MFA is Better Than Passwords… Right?

Andy Still 0:00
Welcome, welcome. Welcome back to the cybersecurity sessions. Our regular podcast talking about all things cybersecurity, with myself, Andy Still, CTO and co-founder of Netacea, the world's first fully agentless bot management product. This time, we're discussing some of the challenges around authentication of users. Speaking personally, my day job is building tooling that, among other things, will protect systems from automated attacks to compromise accounts, I can personally validate that up to 95% of logins on some systems are malicious attacks. And one of the solutions that's often held out as the magic bullet to solve this problem is multi factor authentication - MFA. We've probably all experienced MFA in some form, whether it's getting an email or a text message to validate a login, or one of the other more complex solutions that are out there. And there are a whole full range of different solutions, some more secure than others. To explain more about the differ

Andy Still 0:00
Welcome, welcome. Welcome back to the cybersecurity sessions. Our regular podcast talking about all things cybersecurity, with myself, Andy Still, CTO and co-founder of Netacea, the world's first fully agentless bot management product. This time, we're discussing some of the challenges around authentication of users. Speaking personally, my day job is building tooling that, among other things, will protect systems from automated attacks to compromise accounts, I can personally validate that up to 95% of logins on some systems are malicious attacks. And one of the solutions that's often held out as the magic bullet to solve this problem is multi factor authentication - MFA. We've probably all experienced MFA in some form, whether it's getting an email or a text message to validate a login, or one of the other more complex solutions that are out there. And there are a whole full range of different solutions, some more secure than others. To explain more about the different approaches, we're joined today by Roger Grimes, who literally wrote the book on security weaknesses in MFA. Welcome Roger, great pleasure to talk to you today. Before we start doing a quickly introduce yourself, for our listeners.

Roger Grimes 1:04
Sure, I've been doing computer security for 34 years, earned all of these grey hairs, I've written 13 books, probably 1200 magazine articles, and I think, probably 50 to 100 articles on multi factor authentication. And I did write a book called Hacking multi factor authentication. I'm not sure if I'm a world expert, but I probably have pretty good insight into the good and the bad and the ugly of MFA.

Andy Still 1:27
I think you certainly know more than well than a lot of people out there. I think MFA is often kind of held up as a silver bullet solution to protecting online credentials. Do you want to give some background how MFA has ended up having that air of ultimate trust?

Roger Grimes 1:42
You know, I think ultimately, it's logical to think that, well, if I have to provide one form of authentication, which traditionally would be a login name and a password, so if I have to provide one type of secret, my password, to prove that I'm attached to this identity account, that if you asked me to provide multiple different types, you know, the something you are, something you know, something you have type thing, that it seems inherently logical that it's harder for an attacker to compromise two or more factors than it is one factor. I mean, so theoretically, it is harder for that. And so I think it's made sense to us for decades to go, "Hey, we need to get people off of just using a password and go to something more secure called MFA." But I think the theory is this one thing. And what I noted was in practice, it's not quite doing this. Well, you know, and in some cases, it's far weaker than most people think, that's kind of a problem is that everybody that uses MFA, if I was to interview them, they "Oh, yeah. I think this protects me a lot more. I've been told this stops me from being as easily phished." And the reality is that for 90, 95% of it, I can bypass it as easy as if it was a password. So for the vast majority of us, it really isn't as secure as most people think. But they think it is. Yeah. And so that itself presents a problem.

Andy Still 3:04
Yeah, I think that ended up with people thinking I've got MFA, I don't need to worry about it. And do you think part of the issue is that MFA is not one thing? Is it? There's plenty of variations of it. And I think it's the second factor of authentication. Is it the case that that's kind of been watered down over the years to being from, something you physically had, you know, used to have those kinds of separate tokens and things like that to be in a lot more loose? And is that kind of where the weaknesses have started to come with MFA?

Roger Grimes 3:33
Yeah, I mean, I think that's part of it, that it's watered down. But sadly, most of it is kind of coalesced, the most popular stuff that people are using are using the weaker stuff. Because we're humans. And even when we move to something more difficult, we want to move the least more difficult thing. And so interesting enough, 20-30 years ago, there were MFA solutions like smartcards and RSA SecurID and stuff were actually more secure than most of the stuff we're seeing today. Even RSA SecurID 30 years ago. So the RSA secure ID might have been one of the more common forms people saw, you this little device, and it has this six digit, one time password, they call it that you type. Well, early on when I used that decades ago, before I typed in that digit, I would have to type in a four-digit code that was static and never changed like a password. So the RSA thing would come up, I'd have to do my login name, then I would have to put my four digit code and then my six digit code and type that in. Well, even today, RSA secure ID because everybody else only requires a six-digit code, they got rid of that four digit something, you know requirement. And so even the more secure forms have disappeared, or smart cards, smart cards are actually a fairly secure form of MFA. And "oh, it's so hard to use an expensive to maintain and technical support costs are terrible" that they went away. And what's taken over are these cheaper, easier to use forms that are not nearly as secure.

Andy Still 5:01
Yeah. And I think that the big pushback when we're talking to customers about MFA is always just our customers won't stand for it. "We don't want to inconvenience customers." I'm guessing from some of the weaknesses MFA is that basically, compromises have been made to, to reduce that amount of inconvenience to make it something that's palatable to customers. But in the meantime, you've lost a lot of the value you're getting from MFA.

Roger Grimes 5:26
Yeah, there's almost two schools of thought, a really popular school of thought that I've seen espoused by many people, let me say leaders of nations, and leaders of the largest cybersecurity companies like Google and Microsoft, I heard a senior VP of Microsoft that was pushing MFA said use any MFA, even if it's weak MFA. And I am absolutely diametrically opposed to that. Because to go from login names and passwords to MFA, it takes a whole mindset, a cultural mindset, you've got to argue that you want to do it, you got to convince senior management, you've got to go through a procurement, deployment, support, operations. And I think if you told them, you know, "hey, by the way, we're switching to something that's barely better than passwords. And we could choose options that would be significantly better, and have to go through basically the same expense and same training, the same support costs," they would always go with the significantly more secure options. And it's just kind of a sad thing that the vast majority of people, I mean, not, and let me say, not even, you know, regular people, I mean, IT security people, I give a lot of seminars on hacking MFA. And when I show people how easy it is to hack MFA, there's not an audience where the mouths aren't dropped. And I'm pretty much only giving these to IT security people, and they're there. "Oh, my goodness." And not only this, but the US government has said since 2017, and again, and 2020 and 2021, a presidential executive order. So our government has said don't use these easily phishable forms of MFA, anything SMS based, anything tied to your telephone number, push based MFA, anything that asked you for a one time code. I mean, that literally describes 90, 95% of MFA used by people. It's Google Authenticator, Microsoft Authenticator, that sort of stuff. And the US government's been saying for five years, don't use it. And let me say, does anyone think that any government organization is on the cutting edge of cybersecurity policy? You know, they're not!

Andy Still 7:29
No, no, I think it's fascinating that that is out there as government policy, because that is definitely not reflected in the general consensus in the industry, which I think is much more around the what you were saying before about Google and Microsoft have any MFA is better, you know, thinking of our internal security policies, there is mandatory MFA on almost all our systems, but it is all the kind of MFA systems that you're talking about today. So I think it would be interesting just to go into some more details about how MFA can be exploited, what kind of techniques can you share with those around that?

Roger Grimes 8:04
Yeah, so probably the most common one that defeats 90, 95% of MFA out there is what's called a man in the middle attack. So I send you an email that you think is legitimate, but it has a phishing link. So you think it's coming from Instagram, Facebook, Twitter, Microsoft, your IT team, or whatever. But it's a phishing email with an alternative link, rogue link in it, that you get tricked into clicking on and we know from phishing attacks being the most common attacks in the world, that it's not that hard to convince people to click on a link. When you click on this rogue link, it actually takes you to a fake man in the middle of website. And that website then directs you to the real website that you thought you're going to Facebook, Instagram, Google, whatever. And then you now have this evil man in the middle proxy website. And if you looked at your URL, you would see that it isn't really taking you to the right place. But that man in the middle website, everything you type in, it sends to the evil website, then to the real website, and everything coming back from the real website. So all your data, your content, the login screen, it's all coming back to the victim. But the man in the middle website from the evil guy is capturing it all. So eventually, when you type in your, let's say, your six digits, your four, six-digit code, they're capturing that and they can use it or they can just capture what's called your access control cookie token, whenever you log in successfully to a website, and it's like, oh, you've been authenticated, you get this cookie. And it's just a text-based thing. And they capture it. And then they cut your connection and reuse your cookie and login as you and then they change your password. That's one way. Another way is I can pretend to be, let's say from Google technical support, and I can send you a message going, "hey, there is a problem with your account or somebody else is trying to log into your account. We're gonna send you a Google authorization code and you need to type that back and response to us so we can prove that you are who say you or otherwise we're gonna block your accounts." And then what they do is they go into Gmail, reset your account, or they claim that they lost your password. And Google's nice like, "oh, how do you want through the code sent," and they can say, "oh, send it to SMS," then gets sent to that person, that person gets that code types in response to the message, because SMS itself is you can't tell who anyone is that sending you a message, you don't really know who those people are. So if you respond to the code, it's game over. And those are two quick, easy methods that work against a lot of today's authentication, or even, the third story's push-based MFA. When you get this code and your phone's like, "Are you sure you want to log in? Yes or no?" Well, it turns out that a lot of people will say yes, even when they're not actively logging in, it kind of befuddles my mind. But it's like the people that created push-based MFA didn't understand how weak us humans are. And the percentage of people that will just say yes, even when they're not, dozens and hundreds of times. And so real-world hackers and penetration testers often send these messages to people and they're like, "Oh, yes." And it's funny you ask yourself, did IT when they are deploying push base MFA not tell them, "Hey, if it's not you logging in, say no, and report this to it?" Or did they say that and they just didn't hear it? I thought it's probably most of the time, like you said, deploying MFA is tough. And so the IT team's like, "okay, when you get this, what would you do?" You hit yes. You know, they're just trying to get their employees to use the new method, and maybe the under emphasized or skipped, or just thought they should be bright enough to know to say, you know, it's not them. But turns out, we're not.

Andy Still 11:39
Yeah, in the article that you wrote in there. So like the story of the company who, the workers were finding this too much overhead, so they'd all rerouted the approval to their manager. So their manager was just automatically approving any login attempts, because he didn't know if anyone was logging in, but ultimately it saved them all time. Didn't so like you say, it's surprising what people will do.

Roger Grimes 12:01
Yeah, let me say in the MFA solutions can make small modifications that make them more secure, like the one where the guys were, it was the oilfield workers redirecting their SMS messages to them. They just told the SMS, oh, the boss's phone number's my phone. And the boss was just approving every login was coming his way regardless. But you can make it harder by saying, oh, there's a code on the screen, you have to not only approve, but you also have to type in that little code that's on your screen. So you prove that I'm actually in front of the login screen, seeing this code. So that's kind of the saddest part is they're literally, most cases of MFA, you can make small changes and adjustments and make it far more secure.

Andy Still 12:41
Okay, so if we're looking at MFA, we've talked about some of the weaker areas, what would you say with the best examples of MFA, the best types of MFA in terms of security?

Roger Grimes 12:51
Yeah, you know, because I say 90 95% of it is easily fishable and bypassable. It really, when I started to think of, I need to create a list of what is good MFA and I created an article called this is my list of good MFA or something like that and put it on LinkedIn. It was a very short list at first, but there are lots of good examples out there. And I would say things certainly what comes to easy to mind is FIDO, fast identity online, FIDO, that's an alliance, and anything that is FIDO enabled is significantly harder to attack. And that's because they tie each particular website to the physical token. And if you get a man and little website, it just doesn't work. Because that man in the middle website that you're interacting with your token doesn't understand that man and middle website, you know, smart cards work because again, tied to a particular device to a particular PC, anything that ties particular websites to particular devices and prevents these man in the middle attacks is a good thing. There are plenty of solutions out there like beyondidentity.com is another one where they essentially treat your laptop as a trusted device. And there's a public private key. And the man in the middle website just doesn't work. Again, some of the push-based authentication and one time password solutions, they will do what's called geo identity stuff going okay, you're Roger Grimes, you're logging in from Tampa, Florida every day. And if all of a sudden, you're logging in from China, maybe I shouldn't approve it automatically. Or they do you know, there's lots of things where like, okay, Roger logged in from Tampa, and an hour later, it's claimed me logged in from Russia, that's probably not possible. And we probably don't want to approve that. So on LinkedIn, people go to LinkedIn, follow me, I've got some got a list of good MFA that I like, and you know, there's probably 100, 200 solutions represented in what I recommend. It's probably sad that, and unfortunate that it's not used by even probably 1% of the world yet. That's the sad part.

Andy Still 14:48
Yeah, I can see the way that we could use these more sophisticated solutions with, certainly like internal business logins, maybe for high value relationships, like banking. And things like that. Do you see that there will be a case in the future that MFA for wider usage? So, B2C relationships?

Roger Grimes 15:09
Yeah, it's, it's, it's exploded already, at least in the States. And I think everywhere because of Google Authenticator, Microsoft Authenticator, and they're blasting the horns, "it protects you a hundred percent, 100% of attacks would have been blocked,” you know, I read those news stories, I just want to cringe, you know, like 100% of attacks are blocked by MFA. And it's not even true even in their context. But you know, it's what gets repeated and said, the media picks it up. But you know, so I think MFA is exploding in use everywhere at home. And you know, probably the unfortunate thing, too, is most of us now have multiple MFA, I've got one that I log into my laptop and work, I have another when I'm going to my Gmail account, I got another I got to use when I go to my bank. So not only do I have 70 passwords, I now have like 20 different MFA solutions, and they're all different. That's the part that's gonna be tough to solve. So we are exploding in MFA. And now I got to remember passwords and MFA things. But again, what I'm hoping, the word I want to get out is that sometimes, it's as easy for a vendor like, if you get a YubiKey, YubiKey from Yubico is a really popular MFA option, use it as a USB option, you plug in your laptop, you just touch them, or whatever, the same token comes as FIDO and non-FIDO. And all you have to do is choose FIDO to get the FIDO, which gives you this extra protection. But people don't know about it. And to be honest, FIDO can be more complicated to initially configure, but literally the same token, all you have to do is say I want to enable the FIDO part and set that up. And then you get that extra protection for using the same device.

Andy Still 16:44
Yeah, and I think there's a degree of this about education isn't... there's a degree of this about investment from companies in not just accepting the simple MFA solution?

Roger Grimes 16:54
Yeah, I mean, that's the big thing is when I tell people, "Hey, you're using something that can be hacked by a phishing email," they're shocked. They're shocked, then I go, "Hey, and by the way, there are options out there that that isn't true about," that changes the conversation, but the vast majority of people aren't. So it really is a part of education, it's education to senior management, it's education to the people that are pushing for MFA. It's education for the purchasers of MFA. It's education for the MFA vendors. Like, the MFA vendors themselves need to know that we need to use something that isn't is easily hackable as a password. I mean, I think, again, if you tell board of directors and CEOs and CSOs, we're going to make this multi-10, 100-million-dollar investment, cause all this disruption on our business and move people that this new way of logging in and disrupting their lives slowing down their productivity. And in the end, you're not really getting that much more than you had with a password. I think a lot of people would be hesitant. And if you told them, oh, by the way, you can do the exact same stuff, exact same decision, but choose an option that's far more secure. I think just educating them that, hey, there are good options out there that you can use, we'll help them select those better options. And that will force the vendors that aren't offering the better protection to modify their products, because they won't survive in a world. But right now what I think's happening when people say just use any MFA, even if it's weak MFA is we're setting up additional organizations to now be, "Oh, my God, I followed what they told me to do. We still got hacked. I don't believe any of these cybersecurity people," right? We're literally creating problems of future distrust, because they're listening to us. They're moving in a certain direction, they've taken the time, the money, the resources, the disruption, and ended up in the same place, they're gonna think we lied to them.

Andy Still 18:43
Yeah, I think it creates a false sense of security as well, doesn't it? People think, Oh, it's MFA, I don't need to worry about that. I don't need to worry about phishing emails in the same way. And I don't need to worry about being as protective around my user details, because it's all protected by MFA. So from a consumer point of view, what would be the advice that you gave to us as individuals to avoid these kinds of exploits of MFA, given that we are stuck with the version of MFA that's provided by whoever we're trying to authenticate with?

Roger Grimes 19:14
So yes, I think number one, for some of these attacks, is just be aware of some of the popular attacks, right security awareness training. Number one, you have to look at URLs in every email, hover over them, make sure they're going to the right place. And you have to know that multi factor authentication provides some protection but not all protection. So I still have to apply normal rules and look at what I'm clicking on. If I have pushed based MFA, I need to know to not say yes, if I'm not there, that sort of stuff. Sometimes you have the opportunity to select what type of option you won't try to pick a more secure option. If you're a consumer that becomes a buyer and you're getting to choose among options, try to choose a more secure option. If you currently have an option that's possibly easily phishable, start to ask that vendor to use offsetting defenses and mitigations to help it be less phishable. So number one for consumers is just be aware that MFA does provide some protection, but probably not as much as you think. Pay attention to links that you may look on. Learn, I would say, I really would love it, it would be my dream if the people that handed out MFA would say, "hey, just be aware of these sorts of attacks, these common attacks are used against this type of MFA, so be aware of it." But that doesn't happen. You know, I go to my bank, and like, "Oh, you have to sign up and use this type of MFA," they never educate me, what do I need to look out for that might be used against me. So that would have been my dream is that every time you're handed MFA, if you're not allowed to choose a more secure form, that they educated you slightly about the sort of attacks, like, I get pushed based MFA every time I log into Gmail. At no time did they actually spend any time, they didn't send me a 30-second video going, "Hey, if it's not you logging in, don't say yes." Just a simple little education thing would really help prevent a lot of pain.

Andy Still 21:07
Yeah, that makes sense. And I think it is true for anyone who's listening in that some MFA is still better than no MFA but, just be very cautious around it, would be your message to consumers?

Roger Grimes 21:19
No. So there are some forms of MFA that are actually weaker than a login name and password.

Andy Still 21:24
Interesting.

Roger Grimes 21:25
I'm kind of contrary to that. I'm like, nope, nope. You know, that's the message that a lot of people, "any MFA is better than..." you know, people ask me, "What about SMS based MFA? Isn't that better than passwords?" No, no, it's not. It's, you know, and not only that, but it gives you to most people, they have the false imagination, assumption that it makes them significantly harder to hack. So I think that if you have someone who has a login name and password, they kind of know what the attacks are. And they're kind of aware of them. And they're trying not to hand them out. If you tell somebody, you're far less likely to be hacked, because you're using this thing. I think they actually work against you. I actually talked to a CIO of a large credit union in the US. And he said, we've been hacked successfully, more customers, since we went to MFA. And he said, I wish we could undo it and go back to login name and password. And I think that matters more than me... I'm just some cyber talking head, saying blah blah blah blah blah, that guy's in the field. And he's saying we're having more attacks with MFA. So I would say not all MFA is better.

Andy Still 22:29
That's interesting. Very interesting. And just before we wind up, putting your future gazing hat on, is there a better future than MFA? What would be your kind of ideal for authentication?

Roger Grimes 22:43
Yeah, you know, I think the future is going to be more like the zero trust promise where you know, right now our model is you get authenticated. And then you're allowed and can move all around the building, do everything. But I think zero trust and behavior stuff, the future of authentication is more like credit cards, and that they let you buy and do stuff and you never stop. But one day, if you're buying two TVs, in another country, like "Oh, hold on, maybe we need to verify this," I think that's the future of authentication is that they're gonna look and analyze your user behavior. They say, you know, if Roger comes into his bank account every day, he checks his balance. Okay, that's normal behavior. But if all of a sudden he's transferring $10,000 to a brand new Russian bank, maybe that's something we should ask for additional authorization on. I think that's the, the future is actually probably not really MFA at all, it's probably more looking at your user behavior, and asking for more authentication when you do something potentially dangerous.

Andy Still 23:37
Yeah, that is very true. Like most things, it's more like what you would do in real life. You wouldn't ask them on who they were, and then trust them, once they told you, you would carry on monitoring what they were doing. And you'd be more interested in what their actual actions than how they validated themselves. So again, it's a journey that we're all on together. I think the authentication journeys, one of the key things that we will see evolving in cybersecurity over the coming years, because it is a key point of weakness of most systems.

Roger Grimes 24:06
Yep, yep. And you know, it's probably the only frustrating part is we could do things better for everybody. And we tend to wait till there's more blood on the ground and there needs to be we always take every lesson the hard way.

Andy Still 24:21
Absolutely, we tend to have to wait till it's all gone horribly wrong. And then people will invest the amount of time and money and inconvenience and change that they need to get to the next phase. Thank you very much, Roger. I think that's been a fascinating conversation. Hopefully, everyone at home is not too terrified to ever walk into any system again at the end of that. Hopefully everyone has found that that interesting. If you have any feedback, please review, subscribe to our Twitter feed @cybersecpod. If you've got any questions, you can also email us at podcast@netacea.com. So we'll just round up by saying thank you very much again to Roger and we will hopefully meet you all again at the next episode of the Cybersecurity Sessions.

Roger Grimes 25:04
Great, thanks everyone.