An Adversary’s Perspective: 2FA

Julian Cohen
5 min read · Mar 10, 2021


Before you turn on 2FA, think about it from an adversary’s perspective.

Lots of security teams like to turn on 2FA because it’s “obvious,” it’s a compliance requirement, and it’s nearly 100% effective against password reuse and credential stuffing attacks. And while password reuse and credential stuffing are two of the most common and fastest growing tactics among adversaries, there are some cases where an organization may not tolerate mandatory 2FA, like employee friction or customer retention. So, let’s take a look at 2FA through adversary intelligence and find out if there are more effective or less intrusive controls we can use to achieve the same goals.


Adversary Tactics

Password Reuse

Password reuse describes the practice of using the same password across multiple sites and accounts. It also describes the practice of an adversary compromising credentials from one organization or buying a set of stolen credentials from an underground marketplace and using those credentials to log into an account to gain access to an organization.

Credential Stuffing

Credential stuffing describes a few different kinds of brute force attacks that use information about which credentials are likely to work. Credential stuffing may use lists of the most common passwords, passwords and/or usernames stolen from compromised sites or purchased from underground marketplaces, or full sets of credentials stolen from compromised sites or purchased from underground marketplaces.

MITRE buckets password reuse and credential stuffing into valid accounts. This is also known as account takeover (ATO). Many different adversaries are known to use compromised credentials.

SIM Swapping

Some adversaries that are motivated by stealing cryptocurrency and social media accounts are known to bypass SMS 2FA by using a variety of techniques to steal a user’s phone number and redirect their text messages to an adversary-controlled phone.

Security Requirements

Our security goal here is to reduce or prevent password reuse and credential stuffing, to prevent accounts from being used as delivery mechanisms for an intrusion, because accounts have access to data and resources and those things are valuable to the business.

Two Factor Authentication

Obviously, the easiest solution here is to turn on 2FA for everyone and require every account to have a unique and random password generated and stored in a password manager. But there may be business requirements or goals that prevent this from happening and users may not be complying with security policies regarding 2FA and password managers.

Unique credentials across accounts

We can achieve the same effect as 2FA by simply giving every account a unique, random password.

No easily guessed passwords

Without 2FA, any common or easily guessed passwords are a problem so we need to prevent those as well.

Detection of compromised accounts

Even if we have reused credentials and easily guessed passwords, we could still be okay if we have early detection of when those credentials are used and we are able to quickly disable those credentials and any established access.

Controls

Now that we have more specific requirements, what controls other than 2FA can we use to achieve them?

Password Managers

Deploy a password manager and its browser extensions to every employee device and train your employees how to use the password manager. Use built-in auditing features like password scores, compromised account detection, and password reuse counts to determine which employees are using the password manager properly and which employees need more incentives and training.
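The reuse-count and easily-guessed-password audit described above, written out as an added example (this is not the article’s code, nor any password manager’s). It assumes a vault export as a list of (site, username, password) entries and a small constructed common-password list; real managers run this inside the vault so plaintext never leaves it, and the report below carries only a short hash fingerprint for the same reason.

```python
"""Password-vault audit: reuse counts and easily guessed passwords.

Added illustration, not code from the article or a password-manager
vendor. VAULT and COMMON_PASSWORDS are constructed sample data.
"""
import hashlib
from collections import defaultdict

# Constructed stand-in for a common-password list (real lists have millions).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Constructed sample vault export: (site, username, password).
VAULT = [
    ("vpn.example.com", "alice", "correct horse battery staple"),
    ("mail.example.com", "alice", "correct horse battery staple"),
    ("hr.example.com", "alice", "Welcome1"),
    ("wiki.example.com", "alice", "x9!Lq#2vR8pT@ws4"),
]


def fingerprint(password):
    """Short SHA-256 prefix so the audit report never contains plaintext."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def is_easily_guessed(password, min_length=12):
    """Flag short passwords and anything on the common-password list."""
    return len(password) < min_length or password.lower() in COMMON_PASSWORDS


def audit(vault):
    """Return (reuse_counts, reused_sites, weak_sites).

    reuse_counts maps a password fingerprint to how many sites share it
    (only entries used on more than one site are included).
    """
    sites_by_fp = defaultdict(list)
    for site, _user, pw in vault:
        sites_by_fp[fingerprint(pw)].append(site)

    reuse_counts = {fp: len(s) for fp, s in sites_by_fp.items() if len(s) > 1}
    reused_sites = sorted(
        site for fp, s in sites_by_fp.items() if len(s) > 1 for site in s
    )
    weak_sites = sorted(site for site, _user, pw in vault if is_easily_guessed(pw))
    return reuse_counts, reused_sites, weak_sites


if __name__ == "__main__":
    counts, reused, weak = audit(VAULT)
    print("reuse counts by fingerprint:", counts)
    print("sites with a reused password:", reused)
    print("sites with an easily guessed password:", weak)
```

Run per employee, the two lists are exactly the “password reuse count” and “password score” signals the article suggests using to decide who needs more training, without anyone outside the vault ever seeing a password.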

Single Sign-On

Single Sign-On simplifies account management processes like onboarding, offboarding, and password resets. But where SSO really shines is when there’s evidence of a reused password or a compromised account, you can disable that account across your environment until the user changes their password.

You can also add transparent 2FA in your enterprise by requiring certain logins to originate from company-managed devices. (You can also call this BeyondCorp or zero trust, if you really want to.)

Account Access Telemetry and Detection

Collect successful and failed logins and associated details like IP address, user agent, location, and more from your SSO system and other systems users log into. Pipe them into your log manager and write simple detections like:

  • When a user successfully logs in from two locations in an amount of time that is shorter than it would take to physically travel from one to the other.
  • When a user successfully logs in from a device we’ve never seen before and we have a reasonable history of devices.
  • When a user successfully logs in from a known malicious IP address.
  • When multiple users attempt to log in from the same IP address or location that isn’t explicitly allowlisted.
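The four detections listed above, implemented as an added example over a few constructed SSO log records (this is not code from the article or from any log manager). The JSON field names, the haversine distance, the 900 km/h impossible-travel threshold, the threat-intel and allowlist sets and the per-user device history are all assumptions made for the example.

```python
"""Login-anomaly detections over constructed SSO log lines.

Added illustration, not the article's code. Field names, thresholds
and the reference lists below are assumptions for the example.
"""
import json
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample records (ISO-8601 UTC timestamps, RFC 5737 test IPs).
SAMPLE_LOGS = [
    '{"ts":"2021-03-10T09:00:00Z","user":"alice","result":"success","ip":"203.0.113.10","device":"dev-a1","lat":40.71,"lon":-74.01}',
    '{"ts":"2021-03-10T10:00:00Z","user":"alice","result":"success","ip":"198.51.100.7","device":"dev-a1","lat":51.51,"lon":-0.13}',
    '{"ts":"2021-03-10T11:00:00Z","user":"bob","result":"success","ip":"203.0.113.20","device":"dev-b9","lat":40.71,"lon":-74.01}',
    '{"ts":"2021-03-10T11:05:00Z","user":"carol","result":"success","ip":"192.0.2.55","device":"dev-c1","lat":37.77,"lon":-122.42}',
    '{"ts":"2021-03-10T11:06:00Z","user":"dave","result":"failure","ip":"192.0.2.55","device":"dev-d1","lat":37.77,"lon":-122.42}',
    '{"ts":"2021-03-10T11:07:00Z","user":"erin","result":"success","ip":"192.0.2.55","device":"dev-e1","lat":37.77,"lon":-122.42}',
]

KNOWN_BAD_IPS = {"203.0.113.20"}     # constructed threat-intel list
ALLOWLISTED_IPS = {"203.0.113.10"}   # e.g. the office egress address
# Constructed device history; alice has too little history to judge a new device.
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b1", "dev-b2"}}
MIN_DEVICE_HISTORY = 2   # "reasonable history": alert only past this many known devices
MAX_SPEED_KMH = 900.0    # faster than this between two logins => impossible travel


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def parse(lines):
    """Parse JSON log lines and return them sorted by timestamp."""
    events = []
    for line in lines:
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(lines):
    """Return a list of (rule, subject) alerts for the four detections."""
    alerts = []
    last_success = {}            # user -> most recent successful login
    users_by_ip = defaultdict(set)  # ip -> users who attempted a login (any result)
    for e in parse(lines):
        user = e["user"]
        users_by_ip[e["ip"]].add(user)
        if e["result"] != "success":
            continue
        # 1. Impossible travel: two successes further apart than one could travel.
        prev = last_success.get(user)
        if prev is not None:
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            if hours > 0 and km / hours > MAX_SPEED_KMH:
                alerts.append(("impossible_travel", user))
        last_success[user] = e
        # 2. Never-seen device, but only once we have a reasonable history.
        known = KNOWN_DEVICES.get(user, set())
        if len(known) >= MIN_DEVICE_HISTORY and e["device"] not in known:
            alerts.append(("new_device", user))
        # 3. Success from a known malicious IP.
        if e["ip"] in KNOWN_BAD_IPS:
            alerts.append(("malicious_ip", user))
    # 4. Multiple users attempting from one non-allowlisted IP.
    for ip, users in users_by_ip.items():
        if len(users) > 1 and ip not in ALLOWLISTED_IPS:
            alerts.append(("shared_ip", ip))
    return alerts


if __name__ == "__main__":
    for rule, subject in detect(SAMPLE_LOGS):
        print(f"{rule}: {subject}")
```

In a real log manager each rule would be a saved query over the same fields; the point of the sample is that every one of the four detections needs only the login result, IP, device identifier, and coarse geolocation the SSO system already emits, plus a device-history baseline and an allowlist that you maintain yourself.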

Compromised Account Detection

Services like haveibeenpwned and SpyCloud can alert you when credentials from your organization show up in public breaches and underground marketplace sales. Use these alerts to know when to disable accounts or force password resets.

Password Reuse and Credential Stuffing Testing

Run tests against the systems your adversaries are most likely to attack. For example, your internet-facing VPN, your publicly accessible employee dashboard, and your employee e-mail accounts. Any successful test should result in notifying the affected employee, giving them a reasonable amount of time to change their password, and subsequent monitoring of their accounts. In some cases, you may want to perform an audit of their access, perform a threat hunt focused on their accounts, or enforce 2FA on their accounts.

Canary Credentials

Deception technology can be useful for obtaining early warning of an imminent intrusion. Seed your most critical vendors with fake credentials and create fake employees with easy to guess passwords. Collect telemetry around when these accounts have successful logins and create response and recovery runbooks for when your canaries die.

Conclusion

You don’t have to turn on 2FA to build an effective defense against password reuse and credential stuffing. But, it’s always important to keep your adversaries in mind. If you have adversaries that utilize SIM swapping, you should make sure that you’re using U2F or TOTP 2FA instead of SMS 2FA. If you have adversaries compromising phones or other devices that may impair the efficacy of different types of 2FA, make sure you include that in your analysis of controls.

Even if your compliance or regulatory framework requires 2FA, doing this analysis gives you a strong narrative around compensating controls for 2FA, and shows that your controls and account security program are as good as or better than 2FA.

We know that adversaries are going to use the least costly, simplest, most scalable, and most repeatable tactics to achieve their goals. And we know that defenders should choose controls that raise attacker cost the most and are the lowest cost to implement. But different organizations have different tolerances and costs for implementing high-friction controls like 2FA.

Written by Julian Cohen

Risk philosopher, CISO, Program builder, Advisor, Investor, Ex-vulnerability researcher, Ex-CTF organizer and competitor.