The Dark Side of MFA

Have you ever met a person who invested in a four-wheel-drive vehicle and became a poor driver because of it? An acquaintance was taking me for a drive in his new SUV on a snowy day and was driving quite dangerously. “Don’t worry, it’s four-wheel drive,” he told me. I was thinking, “Yeah, but 4WD doesn’t help you stop.” He assumed that the added traction and driver-assist systems in his new ride meant that he could drive like a maniac in inclement conditions. He was confident that the technology would overcome his mistakes. His vehicle was in the body shop before the end of the first month.

I have observed MFA (Multi-Factor Authentication) causing a similar false sense of security. Stuxnet jumped an air gap, Heartbleed crippled the world’s routers, and Spectre attacked CPUs themselves; any single security measure can be subverted. There are more weaknesses than there are people or man-hours to fix them. Security works best when it is applied in layers; relying on a single solution is likely to land your network at the business end of a security event.

There are several methods that can be employed to beat MFA; just Google “Defeat MFA.” One of the most effective is the good ol’ man-in-the-middle. Evilginx2, whose logo graces the top of this article, is a standalone, pre-packaged MITM proxy server complete with instructions. Of course, Evilginx was designed to be a demonstration and to help security experts understand how these attacks work, but it is fully functional and could be used for evil (see what I did there).

Multi-Factor Authentication is a tool that can be added to your security strategy, not an all-encompassing security solution. The tendency to let your guard down after deploying a new security measure like MFA can be a costly mistake. I wouldn’t ease up on the password requirements just yet.
