Multi-Fail Authentication: You might be doing MFA Wrong

Posted by Ryan Preston on February 11, 2019 Link 

Bill

How hackers are getting a foothold in Spring2019!

You've probably seen one or two of those 'Top X ways I Hacked You' lists by now. You've read that it's easy enough to guess a weak password given a list of accounts pilfered from the internetz. So, what does everyone suggest? 2FA or Multi-Factor FTW! This is great, and drastically reduces the chances of some far-off ne'er-do-well from getting into your network. However, I've seen multiple cases where the implementation didn't go as well as hoped. Without further ado, your 'Top 4 Ways You Might Have Poorly Implemented Multifactor'

1. !(Forced) Enrollment  


You went out and found a MFA solution you liked. You started up a new project to get it on everything. You sold the CEO on the new product and that the company is now safe from hackers guessing passwords. Then I come along and walk right through. Arg! Now the boss is mad, you've 'wasted' a bunch of time and effort on something that didn't work. What happened? Sure enough, you sent that email out and told everyone they could now turn on Multi-Factor for their accounts and come to find out the account I took over didn't decide to set it up. Yep, turns out you can't just lead a horse to water, you have to force it down with a hose.
Make sure to Force-Enroll your people. You might best do this with a bit of a grace period sure, but at the end of the month, everyone must be enrolled, or it doesn't work. Bonus points if you already have everyone's cell numbers in your Active Directory to pre-setup the MFA with the correct phone numbers.


2. Full Enrollment

Ok, same story, though this time you did choose force enrollment. Next time every one of those 'users' logs in to the Citrix or VPN they will be forced to enroll. That should stop those pesky hackers. Ah-Hah! I say to you. I broke right in, again. Another report, another Spring2019! walking through the door. Well now what happened?

Meet Karen. Karen is a part-timer that works the weekends and doesn't really have to do too much on a computer for her work. Everything is on her workstation and she doesn't need to take her work home with her. Karen doesn't even know there is a Citrix or VPN portal that could be used. She's never logged in. Mr. awsmhacks comes along and guesses her clever CompanyName2019 password and is brought to the MFA enrollment page. He gets himself all signed up on his phone. Now if Karen ever does hit the VPN, awsmhacks only has to accept that login request on his phone. Karen never even finds out she was hacked.

Make sure only the people that NEED access to the endpoints have them. Turning on multifactor, even enforcing it, doesn't help if the hackers get there first.

3. Push Notifications


Dawggummit, that awsmhacks has rekt us again. We've turned on multi-factor, forced enrollment, even removed access to the people that don't need it or didn't access it in the first week. Hold on, Outlook is asking for my password again, I swear since that win10 update in October I have to authenticate 20 times a day just to get any work done. Hacker's love these little annoyances users just get used to. Inevitably, if you use push notifications, the ones that just prompt for a 'yes/no', someone is going to just say yes if they get spammed. I'm not saying it happens 100% of the time (even though they say 100% of the statistics you read online are false) but it does happen.

I prefer using pin codes instead. While you or I might get one of those notifications out of the blue and instantly start cancelling credit cards, deleting pics off iCloud, and get in contact with a PR firm, the average user just doesn't think that way. They might say no a few times but if it just keeps popping up they will eventually click yes to make it stop.

Push notifications can be a way better user experience to be sure, just make sure the proper training has been conducted. Users should be aware if they get a notification that it means they have been hacked. They need to report it to security and promptly change their password. If you really don't trust the users just make them type in the code.

4.-gotten Endpoints

Finally, lets not forget when you multi-factor, multi-factor everything. You think that Citrix endpoint only provides access to apps? Wrong, there's apx. 3.14159 million ways to escape applications down to the citrix host (you might even be providing remote desktop already). Only have OWA exposed? Check out a lil tool called Ruler, and if you're patched for the RCE you still wouldnt want company email accounts used in phishing or the new hotness, whaling. Sharepoint certainly couldn't be exploited right? Wrong again, besides worrying about the recent RCE's, consider what sort of data you have stored on said Sharepoint site, or FTP server, or anything really. Anywhere you have data, hackers gonna hack.

 

Multi-Factor Authentication Works

Sure, there are going to be bypasses and MFA doesnt solve every problem. You also probably aren't being targeted by nation-states with the ability to hack phone towers and steal MFA codes. The bypasses will get fixed and more and more MFA support is expanding. Simply put, multi-factor authentication is a must have on externally facing endpoints. Just make sure you don't 'think' you are protected and find out the hard way it wasn't turned on. From what I've seen one solution isn't any better than the others aside from minor conveniences so just get something that works for you. Follow deployment to a T and you can at least rest a little bit easier at night knowing Karen's account isn't VPN'd in from Russia.

Questions? Comments? Want me to test your perimeter? Contact me - ryan@depthsecurity.com or send me feedback @awsmhacks

Now if we could just get people to stop trying to access that million bucks Bill Gates is giving away….

Have Questions?
Get Answers