You Must Choose Your Authentication Strategy Carefully
Updated: Dec 3, 2019
Exactly a month ago I wrote a blog post about why I believed the Microsoft Authenticator could be bypassed in a relatively easy manner. Yesterday, a blog post released by Microsoft mentioned that one of their customers was breached, pretty much using the same technique I described:
"A few days ago, our team helped someone who had been a target of account takeover (ATO). Despite protecting the account with mandatory two-step verification using SMS and the Authenticator app, attackers had broken into the account and changed the password. MFA had failed."
Funny enough, when I released my blog post about this simple manual exploit I got a few angry reactions from Microsoft experts saying that what I describe was not really possible. "You got this all wrong!" a Microsoft Enterprise Mobile MVP commented on my LinkedIn post. I did not. I've been building information security products and dealing with fraudsters and cybercriminals for over 25 years now. I can see how solutions can be bypassed.
Microsoft used their recent blog post about the attack to explain how all authentication methods are vulnerable and to glorify Windows Hello as "the solution." Make no mistake - Windows Hello can be bypassed through its weakest links as well. Authentication is a process that involves many edge cases and sub-processes. It's not really a binary operation.
When it comes to getting rid of passwords, the only real solution is continuous and adaptive risk-based authentication. Without it you'll find yourself switching between authentication technologies that attackers learn how to bypass relatively quickly. Microsoft fails to acknowledge that. In my previous blog post I criticized the Microsoft Authenticator solution for not picking up pretty obvious and simple risk indicators that would had prevented my tests. I bet this is exactly what happened with this attack - there were plenty of risk indicators that could have been detected to prevent the attack, and instead they were ignored.
When it comes to authentication, adaptive risk and identity orchestration, there is no point in relying on half-baked solutions - unless you're on a very tight budget.