KuppingCole has written previously on the benefits of adaptive authentication and authorization, and the need for authentication challenges that go beyond the password. These benefits fall largely under the categories of an improved user experience, since the user only gets challenged for multiple authentication challenges based on risk and context, as well as improved security precisely due to the use of multi-factor, multi-channel authentication challenges.
However, these multi-factor authentication challenges only offer additional security if the multiple challenges used for these authentication challenges are sufficiently separated. Some examples of common approaches to multi-factor authentication include the use of one-time passwords sent via an SMS message, or smartphone applications which function as soft tokens for time-limited passwords. These are generally a good idea, and do offer additional security benefits. But, if the application that depends on multi-factor authentication as an additional security measure is itself a mobile application then the lack of separation between the channels used for multi-factor authentication vitiates the possible security benefits of MFA.
Security researchers have recently proven how both a compromised Android or iOS smartphone can be manipulated by attackers in order to enable them to capture the additional step-up authentication password from the smartphone itself. This is one of the outstanding challenges of anywhere computing. Another attack that that is immune to the additional security provided by multi-factor authentication is the man-in-the-browser-attack MITB. With this type of attack, a malicious actor gains control of a user’s browser via a browser exploit. The user then logs into, for example, online banking, and successfully completes all necessary, multi-factor authentication challenges perform a high risk action such as performing an electronic fund transfer, the hijacked browser can be used by the attacker to substitute form data the the user is imputing. In this example the sum could be redirected to a strangers bank account.
With the MITB attack, the user is seen by the accessed service as fully authenticated, but since the browser itself has been compromised, any action the user could have done legitimately can also appear to have been done by the attacker.
With a user’s smartphone already receiving emails and being used for browsing, the additional use of smartphones for multi-factor authentication must be carefully considered. Otherwise, it only provides the illusion of security. These attacks do not make adaptive, multi-factor authentication useless, but they do show that there is no single mitigation approach that allows an organization to ignore the ever-evolving cybersecurity threat landscape.
Tactical security approaches here include careful selection and separation of authentication channels when MFA is used, as well as the use of additional web service and browser scripting protection approaches which have been developed to mitigate MITB attacks.
Yet the strategic solution remains an approach that is not solely focused on prevention. With the digital transformation well underway, it is difficult to employee endpoints, and almost impossible to control consumer endpoints. A strategic, holistic security approach should focus on prevention, detection and response, an approach known as Real-Time Security Intelligence. It should focus on the data governance, regardless of the location of the information asset, an approach known as Information Rights Management.
Unknown and sophisticated attack vectors will persist, and balancing security and user experience does remain a challenge, but the RTSI approach recognizes this and does not ever assume that a system or approach can be 100% immune to vulnerabilities.