MFA is Better than Passwords… Right? – Roger Grimes, KnowBe4

[00:00:00] Roger Grimes: I give a lot of seminars on hacking MFA and when I show people how easy it is to hack MFA, there's not an audience where the mouths aren't dropping. And they're, Oh my goodness. And not only this, but the US government has said don't use these easily phishable forms of MFA, anything, SMS based, push based, anything that asks you for a one-time code. I mean that literally describes 90, 95% of MFA used by people. And let me say, does anyone think that any government organization is on the cutting edge of cybersecurity policy? You know, they're not.

[00:00:35] Andy Still: Welcome. Welcome. Welcome back to the cybersecurity sessions, our regular podcast, talking about all things cybersecurity with myself, Andy Still CTO and co-founder of Netacea the world's first fully agentless bot management. This time, we're discussing some of the challenges around authentication of users.

Speaking personally, my day job is building tooling that among other things will protect systems from automated attacks to compromise accounts can personally validate the up to 95% of logins on some systems are malicious. Uh, one of the solutions that's often held out as the magic bullet to solve this problem is multifactor authentication, MFA.

We've probably all experienced MFA in some form, whether it's getting an email or a text message to validate a login. Oh, one of the other more complex. They're are out there there are whole full range of different solutions, some more secure than others. So explain more about the different approaches.

we're joined today by Roger Grimes, who literally wrote the book on security weaknesses in MFA. Welcome, Roger. Great pleasure to talk to you today. before we start, do you want to quickly introduce yourself for our listeners?

[00:01:39] Roger Grimes: Sure I've been doing computer security for 34 years. earned all of these great hairs. I've written 13 books, probably 1200 magazine articles, and I think probably 50 to a hundred articles and multi-factor authentication. And I did write a book called Hecky multi-factor authentication. I'm not sure if I'm a world expert, but I probably have pretty good insight into the good and the bad and the ugly of.

[00:02:02] Andy Still: I think you certainly know more than well than a lot of people out there. , I think MFA is often kind of held up as a silver bullet solution to protecting online credentials. Do you want to give us some background on how MFA has ended up having that, air of ultimate trust?

[00:02:17] Roger Grimes: Yeah.

You know, I think ultimately it's logical to think that, well, if I have to provide one form of authentication, which traditionally would be a login name and a password. So if I have to provide one type of secret my password to prove that I'm attached to this identity account, that if you ask me to provide multiple.

Different types, you know, the something you are, something, you know, something you have type thing that it seems inherently logical that it's harder for an attack. To compromise two or more factors. And it Is one factor. I mean, so theoretically it.

is harder for that. And, uh, and so I think it's made sense to us for decades to go, Hey, we need to get people off of , just using a password and go to something more secure called MFA.

But I think the theory is this one thing, . And what I noted was in practice. It's far weaker than most people think. and that's kind of a problem is that everybody that uses MFA, if I was to interview them, they go, oh yeah, I think this protects me a lot more.

I've been told, this stops me from being as easily phished And the reality is that for 90, 95%. of it I can bypass it as easy as if it was a password. so for the vast majority of use, it really isn't as secure as most people think, but they think it is. And so that in itself presents.

a problem

[00:03:35] Andy Still: I think that, up with people thinking, oh, I've got MFA. I don't need to worry about it. And do you think part of the issue is that MFA is not one thing is that there's, there's plenty of, variations of it. And I think. it's second factor of authentication, is it the case that that's kind of been watered down over the years to being from, something you physically hard w w used to have those kinds of separate tokens and things like that to be a lot more loosen.

and is that kind of where the weaknesses of have started to come with MFA?

[00:04:04] Roger Grimes: Yeah.

I mean, I think that's part of it that it's watered down, but sadly. Kind of coalesced the most popular stuff that people are using or using the weaker stuff because we're humans. And even when we moved to something more difficult, we want to move to the least more difficult thing. And so, interestingly enough, 20, 30 years ago, there were MFA salute like smart cards and RSA secure IDs and stuff were actually more secure.

then most of the stuff we're seeing today, even RSA secure ID, 30 years ago so the RSA secure ID might've been, one of the more common forms people saw youth this little device and it has this six digit, one-time password. They call it that you tight.

Well, early on, when I use that decades ago, before I typed in that digit, I would have to type in a four digit code that was static and never changed, kind of like a password. So the RSA thing would come up, I'd have to do my login name. Then I would have to put my four digit code and then my six digit code and type that in well, even today, RSA secure ID because everybody else only requires a six digit code.

They got rid of that four digit something, you know, requirement. and so even. the more secure forms have disappeared or smart cards, smart cards are actually a fairly secure form of MFA and, oh, it's so hard to use and expensive to maintain. And the technical support costs are terrible that they went away and what's taken over.

Are these cheaper, easier to use forms that are not nearly as.

[00:05:32] Andy Still: Yeah. And I think big push buck we're talking to customers about MFA is always just the customers won't stand for it. . We don't want to inconvenience customers. I'm guessing from some of the, weaknesses at MFA is that basically compromises have been made reduce that amount of inconvenience to make it something that's palatable to customers.

But in the meantime, you've lost on lots of the value

your.

[00:05:56] Roger Grimes: Yeah.

There's almost two schools of thought a really popular school of thought that I've seen expound by many people. Let me say. Of nations and leaders of the largest cyber security companies like Google and Microsoft heard a senior VP of Microsoft that was pushing MFA, said use any MFA, even if it's weak, MFA.

And I am absolutely diametrically opposed to that. to go from login names and passwords to MFA. It takes a whole mindset or cultural mindset. You've got to argue that you want to do it. You got to convincing your management. You got to go through procurement deployment, support operations.

And I think if you told them. You know, Hey, by the way, we're switching to something that's barely better than passwords. And we could choose options. That would be significantly better and have to go through basically the same expense and same training and same support costs.

They would always go with a significantly more secure options. And it's just kind of a sad thing that the vast majority of people, I mean, not. And let me say, not even, you know, regular people, I mean it security people.

I give a lot of seminars on hacking MFA and when I show people how easy it is to hack MFA, there's not an audience where the mouths aren't dropping Pretty much only giving these to it, security people and they're there. Oh my goodness. And not only this, but the us government has said since 2017, and again, in 2020, in 2021 in presidential executive order.

So our government has said don't use these easily fishable forms of MFA, anything, SMS based, anything tied to your telephone number, push based MFA, anything that asks you for a one-time code. I mean that literally describes 90, 95% of MFA used by people. It's a Google authenticator, Microsoft authenticator, that sort of stuff.

And the U S government's been saying for five years, don't use it. And let me say, does anyone think that any government organization is on the cutting edge of cybersecurity policy? You know, they're not.

[00:08:00] Andy Still: No, I think it's, it's fascinating that that is out there as government policy, because that is definitely not reflected the general consensus in the industry, which I think is much more around the, what you were saying before about Google and Microsoft have any MFA is better, you know?

Thinking of our internal security policies, there is mandatory MFA, on almost all our systems, but it is all kind of MFA, , systems that you're talking about today. , so I think it would be interesting , just to go into some more details about how MFA can be exploited is what kind of , techniques, can you share with us around that?

[00:08:33] Roger Grimes: Yeah. So probably the most common one that?

defeats 90, 95% of MFA out there is what's called a man in the middle attack. So I send you an email. that you think is legitimate, but it has a fishing link. So you think it's coming from Instagram, Facebook, Twitter, Microsoft, your it team or whatever, but it's a phishing email with an alternative link road link in it that you get tricked into clicking on.

And we know from phishing attacks, being the most common attacks in the world that it's not that hard to convince people to click on. Well, when you click on this rogue link, it actually takes you to a fake man in the middle of a website. And that website then directs you to the real website that you thought you were going to.

Facebook, Instagram, Google, whatever. And then, you now have this evil man in the middle of proxy website. And if you looked at your URL, You would see that it isn't really taking you to the right place, but that man in the middle website, everything you type in, , it sends to the evil website then to the real website and everything coming back from the real website.

So all your data, your content, the login screen, it's all coming back to the victim, but the man of the middle website from the evil guy is capturing it all. So eventually when you type in. Let's say your six digits, your four, six digit code. They're capturing that and they can use it, or they can just capture what's called your access control cookie token, whenever you log in successfully to a website and it's like, oh, you've been authenticated.

You get this cookie. And it's just a text based thing and they capture it and then they cut your connection and reuse your cookie and log in as you, and then they changed your password. That's one way, another way. I can pretend to be, let's say from Google technical support and I can send you a message going, Hey, there is a problem with your account or somebody else is trying to log into your account.

We're going to send you a Google authorization code and you need to type that back in response to that. So we can prove that you are who you say you are, otherwise we're going to block your accounts. And then what they do is they go into Gmail, reset your account, or they claim that they lost your password.

And Google's nice. Like, oh, how do you want through the code sent? And they can say, oh, send it to SMS. Then gets sent to that person. That person gets that code types in the response to the message, because SMS itself is you can't tell who anyone is. That sending you a message. You don't really know who those people are.

So if you respond to the code it's game over, , and those are two quick, easy methods that work against a lot of today's authentication or even the third story is push-based MFA when you get this code on your phone, I was like, are you sure you want to log in? Yes or no? Well, it turns out that a lot of people.

We'll say yes, even when they're not actively logging in, it kind of befuddles my mind, but , it's like the people that created push-based MFA didn't understand how weak us humans are and the percentage of people that will just say yes, even when they're not dozens and hundreds of times.

And so real world hackers and penetration testers often send these messages to people and they're like, oh yes. And it's funny, you ask. Did it when they were deploying? Push-based MFA not tell them, Hey, if it's not, you log in. Say no. And report this to it, or did they say that? And they just didn't hear it.

And my, my thought is probably most of the time, like you said, deploying MFA is tough. And so the, it team's like, Okay.

when you get this, what'd you do you hit? Yes. You know, they're just trying to get their employees to use the new method and maybe the under-emphasized or skipped or just thought they should be bright enough to notice a no, it's not them, but it turns

out

we're not.

[00:12:09] Andy Still: Yeah. in the, the article that you wrote other than this, I like the story of the company who, the workers were finding this too much overhead. So they'd all rerouted the, um, approval to their manager. So their manager was just automatically approving any locking attempts. Cause he didn't know if anyone was logging in, but ultimately saved them all time.

And so, like you say, it's, surprising what people will do. .

[00:12:31] Roger Grimes: Yeah. And let me say, and the MFA solutions can make small modifications that make them more secure. Like the one where the guys were, it was the oil field workers redirecting their SMS messages to them. They just told the SMS, oh, the boss's phone numbers, my phone and the boss was just approving.

Every log in was coming his way regardless, but you can make it harder. saying, oh, there's a code on the screen. You have to not only approve, but you also have to type in that little code that's on your screen. So you prove that I'm actually in front of the login screen seeing this code. So that's kind of the saddest part is there are literally, in most cases of MFA, you can make small changes and adjustments and make it far more.

So, if we're looking at MFA, we've talked about some of the weaker areas. What would you say were the best examples of MFA, the best types of MFA in terms of security?

[00:13:37] Roger Grimes: Yeah, I, you know, because I say 90, 95% of it is easily fishable and bypassable it really, when I started to think of, I need to create a list of what is good MFA. And I created an article called this is my list of good MFA or something like that and put it on LinkedIn. It was a very short list at first, but, there are lots of good examples out there.

And I would say things certainly what comes to easy to mine is phyto, uh, fast identity online. Phyto, that's uh, an Alliance and anything that is FIDO enabled is significantly harder to attack. And that's because they tie each particular website to the physical token.

And if you get a man-in-the-middle website, it just doesn't work because that man in the middle website that you're interacting with your token. Doesn't understand that man-in-the-middle website, you know, smart cards were. because again, tied to a particular device to a particular PC, anything that ties particular websites to particular devices and prevents these men in the middle attacks is a good thing.

, there are plenty of solutions out there like beyond identity, , dot com is another one where they, , essentially treat your laptop as a trusted device. And there's a public private key. And the man in the middle of website just doesn't work. again, some of the push based authentication and one-time password solutions, they will do, what's called geo identity stuff going, okay.

You're Roger Grimes. You're logging in from Tampa, Florida every day. And if all of a sudden you're logging in from China, maybe I shouldn't approve it automatically, or they do, you know, there's lots of things where they're like, okay, Roger logged in from Tampa. And an hour later it's claimed me logged in from Russia.

That's probably not possible. And we probably don't want to approve that. So on LinkedIn people go to LinkedIn, follow me. I've got some, I've got a list of a good MFA that I like. And you know, there's probably, a hundred, 200 solutions represented in what I recommend. it's probably sad. that an unfortunate thing. Not used by even probably 1% of the world yet,

[00:15:33] Andy Still: Yeah. I can see the, way that we could use these more sophisticated solutions with, certain like, internal business logins, maybe for high value relationships like banking and things like that. do you see that there will be a case in the future that MFA for wider usage, so like B to C relationships,

[00:15:55] Roger Grimes: Yeah, it's, it's, it's exploded already, at least in the states. And I think everywhere. because of a Google authenticator or a Microsoft authenticator and they're blasting the horns, it protects you a hundred percent, a hundred percent of attacks would have been blocked. you know, I read those news stories and I just want to cringe, you know, like a hundred percent of attacks are blocked by MFA and it's not even true, even in their context.

but you know, it's what gets repeated and said, and the media picks it up, but, you know, so I think MFA is exploding in use everywhere at home and, you know, probably the unfortunate. most of us now have multiple MFA. I've got one that I log into my laptop and work. I have another one I'm going to my Gmail account.

I got another, I got to use when I go to my bank. So,

not only do I have 70 passwords, I now have like 20 different MFA solutions and they're all different. That's the part that's going to be tough to solve. So we are exploding in MFA and now I got to remember passwords and innovate things. But again, what I'm hoping, the word I want to get out is that sometimes.

It's as easy for a vendor. Like if you get a YubiKey YubiKey from Yubico, is a really popular MFA option user, this USB option, you plugging in your laptop, you just touch them or whatever. The same token comes. phyto and non phyto. And all you have to do is choose phyto to get the phyto, which gives you this extra protection, but people don't know about it.

And to be honest, Fido can be more complicated to initially configure. but literally the same token. All you have to do is say, I want to enable the phyto part and set that up. And then you get that extra protection for using the same device.

[00:17:30] Andy Still: yeah, and I think there's a degree of this, about education isn't and there's a degree of this, about, investment from companies in, not just accepting simple MFA solution.

[00:17:40] Roger Grimes: Yeah.

I mean, that's the big thing is when I tell people, Hey, you're using something that can be hacked by a phishing email. They're shocked. They're shocked. And I go, Hey, and by the way, there are options out there that, that isn't true about. That changes the conversation, but the vast majority of people aren't.

So it really is a part of education. It's education. To senior management is education to the people that are pushing for MFA it's education for the purchasers of MFA it's education for the MFA vendors, like the MFA vendors themselves need to know that we need to use something that isn't as easily hackable as a password.

I mean, I think again, if you tell border directors and CEOs and CIS sows, we're going to make this multi 1,000 million dollar investor. Because all this disruption or a business and move people to this new way of logging in disrupting their lives, slowing down their productivity. And in the end, you're not really getting that much more than you had with a password.

I think a lot of people would be hesitant. And if you told them, oh, by the way, you can do the exact same stuff, exact same decision, but choose an option. That's far more secure. I think just educating them that, Hey, there are good options out there that you can use. We'll help them select those better options.

And that. The vendors that aren't offering the better protection to modify their products because they won't survive in a world. But what, right, right now, what I think is happening when people say, just use any MFA, even if it's weak, MFA is we're setting up additional organizations to now be, oh my God, I followed what they told me to do.

We still got hacked. I don't believe any of these cybersecurity people. Right. We're literally creating problems of future district. Because they're listening to us, they're moving in a certain direction. They've taken the time, the money, the resources, the disruption, and ended up in the same place. They're going to think we lied to

them.

[00:19:29] Andy Still: Yeah, I think it creates a false sense of security as well. Doesn't it? People think, oh, it's MFA. I don't need to worry about that. I don't need to worry about phishing emails in the same way, and I don't need to worry about. Being as protective around my user details. Cause it's all protective. I MFA. so , from a consumer point of view, would be the advice that you gave to us as individuals to, avoid these kinds of exploits of MFA?

Given that , we are stuck with the version of MFA that's provided by whoever works. trying to authenticate with.

[00:20:00] Roger Grimes: So, yes, I think number one, for some of these attacks is just be aware of some of the popular attacks,

right? Security awareness. number one, you have to look at your L's and every email hover over them, make sure they're going to the right place. And you have to know that multi-factor authentication provides some protection, but not all protection.

So I still have to apply normal rules and look at what I'm clicking on. If I have pushed base MFA. I need to know, do not say yes if I'm not there, that sort of stuff sometimes you have the opportunity to select what type of option you want. Try to pick a more secure option.

If you're a consumer that becomes a buyer and you're getting to choose among options, try to choose a more secure options. If you currently have an option that's possibly easily fishable. Start to ask that vendor to use offsetting defenses and mitigations to help it be less fishable. so number one for consumers is just be aware that MFA does provide some protection, but probably not as much as you think, pay attention to links that you may look on learn.

I would say I really would love it. It would be my dream. If the people that handed out MFA would say, Hey, just be aware of these, these sorts of attacks. These common attacks are used against this type of MFA. So it'd be aware of it, but that doesn't happen. You know, I go to my bank and like, oh, you have to sign up and use this type of.

They never educate me. What do I need to look out for? That might be used against me? So that would've been. My dream is that every time you're handed MFA, if you're not allowed to choose a more secure form that they educated you slightly about the sort of attacks like I get push-based MFA.

Every time I log into Gmail at No.

time did they actually spend any time? They didn't send me a 32nd video going, Hey, if it's not, you log in it. Don't say Yes.

You know, just a simple little education thing would really help prevent a

lot of

pain.

[00:21:53] Andy Still: Yeah, that makes sense. And I think it is, for anyone who's, listening in that some MFA is still better than no MFA, but just be very cautious around it. would that be your message to

consumers

[00:22:05] Roger Grimes: Um, no, so there are some forms of MFA that are actually weaker than a log-in name.

and password

[00:22:10] Andy Still: Interesting.

[00:22:11] Roger Grimes: I'm, kind of contrary to that. I'm like, Nope, Nope. You know, that's the message that a lot of people, any MFA's better than, you know, people ask me, what about SMS based MFA? Isn't that better than passwords?

No, no, it's not. It's you know, and, and not only that, but it? gives You to most people, they have the false assumption imagination assumption that it makes them significantly harder to hack. So I think?

if you have someone that has a log-in name and password, they kind of know what the attacks

are and they're kind of aware of them.

And they're trying not to hand them out. If you tell somebody , you're far less likely to be hacked because you're using this thing. I think they actually work against you. I actually talked to a,, a CIO. Of a large credit union in the us. And he said, we've been hacked successfully more our customers since we went to MFA and he said, I wish we could undo it and go back to log-in name and password.

And I think that matters more than me. I'm just some cyber talking heads saying, blah, blah, blah, blah, blah, blah. That guy's in the field. And he's saying we're having more attacks with MFA. So, I would say, not all MFA.

[00:23:15] Andy Still: that's interesting. Very interesting. and just before we wind up putting your future guests, Hi, Todd, is there a better future than MFA? What would be your kind of for authentication?

[00:23:29] Roger Grimes: Yeah. You know, I think the future is going to be more like the zero trust promise where you know, right now our model is you get authenticated and then you're allowed and you can move all around the building and do everything. But I think zero trust and behavior stuff the future of authentication is more like credit cards and that they let you buy and do stuff and you never stop.

But one day, if you're buying two TVs and another. Ah, hold on. Maybe we need to verify this. I think that's the future of authentication is that they're going to look and analyze your user behavior. Then you say, you know, if Roger comes as to his bank account every day and he checks his balance, okay, that's normal behavior.

But if all of a sudden he's transferring $10,000 to a brand new Russian. Maybe that's something we should ask for additional authorization. I think that's the future is actually probably not really MFA at all. It's probably more looking at your user behavior and asking for more authentication?

when you do something

potentially.

[00:24:23] Andy Still: Yeah, that is true. Mike, most things, it's more like what you would do in real life. You wouldn't ask them on who they were and then trust them once they told you, you would on monitoring what they were doing. And, you'd be more interested in what their actual actions than, than how they validated themselves.

So, again, , it's a journey that where we're all on together. I think the authentication journeys. One of the key things that we will see evolving in cybersecurity over the coming years, because it is a key point of weakness of most, systems.

[00:24:52] Roger Grimes: Yup. Yeah. It's, you know, it's, uh, probably the only frustrating. Is, we could do things better, uh, for everybody. And, uh, and we tend to wait until there's more blood on the ground than there needs to be. We always take every lesson the hard

way.

[00:25:07] Andy Still: Absolutely. Yeah. We tend to, have to wait till it's all gone horribly wrong. then people will invest the amount of time and money and inconvenience and change that they need to, to get to the next phase. thank you very much, Roger. I think that's been a fascinating conversation and hopefully everyone at home is not too terrified uh, to ever walk into any system again, at the end of that.

hopefully everyone has found that. Interesting. if you, any feedback, please review subscribe to our Twitter feed at cyber set pod. Questions, you can also email us at podcast at Netacea dot com. so we'll just wrap it up by saying thank you very much again, to Roger. and we will, hopefully meet you all again at the next episode of cyber security sessions.

[00:25:49] Roger Grimes: Great. Thanks everyone.