Is multi-factor authentication enough?

September 03, 2021 by Huw Evans, Cybersecurity Advisor


What is multi-factor authentication?

One of the most common risks when remotely accessing a network or cloud services is user account breaches. When remote access logins require only a username and password, the traditional method of preventing account compromises is to add multi-factor authentication (MFA). MFA requires:

  • Something you know, like a password
  • Something you have, like a token number, smartphone device for one-time passwords, or authentication apps

There are many forms of multi-factor authentication, and some are more secure than others depending on the account. For example, one-time SMS or email passwords can be captured more easily than authentication apps such as Google Authenticator or Okta. As MFA is adopted by more organizations, attackers are targeting these multi-factor authentication methods. This is resulting in more user account breaches where attackers are successfully capturing the MFA SMS messages or emails.

How can you defend against MFA attacks?

To mitigate account and MFA breaches, you should consider adding additional requirements that validate a connection request is coming from a legitimate user and device. Validation requirements to implement can include:

  • Validating the location the connection request is coming from.
  • Validating the type of device the connection request is coming from.
  • Validating that the request is made within the normal time frame for connections (e.g., business hours, weekends, or evenings).
  • Allowing only certain types of devices (organization-owned or personal).
  • Allowing a device only if it is in good health.

If an attacker can obtain valid user credentials and a compromised multi-factor token to log into a network, a combination of these additional requirements must also be satisfied before the attacker can gain entry. In many cases, overcoming these additional requirements can be so cumbersome an attacker will simply move to an easier target.

What is conditional access, and why should you use it in addition to MFA?

Additional measures that ensure any user logging into a remote access solution is doing so from a known network or an approved device are called conditional access. Many existing cloud applications and remote access solutions already have conditional access capabilities, including:

  • Microsoft 365 applications and login portals
  • Remote Access Client VPN
  • Remote Access Citrix or VMware VDI Portals
  • Infrastructure as a Service (IaaS) login portals
  • Desktop as a Service (DaaS) login portals
  • Many other cloud applications (SaaS)

Conditional access requirements are set by the cloud application or remote access administrators. They are made up of a set of technical rules a device is checked against, which must be satisfied before a connection is allowed. Some examples of conditional access rules require devices to:

  • Connect only from the IP address range of an organization’s network
  • Connect only from a user’s home ISP address range
  • Connect only from a vendor’s external IP address range
  • Connect only from known Geo-IP regions (such as U.S. only or U.S. & Canada)
  • Be one of certain types of devices (Windows 10, iOS, Android)
  • Have a valid on-premises Active Directory domain computer account
  • Have an organization-installed certificate
  • Connect only within a specific timeframe (during business hours, 8 a.m. to 6 p.m., Mon.–Fri.)
  • Have their operating system and applications patched up to date
  • Have anti-virus enabled with virus definitions up to date
  • Have their firewall enabled
  • Have an organization-added file or hash present

Ideally, more than one rule should be used to ensure devices connecting are known devices, in good health, connecting from a known network, and can be identified via additional methods such as:

  • Only from the IP address range of an organization’s network
  • Only from devices that have their operating system patched up to date
  • Only from devices with a valid on-premises Active Directory domain computer account

OR

  • Only from known Geo-IP regions (such as U.S. only or U.S. & Canada)
  • Only from certain types of devices (Windows 10, iOS, Android)
  • Only from devices with anti-virus software enabled and current virus definitions
  • Only from devices with an organization-installed certificate

It’s important to utilize only a few rules and to avoid implementing rules that cannot be met. For example, if a remote access solution is used to allow vendor access into a network, then implementing a rule such as “Requiring a valid on-premises Active Directory domain computer account” would not permit a vendor to connect. In this case, it would be preferable to require a combination of different rules to support vendor connections that are often not on-premises. These rules can include access:

  • Only from a vendor’s external IP address range
  • Only from certain types of devices (Windows 10, iOS, Android)
  • Only from devices that have their operating system patched up to date
  • Only from devices with anti-virus software enabled and current virus definitions

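The rule sets above, as an added illustration that is not part of the original post: a small Python evaluator that treats each rule set as an AND-group and allows a connection when any one group is fully satisfied, so a stolen password plus a captured MFA code still fails from an unknown network and unmanaged device. The networks, regions, device attributes and group names are constructed assumptions, not values from the post.

```python
# Added example (not from the original post): a minimal conditional-access
# evaluator. Rules inside a group are AND'ed and groups are OR'ed, so a request
# passes only if every rule of at least one group holds. Sample values are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Request:
    src_ip: str
    region: str          # Geo-IP country code of the source address
    os: str              # e.g. "Windows 10", "iOS", "Android"
    domain_joined: bool  # valid on-premises AD computer account
    patched: bool        # operating system and applications up to date
    av_current: bool     # anti-virus enabled with current definitions
    has_org_cert: bool   # organization-installed certificate present

ORG_NET = [ip_network("203.0.113.0/24")]      # constructed corporate range
VENDOR_NET = [ip_network("198.51.100.0/26")]  # constructed vendor range
ALLOWED_OS = {"Windows 10", "iOS", "Android"}
ALLOWED_REGIONS = {"US", "CA"}

def in_ranges(ip, nets):
    return any(ip_address(ip) in net for net in nets)
# One group per rule set from the post; each rule is a predicate on Request.
RULE_GROUPS = {
    "managed-on-network": [
        lambda r: in_ranges(r.src_ip, ORG_NET),
        lambda r: r.patched,
        lambda r: r.domain_joined,
    ],
    "managed-in-region": [
        lambda r: r.region in ALLOWED_REGIONS,
        lambda r: r.os in ALLOWED_OS,
        lambda r: r.av_current,
        lambda r: r.has_org_cert,
    ],
    "vendor": [
        lambda r: in_ranges(r.src_ip, VENDOR_NET),
        lambda r: r.os in ALLOWED_OS,
        lambda r: r.patched,
        lambda r: r.av_current,
    ],
}

def evaluate(req):
    """Return the first fully satisfied group name, or None to deny."""
    for name, rules in RULE_GROUPS.items():
        if all(rule(req) for rule in rules):
            return name
    return None
```

In a real deployment the device attributes would come from the identity provider's device posture or MDM signals, not from the client's own claims.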
Adding conditional access requirements can greatly enhance the authentication process of both cloud applications and remote access methods. Requiring both user and device authentication is an effective method of mitigating user account breaches. Sophisticated password attacks use many automated and scripted methods from unknown networks and devices, often launched from diverse global locations, and conditional access rules deny exactly those connections.
