The Need for Phishing-Resistant Multi-Factor Authentication
This blog post is the first in a series of posts that focus on the growing incidence of credential phishing and how Okta can help organizations of all sizes in implementing phishing-resistant multi-factor authentication.
Credential phishing, the practice of tricking users into revealing sensitive personal information such as authentication credentials for a business application, is one of the most prevalent forms of identity-based attacks on the web today. Security companies and adversaries continue to play a cat-and-mouse game in which new security techniques are countered by newer and more ingenious attack vectors.
For instance, signature-based email security tools that rely on scanning several elements such as sender address, subject, copy, and signature are being bypassed by polymorphic phishing—an attack technique that relies on changing these elements constantly to evade detection.
Detection mechanisms that identify fake or spoofed domains by examining whether or not they use TLS certificates are being thwarted by malicious actors who set up fake domains that use HTTPS via free TLS certificate providers such as LetsEncrypt.
Organizations using Multi-Factor Authentication (MFA) as an added security measure report a rise in MFA-specific phishing attacks that have evolved to target not just the first but also the second factor.
Most organizations are investing more in user awareness and training users to spot phishing messages and identify fake domains. However, given the prevalence of sophisticated techniques in modern attacks (registering domains with Cyrillic letters instead of regular ones, for instance), it’s extremely likely that some employees will fall for the attack and click the links to the malicious domain.
This blog post focuses specifically on the significance of phishing-resistant MFA as a countermeasure to rising sophistication in phishing attacks and underscores the importance of hardening traditional two-factor authentication (2FA) mechanisms to make them phishing-resistant by using authenticators with higher assurance levels.
How modern credential phishing attacks work: the adversary in the middle
In the past, credential phishing attacks followed a trend—adversaries would recreate static, HTML templates of login pages for mission-critical applications, send links to these fake pages to victims, and log the credentials entered, either for mounting personal attacks or selling on the dark web. 2FA was able to block such attacks with an SMS-based OTP, for instance, which would then thwart the attack.
But in the recent wave of sophisticated phishing attacks that Okta has observed, we’ve seen adversaries move away from static templates to reverse-proxy-based frameworks to set up a proxy between the real site and the fake site and mount real-time, adversary-in-the-middle (AiTM) attacks. These frameworks allow clients' requests to pass to another server. This lets the framework act as an AiTM agent, effectively intercepting all requests from clients, modifying and forwarding them to another server. It can then intercept the server's responses, modify them, and forward them back to clients. This setup allows threat actors to capture credentials sent with POST request packets and, upon successful sign-in, capture valid session cookies sent back from the proxied server, which can then be used for SSO into the real domain.
One example of such a framework is Evilginx, an open-source tool freely available on the web. Evilginx is a standalone AiTM reverse proxy. It captures the credentials and session token from an MFA session and can then be used to replay the stolen credentials to bypass MFA. Here’s a stepwise example of how such an attack might work:
- The threat actor downloads and configures Evilginx–a reverse proxy attack framework for mounting AiTM attacks.
- The adversary sets up a fake domain and uses a free service such as LetsEncrypt—a free TLS certificate provider to portray the website as a legitimate and secure website.
- The adversary sends out a phishing message to the victim via email or text.
- The victim clicks on the phishing URL and is provided with the fake app login screen on the registered domain.
- The victim enters a password and is prompted for the second factor.
- The victim authenticates and Evilginx captures the session cookie that is generated after 2FA.
- The victim is redirected to the redirect URL and wonders why the auth didn’t work.
- The adversary has captured the credentials and session token and uses them to log in to the real website with an MFA bypass. Sensitive data and applications can now be compromised.
Traditional MFA and phishing-resistant MFA
It’s important to note that traditional 2FA/MFA still remains an effective form of protection against many forms of credential theft because:
- It limits what an adversary can do with a stolen password, and
- Creates numerous detection opportunities when an adversary attempts to bypass it,
However, these traditional mechanisms that rely on SMS—or email-based OTPs, push notifications, et al.—have one crucial gap; they cannot distinguish between a legitimate domain and a malicious domain. To do so, phishing-resistant MFA is crucial for preventing attacks such as the AiTM scenario outlined earlier. So, what exactly does phishing-resistant MFA involve, and how is it more secure than 2FA?
The National Institute of Standards and Technology (NIST) has published Special Publication 800-63B, which articulates technical requirements for federal agencies implementing digital identity services and helps define phishing-resistant MFA. The key phishing-resistance attributes identified in this publication include:
- Verifier impersonation resistance using cryptographic binding between authenticator and user identity
- Replay resistance via OTP devices, cryptographic authenticators, and look-up secrets
- Verifier-compromise resistance by ensuring that any public keys stored by the verifier are associated with the use of approved cryptographic algorithms
- Authentication intent that requires the user to explicitly respond to each authentication or re-authentication request
In simple terms, for an MFA mechanism to be considered phishing-resistant to AiTM attacks, the authenticator used should be cryptographically bound to the domain and be able to distinguish between the real domain and the fake domain generated by the attacker. This way, the mechanism can immediately stop the attack so that the attacker cannot capture the credentials or session cookie and replay them. An authenticator is something an end user possesses and controls, such as a PIV Card, a password, a Yubikey, etc., and uses to authenticate to an account.
The NIST publication also offers several useful guidelines for defining Authenticator Assurance Levels (AALs). These guidelines compare the strengths of different authenticators and provide tips on choosing authenticators with high degrees of resistance to phishing and other forms of identity theft.
The table below provides an overview of the pros and cons of various authenticators supported by Okta with their assurance levels.
Authenticator types supported by Okta
|
Assurance level |
Authenticator |
Pros |
Cons |
|
Low |
Password |
|
|
|
Low |
Security Question |
|
|
|
Low |
SMS, Voice, Email One-time Password (OTP) |
|
|
|
Low |
Mobile/Desktop One-time Password (OTP) Apps
Examples: Okta Verify OTP, Google Authenticator, Authy |
|
|
|
Medium |
Mobile app push notifications
Examples: Okta Verify with Push |
|
|
|
Medium |
Physical token One-Time Password (OTP)
Examples: Symantec VIP |
|
|
|
High |
Okta FastPass |
|
|
|
High |
FIDO 2 Platform authenticators ( Apple Passkeys, Mac Touch ID, Android fingerprint, Windows Hello) and Passkeys |
|
|
|
Highest |
Personal Identity Verification (PIV)/ Common Access Card (CAC) Smart Cards |
|
|
|
Highest |
FIDO 2.0 Hardware-based security keys Example: YubiKey
|
|
|
What if the attacker targets endpoints?
Some phishing attacks rely on payloads that deliver malware or ransomware to take over accounts and devices and hijack credentials and sessions. To address such endpoint threats, Okta has partnered with leading endpoint protection and management providers like VMware and CrowdStrike. The integrations deliver device-risk signals into the Okta Identity Cloud to unlock more secure, seamless access across endpoint ecosystems.
Okta’s credential-phishing-resistant capabilities
Okta offers end-to-end, identity-centric, phishing-resistant authentication that supports all user personas, from business partners to an extended workforce, and works at scale for organizations. These include:
- Phishing resistance with Okta FastPass (stay tuned for more exciting announcements on this at Oktane 2022)
- Support for FIDO 2 standards with WebAuthn
- Support for PIV smart cards
Okta’s solutions integrate with any device management tool to enforce phishing-resistant authentication flows. Okta also offers support for adding device checks to authentication policy rules for admins to establish minimum requirements for the devices that have access to systems and applications in the organization.
To learn more about how Okta’s solutions can help you protect and enable your employees, contractors, and partners, go to https://www.okta.com/fastpass/.
