HC3 Provides Guidance on Multifactor Authentication and Highlights Smishing Risks
The Health Sector Cybersecurity Coordination Center has published guidance on multifactor authentication (MFA) that explains why MFA is important for security, some of the problems that can arise from implementing MFA, and how threat actors can successfully bypass MFA controls.
Multifactor authentication combines a knowledge factor, a possession factor, and an inherence factor: something the user knows, something the user has, and something that is unique to the user. Multifactor authentication eliminates password risks, such as weak passwords being set or passwords being obtained, and makes it harder for unauthorized individuals to gain access to accounts, networks, and sensitive data.
In contrast to 2-factor authentication, in which a user proves their identity in two ways, MFA requires identity to be proven multiple times. In addition to a password, authentication can occur through one-time passwords (OTPs) sent to a mobile device, hardware tokens, software tokens, biometrics, and push notifications.
While any form of multifactor authentication is better than single-factor authentication, having MFA in place will not necessarily protect accounts from unauthorized access. One of the ways that MFA can be bypassed is through phishing and smishing (phishing conducted via text message). Smishing attacks can be more effective than email-based phishing attacks, which are often blocked by email security solutions and identified by employees who have had security awareness training and are aware of the risks of clicking links in emails. Smishing messages succeed because SMS messages tend to be trusted more than emails.
When individuals are tricked by phishing and smishing attacks and disclose a password, multifactor authentication should prevent access to an account using the disclosed password; however, MFA controls can be bypassed. In an MFA fatigue attack, the threat actor bombards a user with MFA push notifications. The notifications keep being sent in the hope that the user is worn down by the requests and eventually approves a login request. If the MFA request is approved, the attacker is granted access to the account. To limit smishing texts, iPhone users can “filter unknown senders” in their settings and Android users can activate caller ID and Spam Protection.
Other recommended methods for reducing risk from MFA fatigue attacks include providing users with more context in push notifications, adopting risk-based authentication, limiting authentication requests, and providing security awareness training to make users aware of MFA fatigue attacks. Healthcare organizations should also consider disabling push notifications as an authentication method and implementing FIDO2 (passwordless) authentication.
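The two controls named above, limiting authentication requests and spotting a fatigue burst, can be expressed directly over authentication logs. The following is an added example written for this article, not code from HC3 or HIPAA Journal; the log events, user names, and thresholds are constructed for illustration.

```python
"""Flag MFA-fatigue bursts in push-notification logs and cap new pushes.
Added example; event data below is constructed, not from any real system."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, push result). An attacker holding
# nurse.j's password triggers a burst of pushes; the user denies or ignores most,
# then approves one. dr.k shows a normal login and one isolated denial.
SAMPLE_EVENTS = [
    ("2024-01-10T08:00:05", "nurse.j", "denied"),
    ("2024-01-10T08:00:20", "nurse.j", "timeout"),
    ("2024-01-10T08:00:41", "nurse.j", "denied"),
    ("2024-01-10T08:01:03", "nurse.j", "denied"),
    ("2024-01-10T08:01:30", "nurse.j", "timeout"),
    ("2024-01-10T08:02:12", "nurse.j", "approved"),
    ("2024-01-10T08:00:10", "dr.k", "approved"),
    ("2024-01-10T12:00:00", "dr.k", "denied"),
]

def parse(ts):
    return datetime.fromisoformat(ts)

def detect_mfa_fatigue(events, window=timedelta(minutes=5), threshold=4):
    """Return {user: time of first alert} for users with >= threshold denied or
    timed-out pushes inside any sliding window (approvals are not counted)."""
    alerts, recent = {}, defaultdict(deque)  # recent: user -> deque of timestamps
    for ts, user, result in sorted(events):  # ISO timestamps sort chronologically
        if result == "approved":
            continue
        t, q = parse(ts), recent[user]
        q.append(t)
        while q and t - q[0] > window:  # drop pushes that fell out of the window
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = t
    return alerts

def approvals_after_burst(events, alerts):
    """Approvals that follow a fatigue alert are the logins to investigate first."""
    return [(user, ts) for ts, user, result in sorted(events)
            if result == "approved" and user in alerts and parse(ts) > alerts[user]]

def allow_push(unanswered_push_times, now, max_pushes=3, window=timedelta(minutes=5)):
    """Request limiting: refuse to send another push while the user already has
    max_pushes denied or unanswered pushes inside the window."""
    return sum(1 for t in unanswered_push_times if now - t <= window) < max_pushes
```

With the sample data the burst is flagged at the fourth non-approved push and the later approval is surfaced for review, while dr.k's single denial produces no alert.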
MFA may also be bypassed using MFA phishing kits, which are used in adversary-in-the-middle attacks. The threat actor positions themselves between the victim and the destination server and intercepts credentials and MFA codes when they are entered by the user. Since credentials are obtained along with an MFA token, the threat actor can impersonate the user to gain access to accounts. To prevent these MFA bypassing attacks, organizations should consider implementing phishing-resistant MFA.