Root Causes 249: What Is MFA Exhaustion?
Recent months have seen several high-profile attacks that were enabled by defeating the MFA accompanying username and password login. In this episode we explain the concept of MFA fatigue and why it is an enabler for these attacks.
- Original Broadcast Date: October 21, 2022
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
This is a follow-up to our recent episode about the Uber breach, our Episode 247, and as a reminder for the listeners, this was a multi-stage breach, part of which involved defeating somebody’s one-time password MFA. I think it was a one-time password through a relay site. That led you and me to think that it might be worthwhile building on this story and talking about the concept and the consequences of MFA fatigue.
-
Jason Soroko
Thanks, Tim. Just for those of you who heard that previous podcast where we talked about the Uber breach, you might notice the fact that technical journalists focused on the MFA fatigue and you and I, Tim, we focused on basically the chain of attack that actually occurred and we referred to the problem of the social engineering, the initial ingress of the stealing of the credential. So, there’s really kind of a fundamental difference in how you want to report on something. My choice, your choice, Tim, was to break out the MFA fatigue into its own podcast and there’s a reason for that. It’s because I didn’t want to associate it only with the Uber story that was really big at the time. This affects all MFA and that’s the truth. This is the real point I want to make in its own podcast.
So, think about how many systems you have, Tim, where you are using some form of one-time passcode that’s generated by goodness knows what. It could be an app on your desktop. It could be an app on your mobile device and you are asked to type in or copy/paste, whatever it is, that one-time passcode. Right on. There are so many one-time passcode form factors that are out there and they are basically all vulnerable to this because the one-time passcode generation is essentially whenever you are dealing with a system that has some kind of a push notification to say, hey, you are trying to log into this, please respond with the one-time passcode or please respond with basically the confirmation of the login. And any type of system that does anything like that is going to be vulnerable because if the bad guy does get a hold of your username and password – we’ve talked endlessly about the different ways that can happen – basically that bad guy can then brute force to log in as you. In order, of course, to complete the authentication, they need you to complete the MFA challenge, which could be the entry of a one-time passcode. It could be basically clicking on a button that says, yes, this is me. Please log in. And we are now seeing more and more examples of bad guys just deciding I’m going to bombard the victim with logging in until they finally click whatever they need to click to let me in as the attacker. That’s why we call it MFA fatigue and it’s not because the system is malfunctioning; it’s not because the attacker has broken anything. The attacker does need to at least be able to get to the point where they prompt you, which typically means they need to have achieved the goal of stealing the credential of your username and password, which is only one-half of what they need. The second half of what they need is to have you simply click on the button that has the proper privileges that completes the authentication. I think any of us, Tim, could be vulnerable to that.
The reason why I wanted to call it out on its own podcast is just to let everybody know.
If you start seeing a surprising prompt, hey, I didn’t try to log into this, well, would I question this every single time? I think, Tim, we see so many one-time password code or MFA prompts – let’s just call it that, MFA prompts in general – in our lives, we almost can’t keep them straight anymore, Tim. Remember you and I have made this joke before. Back in the old days when we all had the hard tokens, the good old RSA things that we would carry around, if you had to have multiple systems we’d have to carry around multiple pieces of hardware and it just got kind of crazy after a while, and then in walk software-based tokens and hallelujah, that solved everything. Well, now our lives, Tim, are just so MFA inundated. I got news for you – I have so many different MFA systems that I have to log into, if you were to ask me, Jay, name me every MFA system that you have to interact with on a daily basis, I bet you I couldn’t even list them all. I would forget.
And so, therefore, if I randomly got a login that comes up and I tell you, even where I have my own fatigue, Tim, is corporate policies – and by the way, this is not my current employer. This is every employer that I’ve ever seen, other people I’ve ever worked with; this is across the board. Quite often, you remember, Tim, where there used to be policies of password changes need to happen every 90 days or whatever it was and that was a pain in the butt.
-
Tim Callan
And your password, it has to be at least 18 characters long and contain one of everything you can have and no two characters can be repeated in a row and it can’t have any words that are in the dictionary, and so they were unfeasible. You could not remember them and so you had no choice. You had to do something like write them down in a notebook, and now you are carrying around a notebook with a page in it that clearly has a bunch of your passwords in it. It was awful. Awful.
-
Jason Soroko
So, Tim, let’s fast forward to now, and what we see is a kind of version of that is you probably have, Tim, a PC or Mac or whatever that probably logs into various services that you are not necessarily directly logging into and using. Sometimes it’s just your computer is logging into services and those services require an MFA challenge to be completed. I could tell you an example of sometimes internal corporate systems that log into various Microsoft stack technologies might require a computer that hasn’t been turned off in a week or two or three to re-login. Even though you’ve been logged in, you were successfully challenged and you successfully authenticated, you might be re-challenged through time, and those corporate policies are meant to be safe because let’s make sure it’s really you. Well, the problem is I get prompts all the time. In other words, Tim, somebody could probably come up with a better name for this – unsolicited MFA prompts.
-
Tim Callan
You are just doing your business and all of a sudden you are being prompted and, like you said, I’m gonna open up this particular application or service and then you get your prompt. You are using it. You are there and suddenly there’s a prompt and I have to solve this prompt or I can’t continue using it. So, under those circumstances, I stop questioning those prompts because there’s no contextual information that I can use to tell me this one is real and that one is not.
-
Jason Soroko
I can tell you that Microsoft’s stack of technologies does that and it does it mostly because of enterprise IT corporate policies, but it also happens more in my private world where Apple for a long time – right? Tim, you’ve seen this. You’ve worked with Apple products. Apple for quite a while had just random authentication challenges that came out of I don’t know where. And, unfortunately, it taught people to just respond to authentication challenges because I don’t know what system is challenging me but I do know that it is asking me to do this and something on my computer isn’t gonna work, and furthermore, if I just click cancel, I’m probably gonna be asked again in five minutes. So, I’m just going to say yes. In other words, I’m fatigued. And I don’t even care what’s prompting me anymore. Just please function. We are talking about the ultimate worst way to train users about how to treat authentication.
Imagine if people randomly came up to you with your door lock for your personal house, walked up to you just with your door lock and said, hey, put your key in here and turn it, otherwise something is not gonna work for you today. That’s what you are being taught to do. Well, at some point, the bad guy, especially with MFA and the ease of stealing usernames and passwords, you are gonna be prompted over and over and over again with some sort of challenge to a legitimate system and you might not know what system is challenging you. Even if you do know what system is challenging you, you might say to yourself, oh, this must be some kind of IT glitch. I don’t really care. I just want these messages to go away. I will complete the authentication challenge. And guess what? We now have the Uber breach. We now have other breaches that we are hearing about as well, Tim. This is a big issue – wanted to call it out.
-
Tim Callan
I think that’s a good one, and this has been part of a big theme we’ve had. We’ve talked about various ways that MFA can be defeated and talked about MFA not being the be-all end-all that a lot of people seem to think it is, and we’ve even talked about how when you are overestimating the effectiveness of something like MFA, that itself actually becomes a liability. And I think this is an important next piece in that story, which is this idea of MFA fatigue. That’s a great explanation, Jay, and I’m glad we talked about it today.
-
Jason Soroko
Thanks a lot, Tim. And I’m glad you brought up that word liability again. I just can’t get over, we’ve now gone from it being the savior of usernames and passwords to now articles from really legitimate technical journalists such as Brian Krebs calling it a corporate liability. Folks, you should pay attention to that. I know how prevalent it is but there are ways to rethink how we do authentication. And, Tim, that’s what we try and do in this podcast.
-
Tim Callan
That was our Episode 245. 245 – one-time passcode as a liability. So, you can go look at that one, too.