Understanding the FBI's Private Industry Notification on Multi-Factor Authentication
Posted by Guest Blog

Guest Post by Paul Kenny, Chief Technical Architect, EMEA/APAC

Heeding the FBI is wise, but misreading the Bureau can be disastrous. And never has this been truer than in the context of the FBI’s recent Private Industry Notification on Multi-Factor Authentication (MFA).

A cursory look at this notification (or worse, a glance at some of the newspaper headlines it’s been generating) might well lead you to believe—quite mistakenly—that MFA is a vulnerable and unreliable security framework.

In truth, the FBI is saying nearly the exact opposite—that MFA is a necessary and wildly effective means of preventing upwards of 99.9% of all cyberattacks, but that not all MFA is created equal, and that the very best security framework is an "advanced" MFA implementation that utilizes the strongest authentication factors such as physiological and behavioral biometrics.

In fact, when the FBI reports having “observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks,” it is referencing the very attacks that an advanced, biometric-based MFA platform (like IdentityX) is designed specifically to prevent.

To help illustrate this point, let’s quickly walk through the attack types listed in the FBI’s notification to see how IdentityX protects against them:


Attack 1: Knowledge Based Authentication (KBA) 

In the age of social media, KBA factors (i.e., secret questions like “what’s your mother’s maiden name?”) provide little if any real security, in addition to creating a horrendous user experience.

IdentityX is not susceptible to KBA attacks, whether through social engineering of the data or through flaws in the system’s implementation (as was the case cited by the FBI). First, IdentityX does not rely on easily compromised KBA techniques; second, with regard to implementation, IdentityX uses peer-reviewed standards such as FIDO.

Attack 2: SIM Swapping

Though not as overtly problematic as KBA, using One Time Passwords (OTP) over SMS is not an entirely secure process either. OTP over SMS is susceptible to multiple attack vectors, including both SIM Swapping and social engineering (to con the user into sharing an OTP code).

IdentityX provides numerous options with much stronger security than OTP over SMS, ruling out vulnerabilities such as SIM swapping. In addition, our use of the FIDO standards-based authentication protocol protects against social engineering of OTPs.

Attack 3: Man in the Middle & Phishing

At the risk of becoming a broken record, IdentityX is implemented using the FIDO standards, all of which (U2F, UAF or FIDO2/WebAuthn) use origin bound keys. This makes IdentityX resistant to man in the middle and phishing attacks, since those keys can only be used with the verified HTTPS website (or API) for which they were registered.

Therefore, an IdentityX user cannot be tricked into authenticating on a fake website only to have that authentication copied and re-used by an attacker on the actual website.
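The origin binding described above can be seen in the checks a WebAuthn relying party runs on each assertion. The following is an added example, not IdentityX or Daon code: it covers only the origin, challenge and RP ID checks (signature verification is omitted), and the host names, function names and sample assertions are constructed assumptions.

```python
import base64, hashlib, hmac, json

# Constructed sample values; every name here is an assumption for illustration.
RP_ID, ORIGIN = "login.example.com", "https://login.example.com"
PHISH_RP_ID, PHISH_ORIGIN = "login.example.com.evil.test", "https://login.example.com.evil.test"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_origin_binding(client_data_json, authenticator_data,
                         expected_origin, rp_id, issued_challenge):
    """Return the reasons to reject an assertion (empty list: binding checks pass).

    Both inputs are covered by the authenticator's signature, which a real
    relying party verifies as well; that step is left out of this sketch.
    """
    problems = []
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        problems.append("wrong type")
    sent = str(client_data.get("challenge", "")).encode()
    if not hmac.compare_digest(sent, b64url(issued_challenge).encode()):
        problems.append("challenge mismatch")
    # The browser, not the page, writes the origin it actually loaded.
    if client_data.get("origin") != expected_origin:
        problems.append("origin mismatch")
    if len(authenticator_data) < 37:  # rpIdHash(32) + flags(1) + signCount(4)
        return problems + ["authenticator data too short"]
    expected_hash = hashlib.sha256(rp_id.encode()).digest()
    if not hmac.compare_digest(authenticator_data[:32], expected_hash):
        problems.append("rpIdHash mismatch")
    if not authenticator_data[32] & 0x01:  # bit 0 = user present
        problems.append("user not present")
    return problems

def sample_assertion(origin, rp_id, challenge):
    """Constructed stand-in for browser and authenticator output on `origin`."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (7).to_bytes(4, "big")
    return client_data, auth_data

if __name__ == "__main__":
    challenge = bytes(range(32))
    genuine = sample_assertion(ORIGIN, RP_ID, challenge)
    relayed = sample_assertion(PHISH_ORIGIN, PHISH_RP_ID, challenge)  # same challenge, fake site
    print("genuine:", check_origin_binding(*genuine, ORIGIN, RP_ID, challenge))
    print("relayed:", check_origin_binding(*relayed, ORIGIN, RP_ID, challenge))
```

Even when the fake site forwards the genuine challenge, the assertion it collects names the fake origin and RP ID, so the real site rejects it.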

MFA Done Right

Certainly, systems that rely on a single authentication factor are more vulnerable to attack than those utilizing MFA. But the FBI’s key point is that your MFA security is dependent on the security of its underlying factors.

Rejecting MFA, broadly, instead of weak factors, individually, is a tragic misreading of the technical reality.

Passwords and secret questions can be hacked or guessed. Tokens and keys can be stolen. But biometric factors—especially when combined—are exceptionally secure while also reducing the friction of an authentication process. It is for this very reason that the FBI states:

“[Our] best advice to companies, over and above an increasing level of user training, is to deploy biometrics to assure user identities.”

So yes, please heed the FBI’s advice. But please don’t be discouraged from moving to MFA, when in fact our industry’s real problem is the under-utilization of MFA by technology users (less than 10%, according to Microsoft).

If you’re interested, you can read more about Daon’s enhanced MFA here or contact us at info@daon.com to speak with one of our experts.