How Adaptive MFA Helps Mitigate Brute Force Attacks
Before public cloud services, large-scale computing infrastructure was expensive, hosted on-premises, and reserved for big enterprises, governments, and universities. Now, anyone with a credit card can access an unlimited supply of cloud apps and computing power.
While cloud computing offers many benefits, its accessibility has also made identity attacks targeting passwords much more popular. The frequency of these attacks has increased sharply over the last few years. As more services move online and the value of data grows, identity attacks will become even more popular.
How are hackers targeting passwords?
Hackers have a variety of techniques at their disposal. Exploiting vulnerabilities in software or deceiving users through social engineering are two common tactics, but brute-force attacks are gaining ground through the use of automated bots. A recent report from Akamai indicates that “more than 40% of global login attempts are malicious, thanks to bot-driven credential stuffing attacks”. This increases the likelihood of attacks affecting your organisation.
Two types of brute-force attacks that target passwords have recently gained ground:
Credential stuffing: This attack takes advantage of users sharing credentials across multiple accounts. Most people have had account credentials compromised as part of a data breach. Attackers acquire credentials from a website breach and use bots to enter these credentials into a variety of sites in the hope that they will grant access.
Password spraying: This attack takes advantage of our tendency to rely on common passwords such as “password1” (which, according to the password checking site HaveIBeenPwned, has appeared in a data breach over 2.3 million times). Attackers try a short dictionary of commonly used passwords against many different accounts, keeping the number of attempts per account low, which helps them avoid detection.
Once attackers encounter a successful login, they either harvest sensitive data or execute the next stage of their breach.
How can Okta mitigate identity attacks?
Given the popularity of these attacks, knowing how to prevent them has become more important. Although there’s no silver bullet to block brute-force attacks, here are two approaches that can help:
Account lockouts
A common approach involves locking users out of accounts after several incorrect password attempts. While this approach is useful, it still relies on password authentication, only slightly reducing the likelihood of account compromise. Hackers could also use this feature to affect your service availability by locking out legitimate users.
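The two attack patterns described above, and the blind spot of a per-account lockout counter, can be made concrete with a small log analysis. The following is an added example, not code from the original article or from Okta: the log format, the field names and the thresholds are assumptions, and the log lines are constructed for the demonstration. It shows why per-account lockouts catch a single hammered account but miss a source that spreads a few attempts across many accounts, and it flags the successful logins that came from such a source.

```python
"""Detection heuristics for credential stuffing and password spraying
in authentication logs, alongside a per-account lockout counter.

Added example with assumed log format "<time> user=<name> src=<ip> result=<ok|fail>"
and assumed thresholds; not Okta's logic.  The log below is constructed.
"""
from collections import defaultdict

# Constructed sample: one source spraying six accounts once each (and
# getting into "frank"), one source hammering a single account, one user
# mistyping her own password twice, and one ordinary login.
SAMPLE_LOG = """\
2023-01-01T10:00:01 user=alice src=203.0.113.5 result=fail
2023-01-01T10:00:02 user=bob src=203.0.113.5 result=fail
2023-01-01T10:00:03 user=carol src=203.0.113.5 result=fail
2023-01-01T10:00:04 user=dave src=203.0.113.5 result=fail
2023-01-01T10:00:05 user=erin src=203.0.113.5 result=fail
2023-01-01T10:00:06 user=frank src=203.0.113.5 result=ok
2023-01-01T10:01:00 user=victim src=203.0.113.77 result=fail
2023-01-01T10:01:01 user=victim src=203.0.113.77 result=fail
2023-01-01T10:01:02 user=victim src=203.0.113.77 result=fail
2023-01-01T10:01:03 user=victim src=203.0.113.77 result=fail
2023-01-01T10:01:04 user=victim src=203.0.113.77 result=fail
2023-01-01T10:05:00 user=alice src=198.51.100.7 result=fail
2023-01-01T10:05:10 user=alice src=198.51.100.7 result=fail
2023-01-01T10:05:20 user=alice src=198.51.100.7 result=ok
2023-01-01T10:06:00 user=bob src=192.0.2.10 result=ok
"""


def parse(log_text):
    """Turn the assumed key=value log format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"ts": ts, "user": kv["user"], "src": kv["src"],
                       "ok": kv["result"] == "ok"})
    return events


def accounts_locked(events, lockout_threshold=5):
    """Accounts whose failure count reaches the per-account lockout threshold.
    This is all a classic lockout policy sees: one counter per account."""
    failures = defaultdict(int)
    for e in events:
        if not e["ok"]:
            failures[e["user"]] += 1
    return sorted(u for u, n in failures.items() if n >= lockout_threshold)


def suspicious_sources(events, min_users=5, lockout_threshold=5):
    """Sources that fail against many distinct accounts while keeping each
    account below the lockout threshold.  Both credential stuffing and
    password spraying produce this shape, and the per-account counter
    above never fires on it."""
    per_src = defaultdict(lambda: defaultdict(int))  # src -> user -> failures
    for e in events:
        if not e["ok"]:
            per_src[e["src"]][e["user"]] += 1
    return sorted(src for src, users in per_src.items()
                  if len(users) >= min_users
                  and max(users.values()) < lockout_threshold)


def compromised_logins(events, flagged_sources):
    """Successful logins originating from a flagged source: the accounts an
    analyst should treat as likely compromised."""
    flagged = set(flagged_sources)
    return [(e["user"], e["src"]) for e in events
            if e["ok"] and e["src"] in flagged]


def report(log_text, lockout_threshold=5, min_users=5):
    events = parse(log_text)
    sources = suspicious_sources(events, min_users, lockout_threshold)
    return {
        "locked_accounts": accounts_locked(events, lockout_threshold),
        "suspicious_sources": sources,
        "compromised_logins": compromised_logins(events, sources),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log the lockout catches only the hammered account, while the spraying source is identified by the distinct-account count and its one success on "frank" is surfaced for follow-up.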
Multi-factor authentication (MFA)
Multi-factor authentication offers a better way to secure the login process. By requiring users to submit more than one authentication factor before gaining access, it mitigates the inherent risks of using a single password and is an effective defence against automated attacks.
These authentication factors typically fall into one of three categories: knowledge, possession, and inherence.
Knowledge. A knowledge factor relies on something you know. Passwords are the most obvious example, but personal identification numbers (PINs) and answers to security questions also count. Knowledge factors must be remembered, giving them the same weaknesses as passwords. People deliberately use PINs that are easily remembered and share them across multiple accounts.
Knowledge factors are also often found in the public domain. You can easily use social media or public records to discover answers to typical security questions such as a person’s first school or mother’s maiden name.
Possession. This factor is something you must physically carry during the login process. It is an effective defence against automated password attacks because an intruder would need the physical device for access. The banking industry has combined knowledge and possession factors for years in the form of PINs and ATM cards. Other possession factors include U2F tokens, One-Time PIN (OTP) codes, and push notification technologies like the Okta Verify app.
While possession factors do improve authentication security, they can also be lost or stolen. In that case, an attacker could compromise the user’s account and lock them out.
Inherence. An inherence factor uses traits that are unique to each individual. Biometric identifiers, like fingerprints, retina scans, and facial recognition, fall under this category. Requiring users to submit this unique information during the login process offers an effective defence against brute-force attacks.
Like knowledge factors, inherence has a potential downside because biometric information can be found in the public domain. We leave our fingerprints on every surface that we touch, and our faces are in images on social media. While it would take a much more determined hacker to gather this information and use it to impersonate a user during authentication, biometric factors are still not absolutely bulletproof.
When you deploy MFA, it’s vital to consider which verification factors are right for your organisation. Each has its own pros and cons. Security is critical, but there are other issues to bear in mind, including the impact of a verification method on the user experience and the overhead involved in managing it. Some verification technologies are easier to apply than others and offer a better user experience, but do not provide the same level of security as complex MFA deployments.
For example, it is easier to manage a password or PIN-based solution than it is to issue each user with a hardware token. Simple PIN entry is also more convenient for users than carrying a physical device with them. On the other hand, a knowledge-based factor alone does not offer the same level of assurance as a possession factor.
There are other issues to consider too, such as the accessibility of the technology involved. For example, using certain devices or smartphone apps to deploy MFA may not always be feasible in every scenario. Smartphones are less available in some regions than others, and they would not be a practical authentication device for users in every market.
Adaptive multi-factor authentication (AMFA)
In some instances, you may only want to implement MFA when you need a higher level of assurance. Understanding the context of the user, device, and network can help organisations apply the right level of authentication for the risk involved. A bank may allow customers to access applications with a single password but ask for OTP submissions to approve money transfers. Organisations may let employees log in using passwords on the company network while requiring a hardware token to sign in from an unverified location.
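The two scenarios in the paragraph above (password-only access but OTP for money transfers; password on the company network but a hardware token from elsewhere) amount to a policy that maps login context to required factors. The following is an added example of such a step-up policy, not code from the original article or from Okta's policy engine: the context fields, the factor names and the rules are assumptions, and the rule that an unrecognised device also triggers an OTP for customers extends the text's examples to the device context it mentions.

```python
"""Adaptive MFA as a pure function from login context to required factors.

Added example; the context fields, factor names and rules are assumptions
modelled on the bank and workforce scenarios in the text, not Okta's own.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Factor(str, Enum):
    PASSWORD = "password"
    OTP = "otp"
    HARDWARE_TOKEN = "hardware_token"


@dataclass(frozen=True)
class LoginContext:
    user_type: str                      # assumed values: "customer" or "employee"
    action: str                         # assumed values: "view" or "transfer"
    on_corporate_network: bool = False  # network context
    known_device: bool = False          # device context


def required_factors(ctx: LoginContext) -> list[Factor]:
    """Decide which factors this login must satisfy, given its context."""
    factors = [Factor.PASSWORD]  # the password is always the first factor
    if ctx.user_type == "customer":
        # Bank scenario: password alone to look around, OTP step-up to move
        # money.  Assumption beyond the text: an unrecognised device also
        # triggers the OTP step-up.
        if ctx.action == "transfer" or not ctx.known_device:
            factors.append(Factor.OTP)
    elif ctx.user_type == "employee":
        # Workforce scenario: password suffices on the company network, a
        # hardware token is required from any unverified location.
        if not ctx.on_corporate_network:
            factors.append(Factor.HARDWARE_TOKEN)
    else:
        # Fail closed on anything the policy does not know about.
        raise ValueError(f"unknown user type: {ctx.user_type!r}")
    return factors


def authorize(ctx: LoginContext, presented: list[Factor]) -> bool:
    """Grant access only if every required factor was successfully presented.
    Extra factors never hurt; a missing required factor always denies."""
    return set(required_factors(ctx)).issubset(set(presented))


if __name__ == "__main__":
    cases = [
        LoginContext("customer", "view", known_device=True),
        LoginContext("customer", "transfer", known_device=True),
        LoginContext("customer", "view", known_device=False),
        LoginContext("employee", "view", on_corporate_network=True),
        LoginContext("employee", "view", on_corporate_network=False),
    ]
    for ctx in cases:
        print(ctx, "->", [f.value for f in required_factors(ctx)])
```

Because the policy is a pure function of the context, it can be unit-tested like any other code, and a change such as tightening the transfer rule is a one-line edit with no effect on the login flow itself.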
Adaptive multi-factor authentication applies this context to help organisations defend against brute-force attacks without compromising usability. AMFA extends the login process with additional security controls beyond just password validat