How to Make Multi-Factor Authentication Even More Secure
Multi-factor authentication is one of the best ways to thwart bad actors using stolen credentials — but it’s not foolproof. Here’s how bad actors are circumventing MFA protection, and 11 ways Duo can help you strengthen your security posture beyond standard MFA.
Year after year, the Verizon Data Breach Report highlights the fact that compromised credentials contribute to the majority of breaches — and MFA remains the strongest mechanism to deter the use of stolen passwords. However, while implementing MFA decreases the risk of account compromise by 99.9%, there will always be bad actors looking to break through even the most robust defenses.
For example, recently there has been news regarding MFA phishing kits. These kits can take advantage of reverse proxies, acting as a “man in the middle” to snag an end user’s valid access token. The prevalence of such kits is unknown, but the risk is worth taking seriously.
First, let’s dissect the structure of using these kits. Keep in mind the strategy here is just an adaptation of existing attack vectors, which focus on end user manipulation. The attacker is sending a user through a proxy and retrieving credentials and/or session tokens by manipulating the end user into thinking they are authenticating into a legitimate resource or application. These attacks are not necessarily new, but hacking tools/scripts and scripts are constantly evolving and have made it easier for attackers to execute them.
At Duo, we think about addressing these attacks in a few ways, both in and outside of our own MFA platform.
Key Controls and Features You Should Consider
Implement Domain Security Features
First and foremost, utilize Duo’s Allowed Hostnames feature to mitigate abuse of the Traditional Duo Prompt. This function disallows non-verified servers, like those popularized by tools such as Modlishka, EvilGinx2, and Muraenathe, from displaying the Duo prompt.
Where possible, upgrade to the new Universal Prompt. The Universal Prompt provides a "frameless" experience (with OpenID Connect under the hood) that no longer renders the Duo Prompt inside an iframe.This circumvents the need to rely on an allowed hostnames list to provide security against domain name redirect and spoofing-type exploits.
Promote or Require Stronger Form Factors
Where possible, restrict the Duo authentication methods policy rule to only use Duo Push, TouchID and/or Security Keys (WebAuthn/U2F) either per application or at the global policy level. This helps minimize the attack surface vulnerabilities of one-time passcode (OTP) factors like SMS, hardware tokens and Duo Mobile OTP.
OTPs can be phished like primary credentials and used to access 2FA protected applications. It’s crucial to assess the potential of removing or limiting this functionality with policy controls to avoid the manipulation of this authentication method if a user becomes successfully phished.
Step up to Verified Push, a more secure Duo push method. Duo’s Verified Push requires users to enter a code from the access device into the Duo mobile app. This prevents a user from absent-mindedly accepting a fraudulent push attempt or accepting a push request in order to stop a push harassment attack.
Strongly consider testing WebAuthn Security Keys functionality. You can restrict specific applications by policy in Duo to only allow WebAuthn, which prevents less-secure authentication methods from being used. WebAuthn is available on browsers including Chrome, Safari, Firefox and Opera, and newer versions of Chromium-based Edge.
Finally, consider using the new Duo Passwordless authentication functionality. Passwordless removes the password from the authentication and relies on asymmetric keys to verify the user. The feature is still in public preview, but well worth testing where applicable.
Implement Strong Device Trust
Placing tighter controls around the status of devices accessing resources also decreases the attack surface.
Duo’s Trusted Endpoints functionality enables organizations to identify and detect the management status of an access device, then set policy around that status.
In this way, organizations can limit or block access from unmanaged or unknown devices.
Leverage Risk Detection Functionality
Duo Trust Monitor sorts through an organization’s historical authentication logs and creates a baseline of normal behavior for workforce access. The tool then surfaces suspicious authentication events for review. Trust Monitor provides deep explanatory context for each security event, not just a “risk score,” so administrators get up to speed and can remediate risk quickly.
In cases where an attacker is attempting to phish users, Duo Trust Monitor should see anomalous components of the access. For example, the feature can highlight both unfamiliar locations or device attributes, but also attack patterns like brute force and physically impossible location data.
In cases where organizations have a security information and event management (SIEM) tool, Duo always recommends feeding Trust Monitor data into it. By nature, SIEMs have powerful querying, filtering and alerting capabilities that customers can build to quickly alert admins and security teams of suspicious login activity.
Provide awareness training to end users and test preparedness with simulated phishing attacks that mirror documented vulnerabilities/attack vectors. As phishing emails grow more sophisticated, these efforts can make a big difference in prevention.
Update and Refresh Email Security Tools
Ensure all email phishing protection schemes are considered to prevent known attack methods including strong DNS record DMARC validation, dynamic anti-phishing filtering, DNS whitelisting, country blocking, & various other content & prevention controls.
With all of these controls in place, organizations can bolster their standard defenses against attackers specifically targeting multi-factor authentication. And while attackers may never slow down, neither do we. At Duo, our roadmap includes feature functionality specifically targeted to maintain comprehensive access security.
Duo Roadmap Investments
Passwordless Authentication: Duo’s Passwordless feature is in Public Preview and we plan to continue investment in this new method of authentication. We’re eager to say goodbye to passwords, and we’re excited to help organizations do away with password-based authentication for good.
Risk-Based Authentication: Duo is investing in incorporating new signals and controls at the point of authentication to ensure that the most risk-appropriate experience is invoked, from block or traditional 2FA, to a passwordless requirement.
Cisco Secure Integrations: Cisco has a broad security portfolio, and we’re looking to make the most of it in new and innovative ways. While we’ve already delivered an integration with Cisco Secure Endpoint, our ties into other offerings will only increase in the coming months.
If you’re curious about a specific case or you’d like to talk with us about secure access strategy, we encourage you to contact us.
Try Duo for Free
Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.