Why Multi-Factor Authentication (MFA) Is Not Enough

What happens when the technology you rely on to prevent breaches ends up being breached?

One of the scariest things about supply-chain attacks is how little control you have. Even if you’ve done everything right, security-wise, you have no good way of knowing that every single one of your trusted vendors has—as countless Cisco Duo customers recently learned.

In early April, Cisco Duo’s security team disclosed an attack on their telephony provider, which resulted in hackers stealing customer VoIP and SMS logs used in multifactor authentication (MFA) messages.

Such attacks aren’t new: Last year, the U.S. FBI warned that threat actors were increasingly leveraging SMS phishing and voice calls in social engineering attacks on corporate networks. But they’re becoming more frequent because they are a highly successful avenue of attack. They can, however, be stopped with a little help from SonicWall’s recent acquisition, Banyan Security.

MFA: May Fail Alone

Before we look at how Banyan can enhance MFA and prevent this type of attack, it’s helpful to understand how we got here. The earliest form of user security, consisting of a username and password, wasn’t very secure at all: Many people retained the manufacturers’ default credentials, some kept their login info on a Post-It stuck to their monitor, while many others chose a password and used it for everything from their corporate email to their child’s school portal to the website selling socks with their pet’s face on them.

MFA and one-time passwords corrected a lot of the resulting issues, but they weren’t fail-proof, either. What’s more, identity systems such as Microsoft Active Directory or token-based systems from RSA, Google Authenticator and others used to sit behind a firewall and VPN, but have now evolved into SaaS solutions.

As incredible as it may seem—particularly since so many sites and apps still use basic username and password logins—the days of using an authentication strategy built on something you have, something you know and an inherence factor are likely behind us. MFA phishing attacks are now the norm, and standard Identity and Access Management (IAM) practices are no longer sufficient to protect access and authorization to mission-critical resources. MFA can be better.

How Cloud Secure Edge enhances MFA

So if MFA alone is no longer enough, what is? Simply stated, factoring user and device identity and trust into the equation could have prevented the attacks.

Banyan’s ZTNA solution integrates with solutions from leading MFA vendors. These offerings can be configured to use certificate-based authentication, also known as “cert-auth.” These intelligent certificates tie the device to the user: Without them, no access will even be considered. Once the user is identified, the device identity and posture assessment process is completed, and a TrustScore (which quantifies the level of trust to attribute to accessing principals) is generated. Neither user identity (including MFA) nor device identity and trust is enough on its own to get access.

To summarize, before any access is granted, the following must be true:

  • Banyan must trust the specific MFA vendor
  • Banyan must deploy the Banyan app to a very specific end-user device
  • Banyan must authenticate the user and ensure that they can enroll their specific end-user device
  • Banyan must generate an intelligent certificate for that specific user and specific device
  • Banyan must check the identity and authorization level of the user
  • Banyan must, in a timely manner, validate a component of the user identity with the MFA vendor
  • Banyan must check the identity and authorization level of the device
  • Banyan must check the posture level of the device
  • Banyan must check the configured risk tolerance of the resource

This is a secure, defense-in-depth, multi-step process — if any step is skipped, no access is granted! Luckily for end users, most of this magic happens behind the scenes, so they aren’t jumping through hoops just to get secure access.

But what if an attacker has credentials and has phished MFA? Can they enroll a new device and gain access? With Banyan’s ZTNA solution, new device enrollment can be blocked by rotating invite codes, or the process can be completely disabled by leveraging Unified Endpoint Management (UEM) to push out the Banyan app along with the intelligent certificate.

Banyan’s granular ZTNA policies also ensure that applications can only be accessed by devices with a known and specific identity and posture. Unknown or unauthorized devices are banned from even attempting enrollment and access.
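
The checklist and the phished-MFA scenario above, as an added sketch of a fail-closed access decision. This is not Banyan's or SonicWall's code; the field names, the 0-100 score scale, the 300-second MFA window and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

MFA_MAX_AGE_S = 300                 # assumed window for "in a timely manner"
TRUSTED_VENDORS = {"example-mfa"}   # constructed sample value
ENROLLED = {"laptop-7f3a"}          # constructed sample value

@dataclass
class Request:
    user: str
    user_authorized: bool        # result of the user identity/authorization check
    mfa_vendor: str
    mfa_age_s: Optional[int]     # seconds since MFA was validated; None if never
    cert_user: Optional[str]     # user the device certificate was issued to
    cert_device: Optional[str]   # device the device certificate was issued to
    device_id: str
    device_authorized: bool
    trust_score: int             # posture-derived score, assumed 0-100

def decide(req, resource_min_score, trusted=TRUSTED_VENDORS, enrolled=ENROLLED):
    """Return (allowed, reason). Every check must pass; the first failure denies."""
    checks = [
        ("mfa vendor trusted", req.mfa_vendor in trusted),
        ("device enrolled", req.device_id in enrolled),
        ("certificate binds user and device",
         req.cert_user == req.user and req.cert_device == req.device_id),
        ("user authorized", req.user_authorized),
        ("mfa fresh",
         req.mfa_age_s is not None and req.mfa_age_s <= MFA_MAX_AGE_S),
        ("device authorized", req.device_authorized),
        ("posture meets resource risk tolerance",
         req.trust_score >= resource_min_score),
    ]
    for name, ok in checks:
        if not ok:
            return False, name
    return True, "all checks passed"

# Constructed sample requests (not real data).
LEGIT = Request("alice", True, "example-mfa", 20,
                "alice", "laptop-7f3a", "laptop-7f3a", True, 85)
# Valid password and a phished, fresh MFA code, but from an unenrolled machine.
PHISHED = replace(LEGIT, mfa_age_s=5, cert_user=None, cert_device=None,
                  device_id="attacker-pc", device_authorized=False, trust_score=0)
STALE_MFA = replace(LEGIT, mfa_age_s=3600)
WEAK_POSTURE = replace(LEGIT, trust_score=40)

if __name__ == "__main__":
    for label, r in [("legit", LEGIT), ("phished", PHISHED),
                     ("stale mfa", STALE_MFA), ("weak posture", WEAK_POSTURE)]:
        print(label, decide(r, resource_min_score=70))
```

The phished request carries a valid user and a fresh MFA result, yet it is denied at the device checks, which is the property the list describes.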

No one knows when the next supply-chain attack will occur—but with the right tools in place, you can know you’ll be ready when it does. SonicWall’s Banyan technology is a flexible, cloud-native and easy-to-use solution designed to fill in the gaps left by MFA-based security. To find out how Banyan can be quickly deployed to provide device-centric threat protection to your network, book a demo here.

SonicWall Staff