Beyond MFA: Why Multi-factor Alone Is Not a Fail-Safe for Identity Protection


Posted on in Podcasts

Most organizations have moved beyond the insecure username and password access control a long time ago and started using multifactor authentication. But as Yahoo, Deloitte, and LinkedIn know, MFA won’t always save the company from a data breach. Not only has MFA access been defeated multiple times by attackers, but users hate it. It’s cumbersome, annoying, increasingly exploitable. In this podcast Violet Sullivan and Jessica Smith will discuss the evolution of MFA, why and how it can be exploited, and what organizations can and should do to address access control in a way that keeps their data security and users happy.

Podcast Transcript

Introduction:
You're listening to the RSA Conference Podcast by the World Talk Security.


Kacy Zurkus:
Hello, listeners, and welcome to this edition of our RSAC 365 Podcast series. Thanks so much for tuning in. I'm your host, Kacy Zurkus, Content Strategist with RSA Conference. And today, I am joined by Violet Sullivan and Jessica Smith who will be discussing what's beyond MFA. Before we get started, I want to remind our listeners that here at RSAC, we host podcasts twice a month and I encourage you to subscribe, rate and review us on your preferred podcast app so that you can be notified when new tracks are posted. And now, I'd like to ask Violet and Jessica to take a moment to introduce themselves before we dive into today's topic. Violet, let's start with you.


Violet Sullivan:
Thank you, Kacy. My name is Violet Sullivan. I am a Cybersecurity and Privacy Attorney, but one that does not work on the legal side and has actually tried to push more and more towards the cybersecurity technical side. So I currently work and lead a forensics team working on incident response, a lot of preventative work to risk assessments, pen testing with a team and connecting them with the insurance partners, the legal partners, all of those pieces. But I also teach this which is more what I like to do in these podcasts is be that more neutral party coming at this from an academic perspective. I teach cybersecurity and privacy law for the LLM program at Baylor Law School. Sorry for long-winded, Jessica, your turn.


Jessica Smith:
Thanks, Violet, and thank you, Kacy, for having us today to chat about MFA. So I got into the privacy space in 2013 and I joined AllClear ID through a Craigslist ad, which is funny looking back on it now. But back then, it felt really like the wild, wild west of breach response and security and privacy, it was a new concept for a lot of different companies. And that's where I met Violet and Violet and I got to work together for a few years at AllClear which was great. So I worked at AllClear until 2019, the business grew and we were acquired, the breach response business was acquired by Experian. So I went over to Experian, worked there for about three years helping companies prepare for and respond to data breaches and managed a team that worked on data breach response implementation, planning, and then another team that also worked on call center setup and that public face of the response, that's what we worked on managing for our clients.
And then in May of this year, I decided to go back to AllClear ID, which is now AllClear ID Health. And we are focused on healthcare identity and using your identity in the healthcare space. So it's been an interesting evolution career-wise for me but also in this space. And in 2020, just because I was learning so much and I really fell in love with it, I earned my masters in cybersecurity. So that's where I am tonight.


Kacy Zurkus:
Wow, what an evolution. I love that. Yeah, that's so fun. And I just want to welcome you both. I appreciate you both being here so much and I'm excited, this month we're diving into a variety of topics on all things identity. So I'm excited to have you both here. And I want to start with asking each of you to maybe share your thoughts on some of the recent challenges we've seen with MFA and MFA fatigue. Jessica, why don't you start?


Jessica Smith:
Sure. So I think users and consumers will notice that over the past few years, they have been asked to do some extra things when they're logging into their bank accounts, or logging into their email accounts, or even social media where they're asked to confirm their identity not just through their username and password, but through a text or through a biometric. So multifactor authentication is using another means of authentication to gain access to a system. It's being used so much and enterprises probably adopted it first, right? And then it started being pushed out to consumers. And it's being used so much that you really hear a lot of people complaining about it. I can't tell you how many times I've gone to login to have to do something really quickly for work and then I have to authenticate and it just takes extra time if you don't have your phone with you or another means.
So we've been hearing a lot and I'm interested to learn what Violet's heard from her clients, but there does seem to be a lot of, "Fatigue," that users and consumers and employees are seeing where they're just, "Ugh, got to follow this next step, got to absentmindedly click approve." And through that process, I think what we're seeing is hackers are starting to take advantage of that fatigue.


Violet Sullivan:
Completely agree. In fact, one of the things I loved about Jessica's evolution in explaining her background was that I think we probably learned about multifactor at the same time period because the CEO of the company we worked for so many years ago when we all first started in cyber, that was a passion and it's so cool to see it evolve and I love also translating it. So I also want to say we were introduced by it, the example that was always used before MFA was so prevalent was the example of checking in a hotel room. And I feel like that's always a good translator piece to start with when it comes to explaining multifactor and also the fatigue associated is when you check in a hotel room, you always present your ID, you always present your credit card. That's what Bo Holland and, our CEO, always used to say and that was that passion that led him towards now healthcare ID and privacy.
But the threats that we're seeing, to confirm where Jessica was going, is the exploitation of certain employees specifically to get their access and get past MFA so that they can get them to go ahead and be annoyed enough to bypass. So one of the biggest techniques I've seen is either exploiting overworked professions, surgeons, lawyers, CPAs, or odd hours. I've seen a chat log of threat actors leaked that talked about trying to call the hell out of that number at one o'clock until they just push the MFA button and let you in. And so there's a lot of different techniques, but I feel like it goes back to the human element of in the same way that all of our cybersecurity training is trying to get us to be more skeptical and understand how important the authentication piece is, the hackers are doing in the reverse trying to say how can we play on the human error issue and get them to get past the multifactor?
And I think one more thing I'm going to add about the threats there, there's a ton of case studies to go into and we can talk about I think Twitter's the most famous recently with their hack and the exploitation of multifactor authentication from their employees that led to the account takeovers of Trump and other big figures with the blue check marks by their name. But the thing that I always like to reference, in a video I'll usually throw on, there's a huge thick book, a thousand pages that's called Hacking Multifactor Authentication that you can buy on Amazon for 29.99. And I think that itself shows that this is something that we thought was a cure. And even especially the insurance companies, they thought, "Oh, man, there's so many claims that can be reduced if we just make everyone use MFA on especially domain accounts, but also all accounts." And so they started making it mandatory and when something comes mandatory from your insurance, it's not as easy to explain why and get people to actually think about it because once it's mandatory, they think it's automatic.


Kacy Zurkus:
It's so interesting too because I feel like I was having a conversation with my husband this morning just about energy, right? And we were all using oil and then there were all these incentives to switch to gas and now there are all these incentives to switch to electrical. And it made me think that at what time there was the password and user credentials were considered sufficient security measures, right? And now, we're evolving in these strategies, then the buzz became about the need for multifactor authentication. Yet, we're finding that MFA doesn't always protect a company from a data breach. So can you talk about this evolution of authentication methods and where you see things trending toward? Jessica, let's start with you.


Jessica Smith:
Many organizations that we talked about, they were using username, password, right? So we saw that, like you said, Kacy, the evolution to MFA. So slowly but surely we saw that move. So many organizations started using multifactor authentication and now, we're starting to see some more streamlining of MFA which is supposed to help, right? So single sign-on is an example where you enter in your credentials one time and then you're able to log in and access all of the applications on a network. So we're starting to see that move. That's definitely helping address some of the fatigue, although work is just one area where MFA is widely used. I mean you log into your bank account and you're likely asked to verify you are who you say you are. So I think we're going to start to see organizations move to more of a passwordless authentication. I think we'll eventually evolve there.
And I'm sure Violet tells her clients this all the time, I mean there's just no one silver bullet to stop all of the hacks. I mean the hackers will always evolve with the technology. So it's just about having the extra layers of security present in the network, not only at FinTech companies, but also employers need to think about how they would roll this out in the most user friendly way possible.


Violet Sullivan:
And I think the only thing I would add to that is the complexity of the evolution has been almost even still trailing behind the creativity of the threat actors. And I think what we don't realize is even the cybersecurity increase in awareness and budget that we've had even in the last five years has just grown so much that this is realized to be an important part of the budget. But you still have hackers that their true focus is everyday getting in. And there's lots of groups out there. Things have changed and been volatile since the Ukraine and Russia war. But the example I always use to why even single sign-on, or like Jessica mentioned, the passwordless focus moving forward is still going to have to be diligent on the other side of cyber, or that holistic cybersecurity.
The example I use is blockchain and crypto hacks because when you realize that to hack into some type of blockchain technology, you need eight different entry points and authentication at each point and there's still been hacks in that area and you start researching those, you realize the extent people will go to gain authentication, and it almost makes you think like the Ocean's Eleven mentality of this world is they're going to have and think about all of the different entry points until they can get in, especially if the data inside is valuable to them.


Kacy Zurkus:
Yeah. And that determination is really monetary or political or whatever it is that motivates them, they're highly motivated, right? And so to your point, I've definitely heard it said by many that identity forms the foundation of zero trust security, yet identity oddly remains this siloed effort that is sometimes still disjointed from the security organization. So how can companies better address access control in a more holistic way?


Violet Sullivan:
Oh, man, I feel like this question is perfect for Jessica. So I'll start in first and tee it up for her, because when I think access control, again, I like to play the translator a lot because I came into cyber security not through a Craigslist ad like Jessica, but through the legal side trying to figure out what in the world is this tech world about? And I love the translation for access control to say you only need access to do what you need to do your job, right? At the very base level, it's about giving and making sure that you understand who has access. So that's why we only have a limited number of domain controllers, that's why we have a limited admin because we don't want everyone to be able to make changes that impact the whole organization no matter what industry you're in. So in the same way, segregation is important. And so beyond a zero trust, I think that you bringing up access controls is very logical and helpful in this conversation because I do think we're disjointed in terms of identity and security issues.
And I think that there's this missing piece of awareness as to the gravity of what it means to have access. At the base level, any human access into technology, people don't realize, and myself included, I don't think you realize the gravity of it. And I'll give an example is sometimes in finance and institutions and just logging into banks, there are certain times when I have given my husband, here is the password for this. But if someone is socially aware enough, and I hope this isn't coming through the podcast because now I'm going to be on alert and aware, but if someone is really, really good at social engineering and gains enough trust, that's what they're trying to exploit is that even the most securely aware people can still be tricked.


Jessica Smith:
Yeah. Violet, I really like your Oceans Eleven analogy. I'm going to have to steal that. But it's true. If someone is determined enough to figure out how to exploit authentication methods, they can do it and if it's eight steps into the network, they'll continue to try. And Kacy, to your point, is it disjointed? I think there's definitely work that organizations can do to focus on better access control but also authenticating identity in a way that they can track it throughout the network. So I'm working and I'm using some of the applications that I typically use, but what if I try to do something else in my network? Does someone get notified about that? Can that be tracked within the network? And there are a lot of companies that are starting to move and build more intelligent authentication methods. And it is a form of access control in terms of watching what users in your network are doing and looking at what they're typically accessing.
So I do think they can continue to work to unsilo the identity efforts and focus on a way to work together and use new technologies. So this identity-based authentication, we've moved beyond that and MFA, while it's not the silver bullet, it's still pretty good, but they can continue to use that and make their systems more secure.


Violet Sullivan:
I'm actually curious because Jessica, you're more on the identity section. Has there been proven just a basic MFA that is preferred? So I've seen the ones that actually push out the number to the phone or the apps like Duo or Okta. Is there something in the security community that said this is a better form of basic MFA if you can't have that next level?


Jessica Smith:
Yeah, I mean I think biometrics are probably always better. Of course, you can always use those actual physical security keys, but using a biometric that is inherent to the device that you're using, so piggybacking on the Android or Apple biometrics in the device I think is helpful and probably more secure than just a password, a six-digit passcode when you're logging in.


Violet Sullivan:
I have heard that too, but I actually didn't hear the word authentication around the biometrics. So it's connecting the dots for me. But I also would just say as the lawyer is to asterisk consent needed on the biometric data because that's another area of risk that's coming out with the BIPA lawsuits and a lot of the Google Pixel, all these issues over using that data and then reselling it to data brokers. So yes, good authentication method, bad data broker data without consent passing.


Kacy Zurkus:
And therein lies the problem with security, right? Because there are so many ripples to potential solves for this opens up risk in that area that you would never even think of, right? It's like, "Oh, okay, now we need to worry about the legal ramifications of implementing such a strategy." Violet, Jessica, thank you so much for joining us today. Before we wrap up, I would love it if each of you could maybe share some parting words of wisdom with our listeners. Violet, let's start with you.


Violet Sullivan:
Well as I was alluding to earlier, even if you have the next level of what would be the best form of authenticating a user for multifactor authentication or single sign-on or passwordless entry, you're still going to have to go beyond the MFA. You have to go to understanding the visibility of where your devices are, the location, the security on those devices, if encryption is enabled and transit are at rest, the device health, making sure everything is patched. So it's really way more about the overall holistic structure of cyber security that you have. It's not just a check the box. It's not where firewalls were 10 years ago where you thought, "Okay, firewalls are okay, that's our fortress, that's our security." MFA is not your fortress in security.
It is a very good practice. It's something that we would tell users just in your every day to have on any account that is sensitive in any way, shape, or form that could buy things, sell things, or transfer money back and forth, or pretend to be you and have an impact on your reputation. So users should definitely have this, but companies need to go way beyond this.


Jessica Smith:
Yeah. Violet, I would agree. If you are leading a security in an organization and you haven't moved to some stronger authentication like MFA, like single sign-on, you need to get on it. Your organization is potentially at risk. And if you're a consumer, like Violet mentioned, you should put MFA on all of your accounts that are important to you, even accounts where you may not be buying or selling like your LinkedIn account, anything that's linked to your identity that you value, make sure that you have authentication or MFA on that account. And then lastly, just one last parting word of wisdom for folks who lead security in an organization, don't forget your end users, right? You're only as strong as your users. And so continue to educate the employees to keep them informed of potential misuse of credentials or MFA. The better educated that they are, the more they can be on alert.


Violet Sullivan:
Can I add one more thing? Because that made me think about the big thing we talk about what qualifies as an incident. And we always say confidentiality, integrity, availability, right? We were scared of confidentiality first with data breaches, then we were scared about availability with the ransomware attacks hitting our operations and Colonial Pipeline and JBS. But this is about integrity, which is so interesting because when you lose integrity, you don't know what was done with intent. You don't know if it was negligence, if it was a bad guy, if it was an insider threat, you lose the ability to be able to figure out what happened or what was changed. And it's not just about numbers changing on a balance sheet, it's about truly, like Jessica said, having someone pretend to be you and taking your identity away. And that integrity issue within the definition of an incident is what the multifactor authentication issue is about.


Kacy Zurkus:
I love that. I so appreciate that addition and really making those distinctions because integrity matters for sure. It was so lovely having both of you here with me today. Thank you so much. Listeners, thank you for tuning in. To find products and solutions related to identity, access control, authentication, we invite you to visit rsaconference.com/marketplace. Here, you'll find an entire ecosystem of cybersecurity vendors and service providers who can assist with your specific needs. Please keep the conversation going on your social channels. I know Violet is very active on LinkedIn, so you can follow her there. You can use the #RSAC and be sure to visit rsaconference.com for new content posted year round.

 


Participants
Jessica Smith

Vice President of Client Services, AllClear ID Health

Violet Sullivan

AVP, Head of Cyber Services, Crum & Forster

Identity

access control authentication biometrics compliance management data security identity management & governance password management passwordless


Share With Your Community