How to protect integrity of multi-factor authentication

As organizations increasingly adopt multi-factor authentication (MFA), hackers are stepping up their attempts to dismantle these protective layers.

One technique – smishing, or phishing via SMS text – is now considered one of the biggest threats to healthcare cybersecurity, according to an August 10 report from the Department of Health and Human Services (HHS).

 MFA phish kits

But smishing isn’t the only way an attacker can bypass multi-factor authentication. Cybercriminals also can employ MFA phish kits, which are malicious software tools, to conduct phishing attacks that specifically target the multi-factor authentication process.

MFA phish kits rely on transparent reverse proxy, which allows bad actors to spy on users’ activity during a browser session. Also known as a “man-in-the-middle” (MitM) attack, cybercriminals obtain login credentials and session cookies, effectively dismantling multi-factor authentication. Once they have the session cookie, they can return to the website again without needing credentials.

In the past, phishing was associated with leading unlucky individuals to a copycat website that would steal users’ information that they input. By using a phish kit, bad actors can access credential information from perfectly legitimate websites. Users can go through the hoops of multi-factor authentication without even knowing they are giving up their data to someone else.

Maintaining the integrity of Multi-Factor Authentication

The HHS recommends healthcare organizations consider additional security measures to maintain a safe, secure, and effective multi-factor authentication system.

Enable Additional Context

Enhance authentication procedures by requiring additional context, such as location and application name. This helps bolster the accuracy of authentication decisions and provides a more comprehensive assessment of user legitimacy.

Adopt Risk-Based Authentication

Implement an authentication approach that evaluates the risk associated with each login attempt. By analyzing factors like device type, IP address, and user behavior, the system can dynamically adjust the authentication requirements based on the perceived level of risk. For example, a user who lives in the U.S. but is trying to log into an application from Russia would need to pass more authentication tests.

Implement FIDO2 Authentication

Integrate FIDO2 (Fast Identity Online) authentication standards, which offer a stronger level of security compared to traditional password-based methods. FIDO2, a passwordless method, employs public key cryptography and hardware-backed security tokens to ensure secure and convenient user authentication across various platforms and devices.

For example, if a user wants to sign into an account, they request authentication. Skipping any need for a password, the authentication request will be sent to their mobile phone where they must prove their identity through Touch ID or Face ID for Apple products and Windows Hello for Androids.

Roaming and portable authenticators, like Hideez Key, offer a secure alternative to smartphones.

Defending Against Biometric Spoofing Attacks

In some cases, a bad actor will try to impersonate an authorized user by recreating biometric information, such as fingerprints or facial photos.

To enhance protection against biometric spoofing attacks, the HHS recommends healthcare organizations consider implementing the following security measures:

• Selfie Authentication: This process requires employees to use their smartphone or webcam to take a selfie and perform a “liveness detection test.”
• Remote Fingerprinting: Using smartphones, individuals can capture and validate multiple fingerprints in a contactless and non-intrusive manner. This is particularly beneficial for the healthcare sector, given the increasing number of cyber threats.
• Voice Authentication: Users can utilize voice recognition software to confirm identity.
• Video Know Your Customer (KYC): This involves real-time video interaction between employees and employers.

Spread Security Awareness around MFA

Promoting awareness of multi-factor authentication (MFA) within an organization involves conducting workshops, leveraging leadership support, and sharing practical examples of its effectiveness. Regular reminders, gamification, and seamless integration into onboarding processes further reinforce the importance of MFA adoption and contribute to a security-conscious culture.

By following the recommended best practices and raising awareness among users about the risks and benefits of MFA, organizations and individuals can strengthen their defenses against these deceitful tactics. As technology evolves, so must healthcare organizations’ strategies for safeguarding sensitive information from malicious actors.