Why Multi-Factor Authentication (MFA) Is Not Enough

What happens when the technology you rely on to prevent breaches ends up being breached?

By

One of the scariest things about supply-chain attacks is how little control you have. Even if you’ve done everything right, security-wise, you have no good way of knowing that every single one of your trusted vendors has—as countless Cisco Duo customers recently learned.

In early April, Cisco Duo’s security team disclosed an attack on their telephony provider, which resulted in hackers stealing customer VoIP and SMS logs used in multifactor authentication (MFA) messages.

Such attacks aren’t new: Last year, the U.S. FBI warned that threat actors were increasingly leveraging SMS phishing and voice calls in social engineering attacks on corporate networks. But they’re becoming more frequent, due to being a highly successful avenue of attack. They can, however, be stopped—with a little help from SonicWall’s Cloud Secure Edge, formerly Banyan Security.

MFA: May Fail Alone

Before we look at how Cloud Secure Edge can enhance MFA and prevent this type of attack, it’s helpful to understand how we got here. The earliest form of user security, consisting of a username and password, wasn’t very secure at all: Many people retained the manufacturers’ default credentials, some kept their login info on a Post-It stuck to their monitor, while many others chose a password and used it for everything from their corporate email to their child’s school portal to the website selling socks with their pet’s face on them.

MFA and one-time passwords corrected a lot of the resulting issues, but they weren’t fail-proof, either. What’s more, identity systems such as Microsoft Active Directory or token-based systems from RSA, Google Authenticator and others used to sit behind a firewall and VPN, but have now evolved into SaaS solutions.

As incredible as it may seem—particularly since so many sites and apps still use basic username and password logins—the days of using an authentication strategy built on something you have, something you know and an inherence factor are likely behind us. MFA phishing attacks are now the norm, and standard Identity and Access Management (IAM) practices are no longer sufficient to protect access and authorization to mission-critical resources. MFA can be better.

How Cloud Secure Edge Enhances MFA

So if MFA alone is no longer enough, what is? Simply stated, factoring user and device identity and trust into the equation could have prevented the attacks.

SonicWall’s Cloud Secure Edge integrates with solutions from leading MFA vendors. These offerings can be configured to use certificate-based authentication, also known as “cert-auth.” These intelligent certificates tie the device to the user: Without them, no access will even be considered. Once the user is identified, the device identity and posture assessment process is completed, and a TrustScore (which quantifies the level of trust to attribute to accessing principals) is generated. User identity, including MFA, or device identity and trust alone are never enough to get access.

To summarize, before any access is granted, the following must be true:

  • Cloud Secure Edge must trust the specific MFA vendor
  • Cloud Secure Edge must deploy the Cloud Secure Edge app to a very specific end-user device
  • Cloud Secure Edge must authenticate the user and ensure that they can enroll their specific end-user device
  • Cloud Secure Edge must generate an intelligent certificate for that specific user and specific device
  • Cloud Secure Edge must check the identity and authorization level of the user
  • Cloud Secure Edge must, in a timely matter, validate a component of the user identity with the MFA vendor
  • Cloud Secure Edge must check the identity and authorization level of the device
  • Cloud Secure Edge must check the posture level of the device
  • Cloud Secure Edge must check the configured risk tolerance of the resource

This is a secure, defense-in-depth, multi-step process — if any step is skipped, no access is granted! Luckily for end users, most of this magic happens behind the scenes, so they aren’t jumping through hoops just to get secure access.

But what if an attacker has credentials and has phished MFA? Can they enroll a new device and gain access? With SonicWall’s Cloud Secure Edge, new device enrollment can be blocked by rotating invite codes, or the process can be completely disabled by leveraging Unified Endpoint Management (UEM) to push out the Cloud Secure Edge app along with the intelligent certificate.

Cloud Secure Edge’s granular ZTNA policies also ensure that applications can only be accessed by devices with a known and specific identity and posture. Unknown or unauthorized devices are banned from even attempting enrollment and access.

No one knows when the next supply-chain attack will occur—but with the right tools in place, you can know you’ll be ready when it does. SonicWall’s Cloud Secure Edge technology is a flexible, cloud-native and easy-to-use solution designed to fill in the gaps left by MFA-based security. To find out how Cloud Secure Edge can be quickly deployed to provide device-centric threat protection to your network, book a demo here.

SonicWall Staff