The Deeper Conceit of MFA
(This blog post is an add-on to a series published by Jeff Nathan. I recommend reading his sage words in The Conceit of Weak Authentication.)
Multi-Factor Authentication (MFA) is meant to strengthen user authentication by adding another factor beyond a simple username/password (credential) pair. Does it succeed? As Jeff Nathan points out across his series (part 1, part 2, part 3, and part 4), with many concrete examples of its mishaps and failings, in many cases it does not.
But do attackers really worry about MFA when they can simply bypass it altogether?
In many cases, they do not. Bad actors routinely bypass MFA by replaying stolen “authentication cookies” (a term used here and throughout this post for both tokens and session cookies) in an attack known as session hijacking.
Authentication cookies (sometimes referred to as tokens or session cookies) solve a specific problem for web applications and mobile apps. They turn stateless HTTP requests into a stateful session, so you do not have to log in again every time you access a service. Authentication cookies pave the way to interactive websites, long-running sessions, and a better user experience. Ever wonder why you don’t have to type your password every time you open your favorite streaming application on your TV? That’s where authentication cookies show their transformative value!
There are sound technical reasons why this form of authentication exists. In fact, “send data to prove you are associated with an earlier authentication event” is a very common pattern among computer systems, and the pattern is not bad in itself. But miscreants have found a way to sidestep MFA by stealing these authentication cookies, and they are doing so routinely.
Through “infostealer” malware, cybercriminals are stealing these authentication cookies right out of users’ browsers. Not only the cookies: all manner of saved form data and rich context data is exfiltrated as well. Often this malware leaves no trace behind. Two such examples are “dissolvable malware”, which executes and then deletes itself, and “memory-only” malware, which executes without ever being written to disk.
MFA is a useful tool against stolen credentials and does improve a user’s defenses. But stealing authentication cookies is the equivalent of sidestepping authentication entirely. When malicious actors hold an authentication cookie, they need neither the password nor the MFA verification prompt on the victim’s phone. They present the cookie to the online service, which accepts it as an access badge, and skip the login process altogether. In some cases, the actors use browsers configured to mirror exactly how the victim’s computer “looks” to the service provider, so that checks for an unfamiliar browser or device see nothing amiss. This means the actors can “be you” to your online services and accounts.
For users, the most practical protection against this form of attack is a “Defense in Depth” approach. To put it simply, “Defense in Depth” means incorporating all the common advice (CISA’s Shields Up campaign provides a good basis of common advice) for securing your identity, devices, and online accounts. The pessimist in me tends to think Defense in Depth is synonymous with doing everything right and hoping for the best!
For enterprises, website owners, and app developers, the best defense is to plan ahead. When setting session time limits, consider the impact of stolen authentication cookies: a cookie that stays valid for weeks gives an attacker weeks to use it. Consider both how long an idle session stays valid and how long a session may live in total, since an attacker actively using a stolen cookie never lets it go idle. Pick the balance appropriate for your application between protecting users and delivering the user experience your platform needs. Attackers may still manage to use a stolen cookie within whatever window you set, but your goal should be to make it harder on them.
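As an added example (not code from the original post or from SpyCloud), the Python sketch below models the server side of what the sections above describe: a session store that mints an opaque cookie only after both the password and the MFA step succeed, then authorizes every later request on the cookie alone, so a cookie lifted from the victim's browser is as good as the login. The scenario replays a stolen cookie under two hypothetical policies, with and without binding the session to the client that completed MFA, and shows why the time limits discussed above need both an idle timeout and an absolute lifetime. The policy values, IP addresses, user agents and the fingerprint scheme are all assumptions constructed for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Hypothetical policy values chosen for this example; tune them per application.
ABSOLUTE_LIFETIME = 8 * 3600  # seconds before a session must be re-established with MFA
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity after which a session expires


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float
    client_binding: str  # fingerprint of the client that completed MFA


class SessionStore:
    """Server-side session table keyed by the opaque cookie value it hands out."""

    def __init__(self, bind_to_client: bool, clock: Callable[[], float] = time.time):
        self.bind_to_client = bind_to_client
        self.clock = clock
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def fingerprint(ip: str, user_agent: str) -> str:
        # Simplified, assumed fingerprint; real deployments use richer signals or device binding.
        return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

    def login(self, user: str, password_ok: bool, mfa_ok: bool, ip: str, user_agent: str) -> Optional[str]:
        """Mint a cookie only when both the password and the MFA step succeeded."""
        if not (password_ok and mfa_ok):
            return None
        cookie = secrets.token_urlsafe(32)  # unguessable, and the only thing later requests must present
        now = self.clock()
        self._sessions[cookie] = Session(user, now, now, self.fingerprint(ip, user_agent))
        return cookie

    def authorize(self, cookie: str, ip: str, user_agent: str) -> Optional[str]:
        """Return the user a presented cookie grants access to, or None if it is rejected.

        Neither the password nor MFA is consulted here: whoever holds the cookie
        is the user, which is exactly what session hijacking exploits.
        """
        s = self._sessions.get(cookie)
        if s is None:
            return None
        now = self.clock()
        if now - s.created_at > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[cookie]  # expired: force a fresh login, MFA included
            return None
        if self.bind_to_client and not hmac.compare_digest(s.client_binding, self.fingerprint(ip, user_agent)):
            return None  # cookie presented from a client that never completed MFA: deny (and alert)
        s.last_seen = now
        return s.user


class FakeClock:
    """Controllable clock so the scenario can jump forward in time."""

    def __init__(self, start: float):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def hijack_scenario(bind_to_client: bool) -> Dict[str, bool]:
    """Replay a cookie stolen from the victim's browser under one session policy.

    Addresses, user agents and the timeline below are constructed for the example.
    """
    clock = FakeClock(1_700_000_000.0)
    store = SessionStore(bind_to_client, clock)
    victim_ip, victim_ua = "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120"
    results: Dict[str, bool] = {}

    # A password without MFA never yields a cookie; password plus MFA does.
    results["password_only_gets_cookie"] = store.login("alice", True, False, victim_ip, victim_ua) is not None
    cookie = store.login("alice", True, True, victim_ip, victim_ua)
    assert cookie is not None

    # 1. An infostealer exfiltrated the cookie; the attacker replays it from a different box.
    results["replay_from_other_box"] = store.authorize(cookie, "198.51.100.7", "python-requests/2.31") == "alice"
    # 2. The attacker replays it from a browser configured to mirror the victim's fingerprint.
    results["replay_mirrored_browser"] = store.authorize(cookie, victim_ip, victim_ua) == "alice"
    # 3. The attacker keeps the session warm with a request every 10 minutes: the idle timeout never fires...
    clock.advance(10 * 60)
    results["keepalive_within_idle"] = store.authorize(cookie, victim_ip, victim_ua) == "alice"
    # ...but the absolute lifetime still ends the session.
    for _ in range(ABSOLUTE_LIFETIME // (10 * 60) + 1):
        clock.advance(10 * 60)
        store.authorize(cookie, victim_ip, victim_ua)
    results["after_absolute_lifetime"] = store.authorize(cookie, victim_ip, victim_ua) == "alice"
    # 4. A fresh session left untouched past the idle timeout is gone as well.
    cookie2 = store.login("alice", True, True, victim_ip, victim_ua)
    clock.advance(IDLE_TIMEOUT + 1)
    results["after_idle_timeout"] = store.authorize(cookie2, victim_ip, victim_ua) == "alice"
    return results


if __name__ == "__main__":
    for bind in (False, True):
        print(f"bind_to_client={bind}: {hijack_scenario(bind)}")
```

Running it prints each step's outcome under both policies. Binding the session to the client seen at login stops a crude replay from another machine, but not a browser that mirrors the victim, and binding to the IP address as done here would also break legitimate users whose address changes; that is why the time limits matter, and why the absolute lifetime matters in particular: an attacker who polls every few minutes never lets the session go idle, so an idle timeout on its own never expires a hijacked session.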
Enterprises should also update their Cyber Incident Response playbooks with Post-Infection Remediation steps to augment their response to malware infections. If you are a service provider, talk to SpyCloud about our solutions that monitor the criminal underground for exposed stolen authentication cookies and account credentials. SpyCloud gives you the context the miscreants have about your users, enabling you to take action to protect your users and your infrastructure.
Staying safe online takes constant effort. With each new defense the good guys build, malicious actors follow up with new attacks. SpyCloud is your ally in staying current with the ways malicious actors are exploiting modern weaknesses.
James, thanks for sharing!
What’s Beyond Identity got to say about this?
Best options to prevent session hijacking, James Shank?