The Internet Archive suffering its second breach in just a few weeks highlights the urgency of critical topics that are not discussed enough. The first major question to address is: after an initial breach has occurred, what should we do to prevent a second one? The questions most often asked are what authentication tokens are, how they are stolen, and how we can prevent it from happening to us.
Authentication Tokens
Authentication tokens are part of Multi-Factor Authentication (MFA). They are generally cookies that allow you to stay logged in without needing to authenticate at each login. The lifetime of these tokens is generally between 14 and 30 days. However, authentication tokens are vulnerable to theft.
How Are Tokens Stolen?
As MFA usage has become more mainstream, threat actors have evolved their tactics and methods. They discovered that if they could obtain a copy of the authentication token, they could bypass MFA for as long as that token remained valid.
It all starts with a phishing email containing a malicious link for the user to click. Once clicked, the link takes the user to a proxy website that sits between them and a legitimate login page such as portal.office.com.
As the user enters their credentials and completes the MFA prompt, the login is verified through the proxy. This is where the proxy website hiding in the middle sees the authentication token and takes a copy of it.
From here, the threat actor can access the account and undertake various activities that often go unnoticed, because many assume that enabling MFA makes it impossible for threat actors to log in. This is not always the case.
How do we stop it from happening?
As threat actors evolve to defeat older security controls, so too should security recommendations evolve. MFA methods such as SMS, phone calls, and email are no longer recommended and should be removed as options for users. However, stolen tokens also affect the current industry-recommended options such as authenticator apps (Microsoft Authenticator, Duo, Google Authenticator, etc.). The answer to token theft is phishing-resistant authentication.
Phishing-resistant Authentication
Phishing-resistant authentication covers a small number of options that use physical hardware as part of the authentication. The MFA authentication will fail without the physical hardware, and the hardware cannot be faked. At present, several options exist in this space, including the following:
- FIDO2
  - A physical USB-type key, such as a YubiKey.
- Passkey
  - A managed mobile device setup that acts as a hardware key.
- Windows Hello
  - Similar to a passkey but machine-based.
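The relying-party checks that make a FIDO2 or passkey login resist the proxy described above, as an added example that is not part of the original post. It assumes a relying party identity of login.example.com, a constructed proxy host login-example.invalid, and an HMAC standing in for the authenticator's private-key signature.

```python
import hashlib
import hmac
import json
import secrets

# Constructed relying party (RP) identity; the browser binds each assertion to
# this origin, which is what makes the login proxy-resistant.
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"
# Stand-in for the credential's private key: real FIDO2 authenticators sign with
# an asymmetric key (e.g. ES256); an HMAC keeps the example self-contained.
_CREDENTIAL_SECRET = secrets.token_bytes(32)


def browser_sign(origin: str, challenge: bytes) -> dict:
    """Emulates browser + authenticator during a WebAuthn login. The browser
    fills in `origin` from the page's real URL, so a page relayed through a
    proxy on another host cannot claim RP_ORIGIN."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}).encode()
    # authenticatorData = rpIdHash || flags (user-presence set) || signature counter
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(_CREDENTIAL_SECRET, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify(assertion: dict, expected_challenge: bytes) -> tuple[bool, str]:
    """RP-side checks; a relayed or replayed assertion fails before a session is issued."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch (replay or stale login)"
    if client.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {client.get('origin')!r}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(_CREDENTIAL_SECRET, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def demo() -> tuple[bool, bool]:
    """Genuine login succeeds; the same challenge relayed via a proxy host fails."""
    challenge = secrets.token_bytes(32)
    genuine, _ = rp_verify(browser_sign(RP_ORIGIN, challenge), challenge)
    relayed, _ = rp_verify(browser_sign("https://login-example.invalid", challenge), challenge)
    return genuine, relayed
```

The relayed case fails on the origin check even though the signature itself is valid, which is why a copied token or forwarded prompt does not help the proxy operator.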
Each solution has pros, cons, and potential costs; thus, it is important to understand what options are best for you and your business.
At Netier, security is our core and our passion. Security starts with a conversation, not a checklist. As threats evolve, we regularly audit and improve security controls to meet them, ensuring that our clients remain secure today and into the future.
When did your security provider last check that your controls could meet the current threat landscape?
Netier can help keep your business safe
Discover how phishing-resistant authentication can keep your business safe. Visit our Cyber Security page, and let’s strengthen your defences together.
Author
Derek Ingram