I’m currently in San Francisco attending Oktane 2019 where multi-factor authentication (“MFA”) is understandably a hot topic. During yesterday’s Partner Summit and today’s Opening Keynote, something occurred to me. How secure is a mobile device as a mechanism for MFA?
Before we try to answer that question, let’s first have a quick recap of MFA and its components. MFA is based on granting access after two or more pieces of evidence are presented. This can be:
knowledge (something the user and only the user knows)
possession (something the user and only the user has)
inherence (something the user and only the user is)
A good non-IT example is an ATM transaction. You can withdraw money only after you provide “possession” (the ATM card) and “knowledge” (the PIN code).
In the business world, MFA is leveraged because we want to secure our most critical and sensitive information. As of 2019, the vast majority of MFA devices are mobile phones. So, what is my issue with the phone being used as “possession”?
In the past, mobile phones rarely had passcodes but as more capabilities started being added to the device, security started to become an important topic.
Enter the PIN
This process includes a 4 (or more) digit number that needs to be entered every time you want to access the device. While this is relatively secure, people unlock their phone multiple times a day and it caused “too much friction”.
This was designed to make it easier to unlock the device while still providing a layer of security. Fingerprints or facial recognition are the two most commonly used methods today, and they also have the most issues.
Still skeptical? Let’s look at something that isn’t farfetched using a real-life example…
One of my colleagues posted an article on Slack earlier this month called “Vengeful sacked IT bod destroyed ex-employer's AWS cloud“ and it tells the story of Voova employees, Steffan Needham and Andy “Speedy” Gonzalez. Needham was being right-sized for “below-par performance” and decided that destroying his employer’s Amazon Web Services instances by using Speedy’s login credentials would be a great parting gift. Notably, the article also states that “MFA could potentially have prevented the attacks altogether”.
Now, let’s start to speculate…
Needlam already knows Speedy’s username and password (as stated in the article). Let’s assume that Voova’s IT department mandated policies that ensures Speedy’s phone is “secured” with a PIN, fingerprint, and/or facial recognition and also enforces MFA for administrative access into their AWS environment.
Let’s further assume that Needlam and Speedy are friendly enough that he takes him for drinks after his sacking and Speedy becomes incapacitated in the process. Needlam can now take Speedy’s credentials, attempt to access AWS, and then hold Speedy’s mobile phone to his face or finger to gain access to the token required for MFA.
Needlam is now in the system regardless of the fact that MFA is enabled and configured properly.
If you think this is unrealistic, give it a try. Take your phone and hold it up to your face with your eye’s closed to unlock it. There is no prerequisite of being awake or of sound mind for this to work.
So, what can we do about this? We could force the PIN code back on the device as a way of authenticating access to the phone, however the genie is now out of the bottle and people will revolt. Requiring a PIN code every time you want to open your phone is now seen as too manual. Another solution could be prepending a PIN code during the MFA process such as with hardware tokens. Personally, I believe the solution is not so much rethinking access into the application but monitoring and mitigating risky behavior inside the application.
Dave Bryant is the VP of Technology at McGlaun Consulting