminate the push notifications entirely and you eliminate the threat vector entirely. Even in its comments on battling MFA fatigue, Microsoft thinks this is the way. Alex Weinert, Director of Identity Security, clearly stated: “the most effective mechanism is to avoid methods which allow simple approvals which are subject to fatigue… This prevents any bad experiences triggered by the adversary by pushing unexpected notifications.”
Eliminate 1% of convenience, for 75% more security and peace of mind. Even if you only think that you're gaining back 50% security, that still seems like a good tradeoff to me.