
by Joe Stocker

Redefining multifactor authentication: Why we need passkeys

Feature
15 Mar 2024 | 8 mins
Authentication | Identity and Access Management | Multi-factor Authentication

As attackers become more adept at defeating authentication apps and IP fencing, passkeys are a more secure and user-friendly alternative.

Persistent threats such as business email compromise (BEC) necessitate an evolution of cybersecurity defenses to protect identities. Transitioning away from a reliance on authenticator apps and IP fencing toward a comprehensive zero-trust framework, incorporating FIDO2 security keys or passkeys, offers a path to more secure and user-friendly authentication experiences. By embracing these technologies, organizations can fortify their defenses against sophisticated cyber threats, ensuring a higher level of security in an increasingly digital world.

We’ve all heard that identity is the new security boundary. This change became a reality when software as a service (SaaS) became mainstream. What does “identity is the new security boundary” mean? The more we authenticate directly to cloud apps from wherever we happen to be, the less a perimeter firewall can do to protect us; the credential itself, not the network, is what stands between an attacker and the data.

CSOs seem to still be catching up to securing identities in this new modern SaaS world. On February 12, 2024, Microsoft VP Alex Weinert announced only 38% of all authentications to M365 are protected by multifactor authentication (MFA).  

One example of why MFA is important: The single most common security threat is business email compromise (BEC). Hackers have figured out that a phishing email that leads to a wire transfer is the lowest effort with the highest reward. The US Federal Bureau of Investigation (FBI) has stated that BEC is a major threat to the global economy with losses estimated at $50 billion from 2013 to 2022. There were 80 times more losses due to BEC than ransomware in 2022 ($2.7 billion versus $34 million).

During that same time, MFA adoption has increased substantially. So why has MFA not slowed down BEC attacks? I’ve helped dozens of BEC victims over the years and I’ve found most of the attacks were preventable. Here’s how hackers are bypassing MFA today and why the FIDO Alliance’s Passkeys will help.

The vulnerabilities of authenticator apps

Authenticator apps, designed to provide a second factor beyond the traditional password, have been lauded for their simplicity and added security. They are not without flaws, however. One significant issue is MFA fatigue, also called push bombing: an attacker who already holds the password, typically from a single password spray, triggers push prompt after push prompt until the worn-down user approves one and inadvertently grants access. Number matching in modern authenticator apps blunts push bombing, but it does nothing against attacker-in-the-middle (AiTM) phishing. A reverse-proxy toolkit such as Evilginx2 sits between the user and the genuine service and relays the real login page; the user completes the real MFA challenge, number match included, and the proxy captures the resulting session cookie, which the attacker replays to sign in without ever touching MFA. Because the user really is talking to the legitimate service, only through a hostile relay, no amount of prompt matching helps. That is why these attacks are so hard to prevent, and why the controls organizations usually reach for next deserve a closer look.
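Push bombing leaves a recognizable trail in sign-in telemetry: a burst of denied or timed-out prompts for one account, then an approval. The following is an added example (not code from the article or its author) of a detection that flags that sequence; the event shape, the thresholds and the sample rows are constructed for the demonstration, and real sign-in logs carry equivalent fields under other names.

```javascript
// Added example, not from the article: flag the push-bombing (MFA fatigue)
// pattern in sign-in telemetry. Event shape, thresholds and sample rows are
// constructed; real sign-in logs carry equivalent fields under other names.

const WINDOW_MS = 10 * 60 * 1000; // prompts within 10 minutes count as one campaign
const MIN_UNANSWERED = 3;         // this many denied/timed-out pushes before an approval

// Returns one alert per user who approved a push after >= minUnanswered
// unanswered pushes inside the window. Events may arrive in any order.
function detectPushBombing(events, windowMs = WINDOW_MS, minUnanswered = MIN_UNANSWERED) {
  const byUser = new Map();
  for (const e of [...events].sort((a, b) => a.ts - b.ts)) {
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push(e);
  }
  const alerts = [];
  for (const [user, evs] of byUser) {
    let recent = []; // unanswered prompts still inside the window
    for (const e of evs) {
      recent = recent.filter(r => e.ts - r.ts <= windowMs);
      if (e.result === 'approved') {
        if (recent.length >= minUnanswered) {
          alerts.push({ user, unanswered: recent.length, approvedAt: e.ts, approvedFromIp: e.ip });
        }
        recent = []; // an approval ends the campaign either way
      } else {
        recent.push(e); // 'denied' or 'timeout'
      }
    }
  }
  return alerts;
}

// Constructed sample telemetry (documentation IP ranges).
const T0 = Date.parse('2024-03-01T08:00:00Z');
const min = n => T0 + n * 60 * 1000;
const sampleEvents = [
  // alice: four ignored prompts in six minutes, then an approval -> alert
  { user: 'alice', ts: min(0), result: 'denied',   ip: '198.51.100.23' },
  { user: 'alice', ts: min(1), result: 'timeout',  ip: '198.51.100.23' },
  { user: 'alice', ts: min(2), result: 'denied',   ip: '198.51.100.23' },
  { user: 'alice', ts: min(4), result: 'denied',   ip: '198.51.100.23' },
  { user: 'alice', ts: min(5), result: 'approved', ip: '198.51.100.23' },
  // bob: one mistap, then approval -> normal
  { user: 'bob',   ts: min(0), result: 'denied',   ip: '203.0.113.8' },
  { user: 'bob',   ts: min(1), result: 'approved', ip: '203.0.113.8' },
  // carol: three denials spread over 40 minutes -> never inside one window, no alert
  { user: 'carol', ts: min(0),  result: 'denied',   ip: '192.0.2.44' },
  { user: 'carol', ts: min(20), result: 'denied',   ip: '192.0.2.44' },
  { user: 'carol', ts: min(40), result: 'denied',   ip: '192.0.2.44' },
  { user: 'carol', ts: min(41), result: 'approved', ip: '192.0.2.44' },
];

function runDemo() {
  return detectPushBombing(sampleEvents);
}

console.log(runDemo()); // one alert, for alice, with 4 unanswered prompts
```

The approval itself is the interesting event, so the rule keys on it rather than on the denials alone; in practice the alert should also carry the IP and location of the approved sign-in, since a push-bombing approval almost always comes from a network the user has never used.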

The inefficacy of IP fencing

On the surface, IP fencing, the practice of restricting access to services based on the user’s IP address, offers a straightforward security control. Yet this method is increasingly impractical and outdated in today’s SaaS world, and it is incompatible with zero-trust principles such as assume breach.

Zero trust is a security strategy and approach for designing and implementing the following set of security principles:

  • Verify explicitly: Always authenticate and authorize based on all available data points.
  • Use least privilege access: Limit user access with just-in-time and just-enough access (JIT/JEA), risk-based adaptive policies, and data protection.
  • Assume breach: Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.

This is the core of zero trust. Instead of believing everything behind the corporate firewall is safe, the zero-trust model assumes breach and verifies each request as though it originated from an uncontrolled network. Regardless of where the request originates or what resource it accesses, the zero-trust model teaches us to “never trust, always verify.”

So, do not configure an access list to restrict access to someone’s home network, which operates on the assumption that the home network is safe. Assume that the user, the device, and the network have all been compromised. Authenticate the user and the device. Practice microsegmentation. Implement host-based firewalls.

IP fencing may still have a role as a fourth factor (after password, authenticator app, and device) for privileged IT accounts, but it does not scale to regular users. Privacy features in modern operating systems make it unrealistic: iCloud Private Relay, introduced with iOS 15, routes the user’s traffic through relay servers operated by partners such as Cloudflare, so the source address the identity provider sees is a relay address rather than the user’s own network. Security operations center (SOC) analysts struggle to make sense of these connections if the identity system is not designed to authenticate both the user and the device.

When I see IP fencing deployed, I see gaps in policies to make exceptions for BYOD devices. This is because authenticating a BYOD device is not easily achievable without the consent of the employee. Ninety-five percent of organizations permit their employees to use personal devices. It is not possible to have an IP fence tied to a user’s identity when users are permitted to use their personal phones since most users push back and do not permit IT to install corporate mobile device management (MDM) apps on their personal devices. This is the most common complaint I hear from IT departments today.

Attackers can exploit the inevitable gap that gets created when IP fencing is applied only to Windows and macOS and mobile devices are excluded. The hacker simply sets their web browser to emulate a phone’s user agent, and they are in.

[Screenshot: Microsoft Chromium Edge and Chrome Developer Tools allow user-agent emulation (spoofing). Image: Joe Stocker]

This user-agent spoofing erodes the reliability of IP-based controls, which cannot be reliably applied to BYOD mobile devices (without the user consenting to enrolling their phone into MDM, deploying a cert, or installing a VPN). This highlights the necessity of evolving beyond static defense mechanisms and embracing the zero-trust paradigm.
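To make the gap concrete, here is an added example (not code from the article, its author, or any product) of a toy access-policy evaluator. The first policy is the pattern described above: desktops must come from the corporate range, and mobile is exempt because BYOD phones cannot be enrolled. The second never branches on the self-asserted User-Agent and instead requires a claim the identity provider can actually vouch for. The request and policy shapes, the IP range and the user agents are all constructed for the demonstration.

```javascript
// Added example, not from the article: why an IP fence with a "mobile is
// exempt" carve-out is bypassed by user-agent spoofing, and how requiring a
// device-compliance or phishing-resistant-auth claim closes the gap.
// Request shape, IP range and user agents are constructed.

const CORP_RANGE = '203.0.113.0/24'; // documentation range standing in for "the office"

function ipInCidr(ip, cidr) {
  const [net, bits] = cidr.split('/');
  const toInt = s => s.split('.').reduce((n, o) => (n << 8) + Number(o), 0) >>> 0;
  const mask = Number(bits) === 0 ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return (toInt(ip) & mask) === (toInt(net) & mask);
}

// Platform inferred from the User-Agent header, exactly as a naive policy does.
// The header is chosen by the client, so this is an attacker-controlled input.
function platformFromUserAgent(ua) {
  if (/iPhone|iPad|Android/.test(ua)) return 'mobile';
  if (/Windows NT|Macintosh/.test(ua)) return 'desktop';
  return 'unknown';
}

// Naive policy: desktops are IP-fenced; mobile is exempt because BYOD phones
// are not enrolled, so there is nothing else to check on them.
function naivePolicy(req) {
  if (platformFromUserAgent(req.userAgent) === 'mobile') return 'allow';
  return ipInCidr(req.ip, CORP_RANGE) ? 'allow' : 'block';
}

// Hardened policy: ignore User-Agent and source IP entirely. Grant only if the
// device presented a compliance claim (set by the identity provider after it
// authenticated the device against MDM) or the user signed in with a
// phishing-resistant method (also recorded by the identity provider, not the client).
function hardenedPolicy(req) {
  if (req.deviceCompliant === true) return 'allow';
  if (req.authMethod === 'fido2' || req.authMethod === 'passkey') return 'allow';
  return 'block';
}

// Constructed requests. 198.51.100.0/24 plays the role of a home network.
const DESKTOP_UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0';
const IPHONE_UA  = 'Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/605.1';
const sampleRequests = {
  desktopFromHome:       { ip: '198.51.100.7',  userAgent: DESKTOP_UA, deviceCompliant: false, authMethod: 'push' },
  // same attacker, same machine, User-Agent switched in DevTools device emulation
  spoofedMobileFromHome: { ip: '198.51.100.7',  userAgent: IPHONE_UA,  deviceCompliant: false, authMethod: 'push' },
  corpManagedDesktop:    { ip: '203.0.113.20',  userAgent: DESKTOP_UA, deviceCompliant: true,  authMethod: 'push' },
  byodPhoneWithPasskey:  { ip: '198.51.100.9',  userAgent: IPHONE_UA,  deviceCompliant: false, authMethod: 'passkey' },
};

function evaluateAll(policy) {
  return Object.fromEntries(Object.entries(sampleRequests).map(([name, req]) => [name, policy(req)]));
}

console.log('naive:   ', evaluateAll(naivePolicy));    // spoofedMobileFromHome is allowed
console.log('hardened:', evaluateAll(hardenedPolicy)); // spoofedMobileFromHome is blocked
```

Note that the hardened policy still admits the unenrolled BYOD phone, but only because that user signed in with a passkey; the decision rests on something the identity provider verified rather than on a header the attacker typed.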

The role of FIDO2 and device compliance

The limitations of MFA and IP fencing underscore the urgency of adopting a zero-trust security framework. FIDO2, whose credentials are bound to the authenticator that holds them and to the origin that registered them, offers a significant leap in security by providing robust phishing resistance. When combined with device compliance checks through an MDM solution such as Microsoft Intune or VMware Workspace ONE, organizations can ensure that only secure, up-to-date devices gain access to sensitive resources. This strategy not only addresses the shortcomings of previous methods but also aligns with the zero-trust principle that trusts nothing and verifies everything.

While physical FIDO2 security keys (such as YubiKeys) represent a significant advance in passwordless, phishing-resistant authentication, compatibility issues, particularly on mobile devices, have hampered adoption, specifically in Microsoft enterprise shops. Integrating them with personal phones proved too technically challenging for non-technical end users, and there was no complete alternative because authenticator apps are not yet phishing-resistant. Finally, reliance on physical keys introduces logistical hurdles and costs.

The innovative concept of passkeys offers a promising solution. Based on FIDO standards, passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Unlike passwords, passkeys are always strong and phishing-resistant. They come in two forms: device-bound passkeys, which never leave the authenticator that created them (a security key or a TPM-backed platform authenticator), and synced passkeys, which the platform’s credential manager backs up and copies to the user’s other devices. Either way, no additional hardware is required, and the password itself disappears from the user experience. Microsoft’s initiative to integrate passkeys into the conditional access authentication features of Microsoft Entra ID as early as March 2024 marks a pivotal step toward simplifying and strengthening authentication practices and follows through on the joint commitment that Apple, Google, and Microsoft made on May 5, 2022, to adopt the passkey standard. Apple made good on its commitment with the integration of passkeys in iOS 16, and Google did so in the fall of 2023.

The advantages of passkeys

Passkeys stand out for their inherent phishing resistance. The private key is bound to the device and to the specific relying party that registered it, and the browser will only exercise the credential for an origin that matches that relying party’s identifier, so a proxy at a look-alike domain never obtains a valid assertion. This mitigates network-based AiTM proxy attacks such as Evilginx2 and shifts the battle to defending against primary refresh token theft on the Windows device.

Passkeys not only enhance security but also improve the user experience by eliminating the need to manage physical tokens. The shift to passkeys represents a cost-effective strategy for organizations, reducing the overhead associated with distributing and replacing physical tokens.


Joe Stocker founded Patriot Consulting Technology Group in Southern California in 2015 and has grown it to become one of the most trusted Microsoft Security Partners in the United States. Joe is a Microsoft Security MVP (one of 30 in the USA), author of the book “Security Microsoft 365,” speaker, blogger, and podcaster in all things Microsoft Security. In his spare time Joe volunteers with several Microsoft programs including Microsoft's Defending Democracy (AccountGuard) program, Microsoft Tech for Social Impact, and the Microsoft Software and Systems Academy (MSSA), which helps military service members transition into the civilian workspace.