WOOF! Newsletter

July 11, 2024

Next-Level MFA is Here – Ready to Combat the Phishing Attacks That Free Authenticator Apps Can't

Free authenticator apps are a good start, but a six-digit code can still be phished. Cisco's Duo adds the checks that make the difference.

By now we all know what Multi-Factor Authentication is. You log in to a website, and it either sends you an email or text message with an authentication code, or you enter a code generated by Microsoft Authenticator or Google Authenticator.

Input the code and you’re logged in safely. Right? Well...not so fast.

While MFA has improved web security a lot, it’s not stopping ALL credential-based cyberattacks. Cybercriminals have figured out a few ways around MFA.

Verizon's 2020 Data Breach Investigations Report found that 67% of breaches came from credential theft, human error, and social attacks. This is how cybercriminals bypass MFA: by targeting the person, not the login system.

What’s the solution? Upgrade to next-level MFA!


Meet Duo – MFA Phishing Resistance in App Form

In this WOOF! issue, we’re talking about Cisco’s Duo authenticator app. Duo is a subscription-based authenticator solution. The authenticator enables quick, secure access to your company’s online applications.

To keep phishing attempts out, Duo supports several authentication methods at once: push notifications, passcodes, biometrics on the phone or laptop, and hardware security keys. Users only need to use one or two of them, and your IT team decides which ones count for which application. That choice matters, because push and passcodes are convenient while the security-key and built-in-biometric (WebAuthn) methods are the phishing-resistant ones.

The front end is an App, connected to a backend which sets the policies for access.

The app gives a user an authentication code for logging in to whatever service they want – email, Salesforce, a VPN, etc. You can also use Push Notifications instead of authentication codes.

The backend is where your IT department (or MSP) sets access policies and types of authentication. It also runs device verifications in the background.

 

2 Phishing Attacks that Bypass Standard Authenticators

  1. Social Engineering
    • What It Is: Manipulating people (often by email or phone call) into giving up information about, or access to, an organization or its computer systems.
    • How/Why it Bypasses MFA: Can trick users into handing their MFA code to someone else, who then uses it before it expires, rendering the factor useless.

  2. Spear Phishing
    • What It Is: A targeted attack on an individual that uses their role, habits and motivations to trick them into revealing information, such as their login or bank account details.
    • How/Why it Bypasses MFA: Can trick an individual into acting hurriedly, following a login process they've done many times before, not realizing they're entering secure information in an insecure location.

 

How Duo Blocks Social Engineering AND Spear Phishing Attacks

The key here is to make access simple for the user, and complex for the cybercriminal. A standard authenticator just gives you a code; it’s easy for the user, but also easy for the cybercriminal to manipulate that user into sharing said code.

Duo keeps it simple via an easy-to-use app…but then hides a lot of verification power behind it.

Here’s an example of how it works.

When using Standard MFA:

  • You get a phone call from [fake] “Tech Support.”
  • They email you a link that looks like your company’s VPN access page. (It’s also fake.)
  • You click the link under Tech Support’s prompting, enter your username & password, and click OK.
  • You open your Microsoft or Google Authenticator app, get an authentication code, and enter it on the fake VPN access page.
  • “Tech Support” says everything’s fixed and hangs up.
  • That was a cybercriminal. During the conversation, they captured your username, password, and the MFA authentication code, and relayed the code to the real VPN access page before it expired.
  • They're now logged in as you, with access to everything inside the company VPN.

 

When using Duo's MFA (with its phishing-resistant options enabled):

  • You get a phone call from [fake] "Tech Support."
  • They email you a link that looks like your company's VPN access page. (Again, also fake.)
  • You click the link under Tech Support's prompting, enter your username & password, and click OK.
  • The fake page now asks for a Duo passcode or triggers a Duo Push. This is where Duo changes the outcome:
    • A Duo passcode is just a number, the same as a Google or Microsoft Authenticator code. If you type it into the fake page, "Tech Support" can relay it to the real VPN page within seconds, before it expires. The passcode alone is not what stops the attack.
    • A Duo Push shows the application, the time, and the location the login is coming from. A VPN login from a city you are not in, while you are on the phone with "Tech Support," is the tell. Tap Deny and report it as suspicious, and your IT team is alerted. If your company has turned on Verified Duo Push, you also have to type a number shown on the login page into the app, so a stray push cannot be approved by reflex.
    • If your company requires a security key or the fingerprint/face unlock on your company laptop (Duo's WebAuthn option), the fake page cannot finish the login at all. That authenticator only answers for the real site's domain, so there is no code for "Tech Support" to capture.
  • If your IT team has set a Trusted Endpoints policy, the cybercriminal's attempt also comes from a device Duo doesn't recognize as company-managed, so Duo refuses the login even with a relayed code.
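The two scenarios above come down to one question: is the thing the user hands over tied to the site they are really on? The added example below (not Cisco's or Duo's code; the hosts, secrets and user are constructed for the demo) simulates both cases. A standard one-time passcode is relayed from a look-alike page and the real server accepts it. A WebAuthn-style assertion carries the origin the browser is actually on under the signature, so the same relay is rejected, and a replayed assertion is rejected too. An HMAC stands in for the authenticator's private-key signature; the binding logic is the same.

```python
"""Added example, not Cisco's or Duo's code: why a one-time passcode survives
the relay attack described above and an origin-bound authenticator does not.
Hosts, keys and the user are constructed for the demo."""
import base64
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://vpn.example.com"   # assumed real VPN page
FAKE_ORIGIN = "https://vpn-example.com"   # assumed look-alike phishing page
NOW = 1_720_000_000                        # fixed clock so the demo is repeatable

# Shared secrets, as an authenticator and its server would hold after enrollment.
OTP_SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")
KEY_SECRET = b"constructed-authenticator-key"


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class OtpServer:
    """Real site checking a passcode. The code carries no hint of where it was typed."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def login(self, code: str, now: int) -> bool:
        # Accept the current 30-second step and the previous one for clock drift.
        return any(hmac.compare_digest(code, totp(self.secret, now - d)) for d in (0, 30))


def relay_passcode(server: OtpServer) -> bool:
    """Victim reads the code from their app and types it into FAKE_ORIGIN;
    the attacker pastes it into REAL_ORIGIN five seconds later."""
    code_typed_on_fake_page = totp(OTP_SECRET, NOW)
    return server.login(code_typed_on_fake_page, NOW + 5)


def sign(key: bytes, challenge: str, origin: str) -> str:
    """Stand-in for the authenticator's signature over (challenge, origin)."""
    return hmac.new(key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


def authenticator_assert(key: bytes, challenge: str, browser_origin: str) -> dict:
    """The browser, not the page or the user, tells the authenticator which origin
    it is on, and that origin goes under the signature."""
    return {"challenge": challenge, "origin": browser_origin,
            "sig": sign(key, challenge, browser_origin)}


class OriginBoundServer:
    """Real site checking a WebAuthn-style assertion."""

    def __init__(self, origin: str, key: bytes):
        self.origin, self.key, self.pending = origin, key, set()

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def login(self, assertion: dict) -> bool:
        challenge = assertion["challenge"]
        if challenge not in self.pending:        # unknown or already used: replay
            return False
        self.pending.discard(challenge)
        if assertion["origin"] != self.origin:   # signed for some other site
            return False
        expected = sign(self.key, challenge, assertion["origin"])
        return hmac.compare_digest(expected, assertion["sig"])


def relay_origin_bound(server: OriginBoundServer) -> bool:
    """Attacker starts a real login, forwards the challenge to the victim's browser
    sitting on FAKE_ORIGIN, and relays the result. The attacker cannot rewrite the
    origin field: it is covered by a signature they cannot produce."""
    challenge = server.new_challenge()
    phished = authenticator_assert(KEY_SECRET, challenge, FAKE_ORIGIN)
    return server.login(phished)


def legit_origin_bound(server: OriginBoundServer) -> bool:
    challenge = server.new_challenge()
    return server.login(authenticator_assert(KEY_SECRET, challenge, REAL_ORIGIN))


def replay_origin_bound(server: OriginBoundServer) -> tuple:
    """Same valid assertion presented twice: the second use must fail."""
    challenge = server.new_challenge()
    assertion = authenticator_assert(KEY_SECRET, challenge, REAL_ORIGIN)
    return server.login(assertion), server.login(assertion)


if __name__ == "__main__":
    print("passcode relayed through fake page accepted:", relay_passcode(OtpServer(OTP_SECRET)))
    srv = OriginBoundServer(REAL_ORIGIN, KEY_SECRET)
    print("origin-bound assertion relayed through fake page accepted:", relay_origin_bound(srv))
    print("origin-bound assertion from the real page accepted:", legit_origin_bound(srv))
    print("same assertion used twice:", replay_origin_bound(srv))
```

The passcode check has nothing to compare against: a six-digit number typed on a fake page is indistinguishable from one typed on the real page. The origin-bound check works because the server never trusts where the user thought they were; it trusts what the browser signed.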

 

Real-Time Authentication AND Device Verification

The Duo app acts as a 'soft token' for the Duo backend. Your username and password are still checked by the application itself (the VPN, Salesforce, your identity provider); Duo never sees the password. Once that first check passes, the application hands the login to Duo, and the Duo backend compares the request against what is already on file for you before it grants access:

  • An enrolled phone or token for that user account (the Device ID)
  • The application being accessed, and whether your account is allowed to use it
  • The authentication method the policy requires for that application (Push, passcode, security key)
  • Whether the login is coming from a company-managed device, if a Trusted Endpoints policy is set
  • And more (if pre-set): location, operating system and browser version, for example

To demonstrate, let’s go through what a normal Duo use case looks like.

Say you want to access the company Salesforce account. The company has enabled the Push Notifications feature.

Using Duo, this is what you’d do for access:

  • Begin logging in to the Salesforce account (also works for VPN, email, portal, etc.) with your normal username & password.
  • You get a notification on your phone. It's the Duo app with a question, the location the login is coming from, and Approve/Deny buttons. "Are you logging in to Salesforce?"
  • You tap the "Approve" button.
  • Duo tells Salesforce the second factor passed.
  • Access granted.

This takes what, 10 seconds?

What the Duo System's doing at the same time:

  • Salesforce confirms Bob's password, then tells Duo that Bob the User wants to log in to Salesforce, and from which device and IP address.
  • Duo checks its policy first: is Bob allowed this application? Does the login come from a device Duo recognizes, and from an allowed location? If any of these fail, Duo denies the login and Bob never even sees a push.
  • Duo sends a push notification to Bob's phone, showing the application and the login's location.
  • Bob approves; the enrolled device is verified, and the user is authenticated.
  • Does the policy want an additional confirmation for this application?
    • If yes, the Duo app asks for a fingerprint or face scan (or, with Verified Duo Push, the number shown on the login page). Then it grants access.
    • If no, grant access.

Again, all happening within 10 seconds.
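The order of those backend steps is the security-relevant part: policy is evaluated before any push goes out, so a login that fails device trust or application access never produces a prompt the user could approve by mistake. The added example below (not Cisco's or Duo's code; the directory, applications, devices and rules are constructed) is a toy of that decision flow, with the pre-push checks separated from the user's response and the optional step-up.

```python
"""Added example, not Cisco's or Duo's code: a toy of the backend decision the
list above describes. Directory, apps, devices and rules are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool        # enrolled in company device management (a "trusted endpoint")
    location: str        # derived from the login's IP address


@dataclass(frozen=True)
class LoginRequest:
    user: str            # primary password already verified by the application
    application: str
    device: Device       # the laptop or browser the login is coming from


# Constructed backend state, the counterpart of what an admin console holds.
ENROLLED_PHONES = {"bob": "phone-7f3a"}                    # Duo Mobile enrollments
GROUPS = {"bob": {"sales"}}
APP_ACCESS = {"salesforce": {"sales", "it"}, "vpn": {"it"}}
TRUSTED_DEVICE_ONLY = {"salesforce", "vpn"}                 # deny unmanaged devices
STEP_UP_APPS = {"vpn"}                                      # biometric confirmation in-app


def pre_push_checks(req: LoginRequest) -> tuple:
    """Policy that runs before any push is sent. A failure here means the user is
    never prompted, so an attacker's attempt cannot generate a push to approve."""
    if req.user not in ENROLLED_PHONES:
        return False, "user has no enrolled Duo device"
    if req.application not in APP_ACCESS:
        return False, "application not protected by Duo"
    if not GROUPS.get(req.user, set()) & APP_ACCESS[req.application]:
        return False, "user not permitted for this application"
    if req.application in TRUSTED_DEVICE_ONLY and not req.device.managed:
        return False, "login from a device Duo does not recognize as company-managed"
    return True, "policy passed; push sent"


def push_prompt(req: LoginRequest) -> str:
    """What the user sees on the phone. The application and location are the
    cues to compare against what they are actually doing right now."""
    return (f"Are you logging in to {req.application} from {req.device.location}? "
            f"[Approve] [Deny]")


def decide(req: LoginRequest, approved: bool, biometric_ok: bool = False) -> tuple:
    """Full decision: policy first, then the user's response, then step-up."""
    ok, reason = pre_push_checks(req)
    if not ok:
        return "deny", reason
    if not approved:
        return "deny", "user denied the push"
    if req.application in STEP_UP_APPS and not biometric_ok:
        return "deny", "biometric confirmation required for this application"
    return "allow", f"{req.user} authenticated to {req.application} on {ENROLLED_PHONES[req.user]}"


if __name__ == "__main__":
    laptop = Device("lt-0421", managed=True, location="Fremont, CA")
    stranger = Device("unknown", managed=False, location="Bucharest, RO")
    bob_sf = LoginRequest("bob", "salesforce", laptop)
    print(push_prompt(bob_sf))
    print(decide(bob_sf, approved=True))
    print(decide(LoginRequest("bob", "salesforce", stranger), approved=True))
    print(decide(LoginRequest("bob", "vpn", laptop), approved=True))
```

In the constructed run, Bob's Salesforce login from his managed laptop is allowed; the same login relayed from an unmanaged machine is denied before a push is ever sent; and a VPN login is denied because Bob's group has no VPN access, regardless of what he taps on the phone.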

 

More Advantages to Using Duo

  1. Easy way to keep unauthorized access out of your network. No Duo account, no code, no login!

  2. Creates a culture of security awareness. New employees get Duo when onboarding, showing them that the company takes its security seriously.

  3. Duo has a Restore feature. If you change or lose your phone, Duo Restore moves your Duo Mobile accounts to the new phone from a backup, and if that isn't available your IT team can send you a reactivation link. No need to re-register and jump through validation hoops.

  4. Friendly with Active Directory. Duo works with AD natively, whether it's on-prem or Microsoft Entra ID (formerly Azure AD).

  5. Hard tokens are available for end users who do not have company mobile phones and/or don't want to put company apps on their personal phones.

  6. Fully supported. Duo is a paid product. This is good for you: the team behind Duo is accountable for it, with a support contract behind it, and it's their job (literally) to keep Duo current and stable.
    • Cost is low, by the way – just $3/month per user for Duo Essentials (which PlanetMagpie has deployed for many customers).

 

Next-Level MFA Helps Keep Phishing at Bay, Without Complicating User Access

If a cybercriminal wants to gain access to your company's cloud services, there are two main ways in.

  1. Guess their way in with specialized software, brute-forcing one account or spraying a few common passwords across many. No guarantees here, and it's noisy and easy to catch.
  2. Obtain a valid login/password for a current user via phishing. Easier, and a higher success rate than brute force. This is why phishing is so popular, and why the MFA step has to hold up when the password doesn't.

Duo gets in phishing's way. With the right methods turned on, it strengthens every user's login, keeping their access safe, every day, in about 10 seconds. Phishing gets a lot harder.


Does your network need phishing-resistant MFA? Contact PlanetMagpie’s Support Team to try Duo, at sales@planetmagpie.com


Robert Douglas, IT Consulting Team Lead

consulting@planetmagpie.com