TECH-IT-OUT: MFA, SAML, Single Sign On Authentication and MFA Fatigue

Show Notes

In this episode of Krome Cast: Tech-IT-Out we discuss Multifactor Authentication, SAML Authentication, SSO Single Sign-On and how to protect users against MFA Fatigue.

This tech panel podcast features Krome's Commercial Director, Sam Mager, along with Krome's Head of Security Operations, Paul Edwards, Technical Director Ben Randall, and CTO Rupert Mills, sharing their insights on MFA authentication best practises and how you can protect your organisation from an MFA Fatigue attack.

► ABOUT KROME: Krome Technologies is a technically strong, people-centric technology consultancy, focused on delivering end-to-end infrastructure and security solutions that solve business challenges and protect critical data. We work collaboratively with clients, forming long-term business partnerships, applying knowledge, experience and the resources our clients need to solve problems, design solutions and co-create agile, efficient and scalable IT services.

► KROME WEBSITE: https://www.krome.co.uk/ 

► CONTACT 
• Telephone: 01932 232345 
• Email: info@krome.co.uk

► ABOUT KROME: Krome Technologies is a technically strong, people-centric technology consultancy, focused on delivering end-to-end infrastructure and security solutions that solve business challenges and protect critical data. We work collaboratively with clients, forming long-term business partnerships, applying knowledge, experience and the resources our clients need to solve problems, design solutions and co-create agile, efficient and scalable IT services.

► KROME WEBSITE: https://www.krome.co.uk/

► SOCIAL MEDIA
• YouTube: https://www.youtube.com/@krometechnologies
• Linkedin: https://www.linkedin.com/company/krome-technologies-ltd
• Instagram: https://www.instagram.com/krometechnologies/
• Twitter: https://twitter.com/KromeTech
• Facebook: https://www.facebook.com/KromeTechnologies/

► CONTACT
• Telephone: 01932 232345
• Email: info@krome.co.uk

Transcript

0:01

Welcome to Krome Cast, Tech-it-Out. I'm Sam Mager, Commercial Director for Krome Technologies. I'm joined once again by my business partner, Rupert Mills. Head of Security Operations, Paul Edwards. Good morning Sam. And the one and only Ben Randall. Hi Sam. Hi, guys. So today we're talking about user security, specifically, MFA, SAML authentication, Single Sign On, and I guess some of the some of the news we've read recently, some breaches and so on around things like MFA fatigue. So we'll talk about some of the technologies, but I guess some of the some of the pitfalls, what's happening to these people, and I guess, some of the behaviors we can we can talk about and invoke amongst our client base and user base to hopefully, educate and stop some of these behaviors. Cool, so I'll take my technical hot potato, and throw it to one of you to grab. Yeah, I think what you were talking about earlier with the MFA fatigue thing, it's, it's particularly prevalent at the moment, because it's become the new sort of favorite method of access for a lot of the groups of bad actors, shall we term them as. But it's become something that people have, we spent a long time educating the user base to, let's get multifactor authentication involved, this is how you use multifactor authentication. And then people come up with ways to work that to manipulate the people to give them what they want. So if we explain MFA fatigue to start with, for those that don't understand it, it's essentially where you keep bombing the person with MFA request after MFA request after MFA request, till eventually they give up and approve it. So on a lot of MFA techniques, for example, if we focus on authenticator apps, Microsoft authenticator, Google Authenticator, or something like that. You have the one push, yes, I approve this, when you get an authentication request. And what's happening is people are picking on individuals at odd times of the day. So in the middle of the night, your phone keeps beeping at you at one o'clock in the morning saying, do you allow me to authenticate? Do you allow me to authenticate? You're tired, you've just been woken up by your phone, you're frustrated because it keeps doing it, and eventually people will give up and just go oh, just go away and press yes. Stop beeping. Yeah, stop beeping. And at the point, you press yes, and stop beeping, what you've effectively done is said yes, I approve this person who's trying to access my account to log in and access my account. So someone's compromised a password at that point, and they're just pressing the authenticate, authenticate, and you've given in. Yeah, till eventually you give in, yeah. And you talked about breaches, there's been some famous ones recently. Notably, Uber is probably the one that's made the most press, but Cisco and a few others. There's, I think Australia's second biggest telco company called Optus from top of my head, have basically had a massive breach as well, it's really big news in Australia. But it's it's very common for this sort of thing to be starting to happen and it's causing a lot of people challenges. What you've got to do is look at the big push for a while has been implement MFA, everybody get MFA out, they're getting it implemented. And now it's a question of, have you just implemented MFA? Or have you implemented MFA well? Which now, I'll hand over to the two real experts in the room, and then talk about implementing MFA well. Yeah, I mean, the thing to consider, obviously, there's, there's MFA, and that covers a whole field. So we've got, there's not just like your app on your phone. So you might have, you know, at the most basic level, we've got some things like an SMS notification, you get that from your bank, and so on, where you receive a code from them, and then you put that into the website, and that's the number one thing you hear about scammers trying to get people, call people up and say, oh, we just need you to give the code and try and gain access to a bank account, or something like that. Additionally, SMS is relatively easy by sort of human engineering methods to gain access to those messages. It's not particularly secure, it's better than nothing. But yeah, and then then obviously, we're going into the, the apps, as you say, where you have a, what they call a one time password, where you've got the code that comes up, that's fairly secure. But again, there are weaknesses in that in that you can have a proxy attack, I guess we can go into a little depth on that later. But the one you're really talking about is the approve/deny, You know the, this is me, this isn't me, and it's so easy to say yes, on that. And so, you know, the, and in addition to the app methods, then we've got things like, FIDO keys, so like, the commercially the YubiKey and other equivalents, which are very secure, because you need a password, passcode and the physical key with a certificate on it. Yeah. To authenticate. I think if you do some reading around the subject, the YubiKeys and things like that, they're they're great devices, but they're not in supporting in as many places the authenticator apps yet and stuff, so there's, rolling them out is a good idea and they're great pieces of hardware, but there's it's, a lot of people still relying on the authentication app, and then if you don't just go with the approve/deny, it's a question of okay, how do you make that more secure? I mean, Paul, how would you how would you take that away and make that approve/deny piece more secure? So we could look to change that to provide a prompt to the user, so it's not just a yes or a no, it's, it gives them a challenge. So enter a number, select a choice of, Microsoft just recently rolled this out to to personal accounts, currently in preview for the business accounts, but gives you a choice of three, three numbers. So you have to select the right one, in order to be able to log in, you get the wrong one, it's essentially a deny. There's another full - Does it lock you out at that point? I'm just thinking about obviously, very similarly, put your pin number in the wall, if you put in three times you can't get into your bank account. If someone's trying that continually knocking until you give in, but you have to put in something which isn't isn't necessarily just go, and you get that wrong, can it then lock you out and prevent and potential someone just keep going until you give them the right one? So that's coming, it's in preview, certainly on the Microsoft side, not yet, it won't lock out your account, but it won't lock out the MFA aspect of it yet, but soon, that's gonna be a feature, so definitely one to enable. I think Microsoft are the planning on switching the default authentication method to be the the prompt and response method basically, so you'll get a number pop up or whatever. Once it's, once it moves out of preview, they're planning on all the business Azure AD, it'll be the default method just because this MFA, basically social engineering. Social engineering is starting to make it much easier to work out, let's not hack the computer, let's hack the person, and work out how we do that. I think there's the other one that's very common, or be it slightly less in the headlines, is people phoning up, I'm from your IT department, I'm your administrator, you need to reset your password, we need to go through this process with you. Let me dial into your computer while you do it, and that sort of stuff. And that's all going on as well at the moment. So it's all, we've talked about on this podcast before, but actually the education of the user base as well as implementing best practises for security are - We've talked lots about MFA, I mean, that's been the big thing, is that the one thing you really should implement that that kind of bolsters any security strategy, is make sure you're using MFA. So that then becomes the attack vector, right? Because everyone, everyone's gone that way. So everyone wants the, everyone's talking, or everyone knows about, everyone has had MFA, I wouldn't say pushed on them, but it's been rolled out in kind of, in anger and earnest because we all need it. That becomes the obvious point to attack now, does it not? Yeah. Yeah, I think it's the, if you go back away, sort of MFA, MFA used to be token keys like RSA token keys and things like that. And they'd have a code on it, rather than you just pressing approve. And I think there's that, okay, we need to get MFA out, but we need to make it simple for users. So they say right, now, instead of having a code, you just press approve on your phone. Yeah. The next step on from that is people think, okay, how can I attack that? And how can I target it? Because it's not a code anymore, and because you've actually just hit approve, if someone wakes you up in the middle of night says, go and get that old token key out of your out of your bag, and type in the five-digit PIN code, you're not likely to do it. Whereas if your phone's sitting next to you, as everyone does at night, put your phone on the bedside table or whatever, beep beep, beep, beep, oh just go away. So it's now a recognition by the vendors, they need to go a step back and say, okay, this was making it easy for people to use, because we needed that for user adoption. Majority of companies have now adopted it and users have got used to it, okay, we do need to have this. It has been the case in some organisations for years, but now it's kind of generally the case for every organisation, and now what's happening is that now we need to secure it again, because it's that, people are finding ways around hacking the person. Yeah. Yeah, I mean, it's about the the sort of the, the adoption, it's the, how high is the bar to adoption, like, when you have those, those external keys, they're quite expensive - Yeah. Difficult to implement, obviously, it's got a lot easier with things like the MFA apps and so on, and getting the users to agree to do it. And then you make it, it's trying to improve, improve security while also improving the sort of the user experience. Yeah, absolutely. Yeah and the keys, people leave them at the bottom of a bag as I mentioned a minute ago, but oh I've lost my token, this that and the other. People tend to take care of their phone. So again, it's something that's with you, it's something thats prelevent. That's why a lot of stuff switched to SMS years ago, was because that whole Okay, we'll send something to your phone, rather than you needing that that key with you all the time. Yeah. I mean, the banks, you were, in the early days, were rolling out all the little, here's your bank security MFA device, you just don't see them anymore. Because it's either on your phone or done in some other way via an SMS. But it's just no one uses the devices really anymore, but there is still need to make sure that you implement it securely and you do put it on. So you talk briefly about proxy attacks, I mean that's probably worth highlighting as well, because that's an interesting alternative that - Yeah, absolutely. The the situation where you've got a, you log into the website and go into whichever thing it is, and it asked you to put the code in which is on your phone, which obviously rotates every 30 seconds. Now a key feature of that, they call it a one time password, but actually it's not. It's a it's a short lived password, so it lives for 30 seconds. You could actually use it as many times as you like in that time. So what's happened is that the, the the bad player, the bad attackers or whatever, have created a website that looks exactly like the one you need to log into, they trick you to get to that via some other pop up or whatever social engineering method, and that passes through the the actual authentication page, the authentication that you're doing to the actual genuine site. So for example, it's your web, your bank's website, you log in, it looks like whatever bank, you log in there, you enter your code, they take that code and use it, but then also pass you through to the to your actual bank, so you log in, and they log in at the same time. So you're none the wiser that anything bad has happened, but they've got your account. Yeah. And that, obviously is a, is a challenge. But I think that with the, with the actual code matching method, I don't think it's possible to do that, because they'd have to log on as you in advance, to actually send you that, display the code, which you're going to select on the phone as being the correct one. So in some ways, I think it's actually better than the rolling code, Yeah The short live password, or one-time password. I guess they'd have to pretty quickly generate the image to send you, which numbers or whatever if they were going to do it that way. Yeah. It's a bit more a bit more thought a bit more - Yeah, I mean, it's not impossible, but it's - I'm sure something will happen. I was about to say, someone at some point, that's obviously the next iteration of - Yeah. But it's just, if you go back to what Paul was saying about account lockout, if you implement something like that, it's like okay, much like you have password lockout, if you enter your password wrongly five times it locks your account. You have MFA lockout and say, okay, when you MFA badly five times, if you've then got to select the one from three image or one from four image or whatever it might be, you get to that point of the likelihood of you selecting the right one within that five becomes smaller and smaller, then you lock your account out and you go back to, I need to go back to my IT Admins and ask them to unlock my account, Yep And when you've got security products in place, I mean, you tell me, I'm assuming that Sentinel and things like that, would pick up and be able to say, okay, actually this, the password is alright, but it failed MFA? Yeah you can, you can see that, you can see the location, you can see a number of attempts, you can set thresholds on - So would things like Darktrace and Sentinel would see if someone's had, if somebody's repeatedly asking them to authenticate. Can we just like at that point go, well, no. Yeah, that's exactly it. Yeah. Additionally, actually, you'll have the what's known as risky logins. Yeah. Which is detection, so for example, I've been to those websites... Well, if, [laughter] for example, if we had, you logged in here, and then here almost instantly, Yeah. As in with that, with that proxy attack, I suspect then the risky logins could be triggered if one's in Thailand and one's in the UK or wherever. Yeah, impossible travel. I was with the team yesterday talking about, we had one with I think it was Birmingham, Cardiff, and then Spain, somewhere in Spain, don't know specifically, but within about 10 minutes of each other. And to be fair, it was someone on a VPN, but it was that whole it was flagged because it got picked up by the, by Darktrace, I think it was it, might have been Sentinel, of going around and finding this person that logged in, in three places oddly, all at once. Yeah. It's just patterns that fall outside that normal users behavior. Say if they only login from a certain place, and then suddenly, they're logging in from over here, or multiple places, it sets alarm bells going off that actually it might not be be the user. Yeah, I was doing some admin work on Sunday on one of our servers that I don't log into very often. And our 24/7 team actually contacted me on Teams while I was sat there saying, have you just logged into this? Because we've had an alert. Yeah, actually, I'm doing some work on it. Oh okay, cool, we were just checking because we could see that you'd logged in, Probably delete you but it was outside of, exactly. Delete me, fair enough. [Laughter] But outside of my normal pattern of behavior, so. It's it's having all of those tools layered on each other, going back to educating the users - As someone looking at it. But implementing things like MFA well, and continually tightening that security posture, That's what I was going to say then. So obviously, the, the pushing MFA out is great. It's made it really easy because it is just a login here, put your fingerprint or whatever it might be here, and you're in But that's sort of, saying that's almost too easy, right? So, so what would you guys recommend is, to our clients as it were, what should they be thinking of? What's the easiest next step that gives them the kind the best level of security without becoming too onerous, where you're carrying multiple different things and things you could forget, and so on. I would say that, looking at where you can use Single Sign On technologies, such as SAML. So for example, if you've got, if you're a Microsoft user, and you've got Microsoft Azure, you know, M365. Yeah. You could be using the MFA to log into that, and so you've got credentials in Azure, you've got that account that you log in with. You can also integrate using authentication method in the SAML to authenticate authenticate other services, which are not directly related to that, you can actually use integrate that authentication. Okay, yep. So this is something which multiple of our clients are going through at the moment, is adding SAML authentication, so they can use the same login as they use for everything else, rather than having a separate set of credentials. Yeah, yeah, yeah. Which chances are, would either need a separate MFA platform, you know, so they can use the same authentication, same password, same MFA method for all these different services, and apply the same conditional access rules and so on. So, thus making it easier for the user, and they're less likely to have a password written down somewhere. Yeah. That's the -[Laughter] Back to the challenge, again always being, perennially being the person in the chair rather the system and the security, right so. The other thing to consider is actually is that, never underestimate the resourcefulness of a user to actually find a way around, around to make things life easy for themselves. We've all heard about the post-it note with the password on the monitor, but one we came across recently, was was in a warehouse, an actual barcode on the on the, they've realised that the barcode scanners that they had with them, could actually scan text, scanned into text, so they put their password in the barcode form on their laptop. So they could scan that and then log in. Well, which I thought, you know, hats off for ingenuity, I hadn't even thought of that. But unfortunately, that's behavior to be frowned upon. [Laughter] Yes, indeed. But again, it just shows you it's it always comes down to I think, it's the education isn't it. There's great technologies to a, protect the MFA piece well, but then to notice if there is bad actors and unusual behaviors, and so on, but the key thing is always the education of the user base as to the importance of MFA, and not being silly and not trying to be super resourceful and scan your passwords or, you know, sticking it on the back of your laptop case, and all that sort of stuff. Bad actors will go for the weakest target essentially, the easiest thing to breach and quite often, that is the human element. You can put all the tech resources there, but if the user is going to click approve on an MFA prompt and let them in, then then that's the easiest, the, the most cost effective route into that into that business to compromise them, so. yeah, easiest return, isn't it? Yeah. Tidying up old accounts inside systems as well, equally important, because that bit, if you get in as a user, you're still at a user level of privilege. Once they're in the system, they then start traversing internally looking for things, and if you have old admin accounts that have been left there, that aren't in use, and that sort of stuff, that tends to be the next step on because normally, that initial compromise gets them in at that level. Once they're in, they stay in and they start traversing around trying to find something so. So housekeeping internally, as well, as is an absolutely important one. Removing local accounts, or restricting if there's say two login pages, one that's protected with MFA and SAML, and one that's maybe not, maybe a page that should be internal only, or one that's maybe just forgotten about, just didn't know it was there. And if there's a way in without MFA, then that's what they're going to use, because it's easier. Okay, so I guess in summary, it's it's, as always, user behavioral training, having the right tools that aren't too onerous, but are very secure, making it as easy as possible, and then housekeeping. Yeah, and tightening up your MFA. So when it all goes live with with sort of business, for the, for the next MFA methods, get them tightened up and get them moved forwards if you are using one-touch passcodes at the moment or one-touch authentication. Keep it under review. Yeah. Alright guys. Thank you as always, always insightful and a little bit terrifying. And I shall be reviewing my own. I will be taking my password off the top my laptop after this podcast. I haven't Paul, you haven't got to check, it really isn't. [Laughter] Thank you guys, I appreciate it as always. Thank you, Sam. Thank you. And thank you for joining us on this episode of Krome Cast, Tech-it-Out. If there's anything you'd like us to cover in future episodes, then leave that in the comment section below. Remember to like, subscribe, and share, and join us again next time on Krome Cast, Tech-it-Out.