Guarding the Gates: A Deep Dive into MFA

Jara Rowe: Are joining us for part one of a two- part webinar series. The first up is guarding the gates, a deep dive into MFA. So the team here, which will introduce themselves in just a second, is going over multifactor authentication today. So what we're going to do for the webinar, the agenda, we'll do some quick intros, the full 411 breakdown of MFA, followed by a Trava demo, and a Q& A to wrap us up at the end. I did not introduce myself yet, but I am Jira Row, the content marketing specialist at Trava and I'm just here to help facilitate my expert coworkers here for the topic. So I will let them go ahead and introduce themselves.

Marie Joseph: I'll start. We just go in order. I'm Marie Joseph. I'm a senior security solutions engineer here at Trava. Been here over two years now and I help a lot of people mainly with their compliance journeys, whether that be SOC Tier or ISO, but deal a lot with security every day.

Christina Annechino: Awesome. Well, hi. I'm Christina Annechino, the cybersecurity analyst here at Trava. I started this year in February. My main responsibilities have also been working in compliance. I've done vulnerability management a few of our customers as well as writing vulnerability reports.

David D'Apice: Hey everybody, I'm David D'Apice and I'm a software engineer here at Trava. I've been here for approaching two years and I work specifically on building the Trava platform and work mostly on our scanning infrastructure.

Jara Rowe: Fantastic. All right, Marie and Christina, you can take it away.

Marie Joseph: Awesome. Okay. So let's jump into what is MFA? So just as the name states, it requires a minimum of two or more factors in order to gain access to a system or account. This is probably why some people might've also heard it been called 2FA, which is two factor authentication. So they're basically one and the same. It just gives an extra step of verification to make sure the account owner is really the one accessing this locked information. Each one of these factors must belong to a different category such as something you have, something you know, or something you are and we'll discuss these in further detail later in the presentation. Before we fully dive into the details on MFA, I want to briefly bring up a few statistics when it comes to password focus attacks and threats in your everyday life. In 2021, it was found that more than 80% of confirmed breaches are related to either weak, stolen, or reused passwords. In 2022, over 24 billion passwords were exposed in some manner by hackers and when you think about it, that is a lot of passwords when you compare it to how many people there are in the world. In some cases a user is notified that their password has been compromised in a breach. It's usually a best practice that someone has to give out and that often triggers a user to change their password and change any other accounts that might be using the same password. So using MFA in addition when these types of breaches occur could have the possibility of preventing that account from being compromised. So just adds that extra layer, which we'll talk about a little further here.

Marie Joseph: So as I was mentioning briefly before, MFA could potentially stop an account from being fully compromised by a threat actor gaining access to your data due to adding that one extra layer of security of having more than just a password. So some of the other reasons MFA is important are listed here. MFA reduces the risk of unauthorized access, it protects against password related attacks, it safeguards sensitive data and systems, and it mitigates the impact of compromised credentials. So that's just a few of them listed that we thought were important and I want to emphasize a study that was done on Google account users that had MFA enabled on their accounts. It was found in a study that MFA blocks 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks on users' Google accounts. So this means that the extra layer of security prevented some of the most common automated attacks by adding one more barrier a threat actor would have to crack in order to gain access to your information. That second layer is typically something easy for you to know, but harder for an attacker to figure out.

Marie Joseph: You typically hear a lot of excuses of why people don't want to use MFA. So we kind of wanted to list a few of those just for fun. You hear them in your everyday life I'm sure with personal accounts and just in your business in general. So one of the big ones is we cannot afford it and the constant maintenance is too much for our staff. Another one is it is annoying and takes too much extra time to use more than one factor to gain access to the information. Possible security gaps and limitations to make it hard to implement into our everyday lives. Employees do not want to do it. Often you get a lot of pushback. So you will also probably hear a lot of complaints from people that it's just too much work to spend that extra five seconds doing it. And the most common one is that single factor authentication does the trick. People think nothing has ever happened to them, so the chances of it happening are so slim until it really does happen to you. So there always is that possibility that it will happen to you one day. Looking at the statistics we were talking about earlier, there's been billions of passwords compromised already. So there is that chance that you have been compromised already and don't even realize it. I keep mentioning the word factor and some of you might be wondering what that really means.

Marie Joseph: So there are four factor types that can be used kind of as a second key to go along with your password or whatever other form you're using to gain access to your accounts as of now. So these are the following. The first one is knowledge or something you know. This is probably the most common to everyone and examples for this include your password, a pin, or your dog's favorite treats. The second one is possession or something you have. Examples of something you have are usually physical such as a device like a token or a one- time pin or just your phone. The third is inherent or something you are. These are things that are a part of you like your fingerprint or your voice or your face. And then lastly is just the simple category of other and that includes things like your location or time.

Marie Joseph: Now that we know the four factors, we can talk about how they are deployed. Some examples of how we typically see this in our everyday lives are listed here. So SMS and email codes. These are one- time passwords that will come through in those forms and they often last several minutes. Then there's authentication apps. This is probably one of the more common ones that people might see. There's a lot of vendors out there that have these. You click on the app and then it gives you a code that lasts about 30 seconds that you have to type in to access your account. And then the other one is hardware tokens. This is kind of similar to your phone except it's just its own other device and this also gives you a code that lasts about 30 seconds and it's really nice to have when you don't have access to your phone or cellular service. Other ones not listed would be things you probably use every day on your smartphone. These keep your device locked and encrypted. So this can be just your password that you use, which is like a number, word, or a passphrase or what is more common these days are the biometric factors like your face or fingerprint that are used to unlock devices.

Marie Joseph: Now I'll pass it on to Christina.

Christina Annechino: All right. Great. If you could step back to the previous slide for how MFA works.

Marie Joseph: Yeah. Perfect. Sorry.

Christina Annechino: You know how. Sounds good. So we've heard a bit about what MFA is some statistics as well as some of the factors. Sorry, Marie, just for how MFA works.

Marie Joseph: Oopsy. Yeah. Let me go back. Well, there it is.

Christina Annechino: Sounds good. Yeah. All right.

Christina Annechino: So now we're just going to get into basically how MFA works. So we're going to start with the first step, which is a login request. So the user or employee has provided their unique credentials that verify their login. The username and password are sent to the server and checked against what's been saved in the database. So if those two pairs of credentials match, the user or employee will need to further verify their identity since access hasn't been granted yet. So moving on to the next step, you're then prompted to enter the second factor. So depending on what was chosen, from what Marie said, an example of something you have, let's say a one- time password, you're going to open your authenticator app and enter the dynamically created six digit pin. Only after the correct pin has been entered will access be granted. So I know it's not mentioned here in the diagram, but just to highlight a third step for highly privileged access, there may be a third factor utilized for user verification. This will vastly reduce the chance for account compromise since there are three distinct separate authentication methods that must be successful before login, but really this should be only used for highest level security.

Christina Annechino: So moving on to the next slide, we're going to talk about some real world examples of MFA. So online banking, email services, and corporate networks, these are three of the largest representations of where MFA is highly prevalent, but of course there's a bunch of different other representations of where MFA is utilized. So first we're going to go through online banking. There's been a known shift to internet- based banking and e- commerce. The number of digital banking services and system access points have expanded due to mobile banking and this is opening a new area for hackers to compromise systems and exfiltrate data. So stated by the FFIEC, for those of you who don't know, the Federal Financial Institution's Examination Council, mouthful I know, in a document created to provide financial institutions with effective examples of risk management for access and authentication, the use of single factor authentication as the only control mechanism for digital banking services is plainly inadequate. So to prevent unauthorized access that leads to a hacker changing system configurations, stealing sensitive banking information, and/ or moving laterally within the network or system, MFA has been a prevalent solution. MFA is paired with other controls such as user timeout and transaction account limits for a complete layered system of security. Each control enforcing a stronger barrier against unauthorized access. Financial institutions only enforcing single factor authentication are at a higher risk of data theft and destruction, customer account fraud, and identity theft. So this goes to show that when you use MFA for your work accounts and for your personal accounts such as banking, you're applying a security best practice for all avenues where data should be protected. So moving on to the next, email services. One instance where protecting email login is pivotal is when the same account is used for gaining access to a password manager. This becomes an even larger access point for attackers if MFA is not enforced but on a company's email accounts to gain access to another system where data is stored. MFA can be configured through a company's current email provider and enforced through an admin console controlled by a highly privileged user within the security team. So enabling MFA will protect accounts credentials, but it's also important to think about other ways of protecting data to transfer through other email communication as well. So for instance, setting up email encryption is another added protection for emails that ensures secure transfer. Finally, moving on to corporate networks. With the rise of remote working came the expansion of corporate networks and with the network expansion it is important for admins to have complete control over access to company devices, ensuring there's always a secure remote connection enabled. MFA can be used to authenticate remote connections, acting as an additional layer of verification, creating stronger assurance for the type of connection.

Christina Annechino: So moving on to the next slide, we're now going to talk about where should MFA be used. So basically any applications and systems that involve user authentication, particularly important for applications that have sensitive data or users with administrative access. So multifactor authentication is a general best practice for all data communication involving sensitive information.

Christina Annechino: Moving forward, we're now going to talk about choosing the right MFA method for your needs. So things that you want to consider and evaluate is user convenience. So what's going to be most applicable for your employees as well as your company? Security requirements. So what you have already stated in your policies as well as any compliance requirements as well. Cost and scalability, that's definitely going to be a big contributor as well. Cost- effective. If it's not cost- effective, it's not going to be too great. So definitely make that a part of the consideration and just making an overall informed choice. So evaluating all of these things and just making sure you're choosing the right MFA solution. So what Marie mentioned previously, some of them can include an app- based authentication. You can set up mobile push notifications with number matching. A token based one- time password. Something else to note, authentication via an app or a token based one- time password or mobile push notifications with the number matching are some of the best options for small to medium- sized businesses that cannot immediately implement phishing resistant MFA, which is something I'm going to be talking about later. And then one more thing to note for SMS. This really relies on security of the current mobile network. So it should serve as a temporary solution, one transitioning to stronger MFA implementation for your company.

Christina Annechino: Okay, great. I know that we talked about the importance of MFA and the benefits of MFA, but we'd also like to highlight some limitations. So MFA cannot protect against an employee's email that was targeted first. So if MFA was not enabled on a company's email account, it's more susceptible to compromise as well as other accounts that that primary email is used for gaining access. Security of MFA is reliant on email account security. So the next is intercepted SMS message that contain a one- time use pin. Not encrypted. So SMS really, as I mentioned previously in the last slide, should be used as a last resort or just not the first option. The next is weak user generated passwords or user error. And if there are certain cases where a password manager is not utilized for an account sign- in, there's a chance that a potentially weak user generated password might've been created. So just to be aware of that as well. And then finally, depending on relevancy, the compromised biometric data, this can be difficult to change and/ or reset. So if this is compromised it can potentially be detrimental.

Christina Annechino: Moving forward, I'm now going to talk about how MFA can be compromised because it can. So first off is social engineering. We're going to dip into phishing attacks. So tactics that have been used for phishing include sending SMS messages, emails, or even phone calls that either prompt a reset for a highly privileged user account or mislead an employee to reveal their authentication codes. This is easier after already deploying a phishing attack to obtain those account credentials. So an example of this can involve the impersonation of a legitimate employee or a trusted service like Adobe or DocuSign. The victim would click on the malicious URL and then be redirected to a page set up as a reverse proxy to capture all information within the form, MFA details included. So phishing attacks can actually also lead to MFA fatigue. This can potentially proceed a phishing attack once they've successfully stolen privileged credentials. The attacker would then begin to send a multitude of 2FA push notifications, which would bombard the victim with the intent to wear down their resolve, getting them to eventually verify their identity by entering their MFA. The attacker would then have an initial foothold within the target company's environment. So to combat these, it's really important to just remain educated and complete security awareness trainings as well. So next here I have the SIM swapping. This is done by using phishing techniques or reviewing social media to collect PII. An attacker can then convince a cell phone carrier to switch the mobile number of their target to a SIM in their possession. So you may think that this isn't an issue, but from a recent FBI report in 2021, there were over 1600 complaints of SIM swapping that led to 68 million in paid demands. Just in that's huge. Just another note, this attack is specific to companies that use SMS as their 2FA. So next I'm going to mention potentially this is just something to be aware of. Faulty 2FA applications and an untrusted authenticator app can be extremely detrimental to an organization. In 2022, Google Play pulled an authenticator app titled 2FA authenticator that had over 10, 000 downloads in 15 days. This app was a Trojan dropper, acting as a malicious program, which was used to install malware on unsuspecting user mobile devices with the purpose of stealing banking information by targeting financial services. So how did this app remain on Google Play? Its developers use an open source code of an official authentication app allowing it to disguise as a legitimate authenticator. So note for this, beware of the free authenticator app as well as one that you're not familiar with. And finally I'm just going to mention malware. So users who install applications on their devices that aren't well known or verified can unintentionally jeopardize their data and device security. So hackers that create a malware as a service can distribute fully functional malware on a broader scale to more targets. So definitely need to be aware of this. Finally, so after mentioning all of this, the strongest recommendation to combat MFA is going to be phishing resistant MFA. So CISA, the Cybersecurity and Infrastructure Security Agency, strongly urges all organizations to implement phishing resistant MFA as a part of their zero trust architecture, which is a strategy to ensure network users to be authenticated and consistently validated. So whether this is something you would like to consider or not, really definitely further interest would be beneficial since this is the most secure form of MFA protection. And moving forward.

Marie Joseph: Awesome. Yeah.

Marie Joseph: So jumping back into things, we want to leave you all with some of the best practices when it comes to implementing MFA and possible ways to emphasize the importance of it to your fellow peers on an everyday occurrence. So the first one listed here is choosing the right MFA solution. It is important to evaluate MFA providers based on your organization's needs. There are plenty of vendors out there with different features and cost so it is up to you to evaluate which one will work best for yourself, your employees, and your customers. Another one is integration with existing systems. So highlighting the importance of seamless integration into your everyday life is super important and at work it's important to your peers since they'll be using that every day at work. And then it also, with configuring this feature, it can be simple, but it is important to reiterate how important it is of why you're turning it on at your organization and why you should be using it every day to hopefully have less pushback. And then lastly, policy development and enforcement. Having clear MFA policies and consistent enforcement creates a habit and continues to emphasize the importance of MFA. That's also kind of why it's important to possibly use it in your personal life every day as much as you can because it does create that habit and then bringing it to work just makes it a lot easier. This is particularly important too with the policy wise thing for business purposes and from that standpoint. Most compliance audits make MFA a requirement and so do cyber insurers. So if you're trying to get any good coverage with insurance, MFA is the first thing they're going to look at. So that is another reason why it's just important to emphasize and implement this from the top down. Start with your higher up peers and put it all the way down to some of your newer employees.

Marie Joseph: And then lastly, I want to talk about that there are plenty of benefits when it comes to using MFA. So I want to reiterate a few of the things we mentioned throughout the presentation today. An account becomes more secure with MFA enabled. Having those two walls of defense or more is always better than having just one. Second, an account is more secure with the use of two different factor types. So we talked about those four types. So it is good to use a combination of knowledge, possession, inherit, or those other factors. So for example, something you know like a password and then something you are like a fingerprint. So having the combination is better than having two passwords or two use of the inherent, so your fingerprint and your face. So better to have a combination to make it a little different to make it more secure. And then lastly, MFA helps to minimize the attack surface of your accounts. The extra layer of security makes automated attacks more difficult and gives one more preventative measure. This is really emphasized by some of the studies and real life examples we talked about earlier. And it is important to know that nothing can be 100% secure, but the mechanisms you implement can at least minimize the possibility of them occurring.

Christina Annechino: Definitely. So to recap everything we just discussed, we highlighted what is MFA. Went through that. The factor types as well that Marie mentioned, as well as how does MFA work, going through the steps of that process. Evaluating MFA to meet your needs. Limitations and risk of compromise, highlighting that just for your awareness and knowledge. As well as the benefits and best practices for MFA. So with that, we're going to pass it back on to David and Jira and if there's any questions, please feel free to add them.

Marie Joseph: I'll let you share.

Jara Rowe: Thank you so much Marie and Christina. As David begins to share his screen, there are just a couple things I forgot to mention earlier. We do have some resources down in the resource tab about multifactor authentication for you all to be able to enjoy later. And also, like Christina was just mentioning, in the Q& A tab, if you have any questions to ask Marie, Christina, or even David after the presentation or demo of Trava, please go ahead and use the Q& A tab for that and we have time to do that as soon as David shows us the demo. All right, David. Your go.

David D'Apice: Awesome. Thank you. All right.

David D'Apice: Well hi everybody. I'm here to give you guys a little bit of a walkthrough of the Trava platform and more specifically our MFA scan. So for those of you that don't know, Trava is a cybersecurity platform that offers a suite of tools including scanning systems to give you an insight on your current cybersecurity standing and we offer a new scan that's called the MFA scan. So the MFA scan was introduced about two months ago into the platform and it's specifically geared towards users that want to have a better understanding of their MFA enforcement and compliance standings across their organization. So here I'm going to show you as we go through, you can click on the vulnerabilities tab in the platform and then you would go through to start an assessment like they would with any of our other scans that we offer. And as you scroll down, you'll see that the MFA scan is showing up under our internal offerings because it does require a little bit of internal setup in terms of a service account to be able to actually interact with the different providers that we offer. And the different providers that we support scanning against is Azure, Google, and Okta. Now Azure, Google, and Okta are three of the kind of industry standard providers. So we wanted to make sure to include those in the scan. Here you can see that they require different configurations depending on which provider that you're going to be using. So once you select the provider that you would like to use, you can click on the where are my credentials button and this will actually download a step- by- step PDF guide, walking you through the setup process in terms of how to set up that service account and walking you to all the information that we're going to need to be able to run that scan.

David D'Apice: But once you have all that information entered, you can go in and click on the save MFA account button and this will actually add that configuration to your assessment and then you're ready to go, you're ready to run the scan. And just a couple things to note about this. We do actually support multiple different providers and organizations configurations to be added to this scan in a single assessment. So let's say you use two different providers, Google and Okta, across your organization, you can add both of those into this and they will both be scanned against the same assessment. So that way you can kind of consolidate your scanning a little bit if you'd like to. And then on top of this, the MFA scan also operates just like any of our other scans do in terms of the scheduling. So if you are creating a scheduled assessment and you'd like to add an MFA scan to your scheduled assessment, you can do that and it will run just the same as all of our other scans would. If you want to run it on a certain cycle like once a week, you can do that as well.

David D'Apice: So the scan itself is a pretty quick scan. So it will execute pretty quickly, but I have a previous one here that I ran just to show you guys kind of what the results look like and walk you through what we specifically look for in the MFA scan and what kind of vulnerabilities you might expect to see. So we break it down into three main vulnerabilities that we look for during these scans and that includes users without MFA enabled and this is going to probably be your most common vulnerability that you would see from this scan. So this will specifically point out the affected user and the affected user ID there for you. So in the results you would see user without MFA enabled and then if you go down into the details itself, you can actually see the username and the user ID of maybe who you would have to go talk to get them to enable MFA. And then we kind of have a subset of this vulnerability that we also include, which is administrators without MFA enabled. Again, we look through all the users in the organization and check which ones have MFA enabled and we specifically call out administrators at a higher level vulnerability because the administrators, again, they have higher level privileges across the board. So we want to make sure that they are definitely implementing MFA and making sure that they're secure. They're more prone to attack so we want to make sure that they're covered. In terms of the second vulnerability that we really look for in this scan is that MFA is not enforced for all users and administrators. So this is kind of a blanket vulnerability that we will throw out, but it's very important where if we notice any users that don't have MFA enabled or if we scan through all of your policies and we check and if there's any policies that do not enforce MFA, that is something that you're going to want to probably address to make sure that that way you can ensure that everybody's using MFA across the board. So this one's very helpful to just have a good idea of your standing at any one point. And then finally, the last vulnerability that we specifically look out for is weak MFA methods. So as we just learned, SMS is a common weak MFA method that is prone to different attacks like SIM swapping. So we want to make sure that we're looking in your organization to make sure that you're only using strong MFA methods. So this is a lower level vulnerability because it is still good to have MFA enabled, but it would be better to have a stronger method enabled. So in the details here as you can see, we have two pieces of information that are very helpful to point you in the right direction of where you need to fix that. So we give you the users that are affected by this, but more importantly, we also give you the target policy. So this is the policy in your organization that is actually allowing users to enable that weak MFA method. And so that will give you the correct direction and point you in the right way that you got to go to actually update that to make sure that we're only using strong MFA methods across the organization.

David D'Apice: And that's pretty much it. So I am going to pass it back over to everybody. Let's see here. There we go. I'm going to pass it back over to Jira.

Jara Rowe: Fantastic. I've learned so much from you all. I appreciate it. So if anyone has any questions, please feel free to drop it in the Q& A. You can ask David anything about the product or ask Marie and Christina anything about MFA or honestly, cybersecurity in general.

Jara Rowe: There is one question. We learned about authentication apps earlier on, and Christina, you talked about how there are times where they're not really legit. So how would someone go about verifying that this is a legit authentication app?

Christina Annechino: Yeah, definitely. So making sure that you're using a trusted well- known authenticator app as well as going to your head of your security team to confirm that this is an app that you should be using and just making sure that, before download, that it's something that is verified.

Jara Rowe: Fantastic. All right. And

Jara Rowe: then another question. How can we as users stay up to date with different MFA things in general?

Marie Joseph: There's honestly plenty of resources out there. Typically, you can find different newsletters that will probably give you access, like different security newsletters. And then also just if you have some internal security help at your company, always good to ask them what's the latest, what's up with that? And then also a lot of times you'll see softwares and different tools that you use currently where they'll have some sort of push notification out where they started to enable MFA and they'll often list some sort of resources of why they're doing it and which apps they recommend using if that's the way they're doing it, but there's a lot out there. Not sure if anyone else has anything they want to add.

Jara Rowe: All right. Fantastic.

Jara Rowe: And just as a reminder to everyone that this is just part one of our series. October is cybersecurity awareness month. On Halloween actually we will be back talking about phishing attacks. So you can join us then as well. And if there's nothing else to add, then we will give you extra time back in your day. Thanks for join-