Why FIDO2 Is the Answer to Better Security
A dramatic increase in security incidents is affecting governments around the world. In light of this, the United States issued a formal order to implement a robust set of security measures designed to improve the security of federal systems. In his most recent executive order, President Biden acknowledged that the United States and many other governments around the world are facing increasingly malicious cyberattacks. In order to prevent and recover from security incidents, the President is pushing to significantly improve the government's security stack, including the implementation of multi-factor authentication (MFA). In this post, I'll discuss how the government's plan to leverage MFA could be even better.
The state of security
In the past six months, we've seen a substantial increase in headline-grabbing security incidents: SolarWinds in December 2020, the Microsoft Exchange vulnerabilities in March 2021, and most recently, the DarkSide ransomware attacks. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) released an alert on the exploitation of Pulse Connect Secure vulnerabilities, drawing attention to the growing problem of increasing security threats.
Based on the latest Verizon Data Breach Investigations Report, we know that more than 80% of data breaches involve stolen or compromised user credentials. This approach to data theft seems to be the attack vector of choice for cybercriminals because it allows them to gain a foothold into the victim's network. Once a bad actor enters the system, they can move laterally to find targets of interest or drop malware and ransomware.
As is true in most cases, it's harder to clean up this kind of mess than to prevent it in the first place. For the companies and agencies that have been affected by ransomware or malware, removing the threat and building up security is time-consuming and costly. Governments around the world understand this and are now doubling down on security tools, including MFA.
A barrier to entry?
Adding MFA to workforce logins can significantly protect against bad actors taking over employee accounts. This barrier to initial entry reduces the risk of data breaches and minimizes the risk of being crippled by ransomware or malware.
But not all approaches to MFA are created equal. As we saw in last year's Twitter attack, determined attackers can use a combination of social engineering and fake login pages to dupe employees into giving up their usernames and passwords.
As I described in this recent blog post, standard push MFA, for example, can be bypassed. Similarly, one of my threat research colleagues wrote about how UK bank customers had their bank accounts compromised by attackers who compromised SMS-based MFA.
A better method of defense
The way to enhance MFA so that it cannot be bypassed is FIDO2, an industry standard managed by the FIDO Alliance. In basic terms, it works by cryptographically binding the MFA response to the specific authentication attempt and its challenge. That means attackers can't reuse stolen or compromised credentials, and they can't dupe users into entering their credentials into a fake login page, because a response produced for the fake page is not valid for the real one. This method makes it virtually impossible to compromise MFA.
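To make the binding described above concrete, here is an added, simplified simulation of a FIDO2/WebAuthn login check; it is example code written for this post, not Akamai's product code or the FIDO Alliance's reference implementation. It assumes a relying party at login.example.com and uses an HMAC with a per-credential secret as a stand-in for the authenticator's private-key signature (real FIDO2 uses an asymmetric key pair); the challenge and origin checks are what matter.

```python
import hashlib
import hmac
import json
import secrets

# Constructed, simplified WebAuthn/FIDO2 login (assertion) flow. An HMAC keyed
# with a per-credential secret stands in for the authenticator's private-key
# signature (real FIDO2 uses an asymmetric key pair); the origin and challenge
# checks are the point. Assumed relying-party (RP) identity: login.example.com.
RP_ID = "login.example.com"
RP_ORIGIN = "https://" + RP_ID
RP_ID_HASH = hashlib.sha256(RP_ID.encode()).digest()

def rp_issue_challenge() -> bytes:
    """The RP creates a fresh random challenge for each login attempt."""
    return secrets.token_bytes(32)

def browser_build_client_data(challenge: bytes, origin: str) -> bytes:
    """The browser, not the page's JavaScript, records the origin it is on."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                       "origin": origin}).encode()

def authenticator_sign(cred_secret: bytes, client_data: bytes) -> bytes:
    """Authenticator signs authenticatorData (here just the RP ID hash)
    concatenated with SHA-256(clientDataJSON), so the origin is covered."""
    to_sign = RP_ID_HASH + hashlib.sha256(client_data).digest()
    return hmac.new(cred_secret, to_sign, hashlib.sha256).digest()

def rp_verify(cred_secret: bytes, issued_challenge: bytes,
              client_data: bytes, signature: bytes) -> bool:
    """RP accepts only if type, challenge, origin and signature all match."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(data.get("challenge", "").encode(),
                               issued_challenge.hex().encode()):
        return False                      # replayed or foreign challenge
    if data.get("origin") != RP_ORIGIN:
        return False                      # signed while on a look-alike site
    expected = authenticator_sign(cred_secret, client_data)
    return hmac.compare_digest(expected, signature)

def login_attempt(cred_secret: bytes, browser_origin: str) -> bool:
    """One login; browser_origin is the site the user is really on. A relay
    phishing site fails because the signed clientData names its origin."""
    challenge = rp_issue_challenge()
    client_data = browser_build_client_data(challenge, browser_origin)
    signature = authenticator_sign(cred_secret, client_data)
    return rp_verify(cred_secret, challenge, client_data, signature)
```

In a real browser the check happens even earlier: the browser refuses to invoke the authenticator for an RP ID that does not match the page's origin, so the fake page never gets a usable response at all.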
Building on the executive order to further secure systems by employing FIDO2 is good policy. Standard push MFA has gaps that can allow bad actors access to an arsenal of sensitive information. Given everything that's happened in the past six months, our barriers to entry need better security than we've ever needed before.
To learn more about our frictionless and phish-proof MFA solution, or to try it out yourself, visit www.akami.com/mfa.