Want to learn the best practice for configuring Chromebooks with 802.1X authentication?

Sign up for a Webinar!

Stronger Multi-Factor Authentication With Certificates

It’s widely held knowledge that using a single factor for authentication to wireless networks is less than secure and easily exploited by hackers. According to IBM’s X-Force Threat Intelligence Index, 35% of exploitation activity involves Man-in-the-Middle Attacks which easily bypass single factor authentication.

Each additional layer of protection adds significant difficulty to any potential data thief looking to infiltrate a secure wireless network. Read here how an American startup upgraded from credential-based authentication to certificates to provide much stronger network security.

But MFA is not impenetrable, and multiple cases have come out that highlight some of the weaknesses of this security measure. The exploits primarily arise from the continued use of credentials within the MFA process. Time and again, its been shown that credentials are highly susceptible to hacking attacks and are inferior to certificates for authentication.

MFA Has Vulnerabilities

To effectively implement MFA, your authentication method must include at least 2 of the following: something you know, something you have, or something you are. An example of each of these would be a password, a smart card, or biometrics, respectively. By using any combination of these, your authentication process is far more difficult to penetrate and will effectively thwart an attacker 99% of the time.

The exceptions when MFA is circumvented most often occur when the authentication requirements are not particularly secure on their own. A common theme among successful MFA hacks them tends to be an organization’s reliance on their users to be the backbone of the cybersecurity system. Hackers will use a combination of social engineering attacks, Man-In-The-Middle attacks, and exploitation of weak passwords to gain authentication access to a secure network.

https://www.nice.com/engage/blog/wp-content/uploads/2019/11/Types-of-Biometrics-Blog-682X325.jpg

People are the Weakest Link in Network Security

Many successful hacking attacks occur due to an overreliance on people to uphold strict security standards. The average network user is not well-versed in network security best practices, especially when it comes to credential-based authentication. Some recurring issues with credentials is the tendency to use weak passwords, reuse passwords across multiple accounts, and allowing other people to use their password, which increases the odds of it being stolen.

In addition to weak credentials, social engineering attacks have proven to be frighteningly effective. This type of attack does not use technical methods to steal information from a system or device, but rather is a manipulation tactic to get information from a person. Some common forms of social engineering are phishing and manipulation of a person to get authentication information. These attacks are designed to play into a person’s fear, sympathy, or excitement and trick them into divulging information that could compromise the network.

Hackers Bypass MFA

A Chinese government linked hacking group known as APT 20 demonstrated a unique and effective method to foil MFA and gain unauthorized access to highly secure networks. As an initial point of entry, they found vulnerabilities in web servers and installed web shells, which is a script used to maintain and escalate access within a compromised system. With a web shell in place, they began to spread throughout internal systems

The primary goal of the web shell was to locate legit credentials. They searched for dumped passwords and administrator accounts, but primarily wanted to obtain VPN credentials. With VPN credentials, APT20 would increase their level of access to more secure areas of infrastructure and VPN accounts provided more stable backdoors for legitimate access.

The next step was to steal an RSA SecureID Software Token. This type of token is used to generate valid, one-time codes for MFA purposes. It was believed that this wasn’t possible because SecureID tokens require physical connection to the device to generate the code, similar to many smart cards. Without a device, the system generates an error; so how did APT20 get around this?

https://cdn.arstechnica.net/wp-content/uploads/2012/06/securid-800.jpg

Under normal circumstances, the token is generated for the specific system: a system specific value. That specific value is only confirmed when importing the SecurID Token Seed, which is not related to the seed used to generate MFA tokens. APT20 used the web shell to patch the check that verifies whether the imported token was generated for the specific system.

With a patch in place, they were able to bypass the system specific value check and use the RSA SecureID Software Token. By patching the single instruction, they were able to remotely connect to the network and gain full, unrestricted secure access to the wireless network.

Another, more streamlined method used to bypass MFA is a clever phishing attack that tricks the user into giving the malicious actors permission to bypass MFA on Office 365. The attacker would utilize the OAuth2 framework (a standard for users to grant information access to applications) and OpenID Connect (OIDC, an open standard authentication protocol) to disguise a rogue application as a SharePoint link.

The attacker would share the SharePoint link in an attempt to trick the user into granting permissions to the rogue application. Once they’ve obtained access permissions, the bad actor can bypass MFA without even needing to steal credentials.

Weak OS Can Compromise MFA

The security of MFA can be compromised if the applications it protects are supported by compromised OS. One such situation involved the Google Authenticator app creating a weakness in the authentication process.

Similar to a One-Time Passcode (OTP), Google Authenticator generates an OTP-like code, but the code is generated on the user’s device and never travels over the air. Seems like a foolproof system to avoid over-the-air theft, right?

A banking trojan malware called Cerberus has been detected that enables remote connection to an infected device. The hacker then has the ability to control the content of the interface and send it to a controlled server. The hacker can use the owner’s banking credentials to access the online banking account, then use the stolen Authenticator passcode to bypass MFA.

While initially a trojan through the banking application, there’s no reason Cerberus cannot spread to other applications. If the device is compromised, any Authenticator-based MFA has the potential to be accessed. This includes email inboxes, social media accounts, sensitive files, and countless others.

Certificates Are Key To Secure MFA

One of the most effective methods for minimizing the risk of your authentication process being compromised is to seek out solutions that limit the involvement of the user in the process. Whenever a cybersecurity system relies on people to uphold security standards, it increases the avenues in which it can be compromised. A key component is to eliminate the use of credential-based authentication and switch to certificate-based authentication.

Utilizing an onboarding software to distribute certificates to users’ devices allows them to self-configure while guaranteeing that every device is correctly configured. SecureW2’s JoinNow software can be completed in a few simple steps, after which the user is able to automatically authenticate to the secure network whenever they are in range. Credentials require manual entry while certificates authenticate automatically with no human interaction.

Join Us

Additionally, credential-based networks require a password expiration policy to try and combat the use of weak passwords. After a set period of time, every user device is disconnected from the network and must be reconnected with a new, unique password. This often encourages the use of nearly identical passwords, or weak passwords, because frequent updates to multiple credential sets can be difficult to keep track of.

With certificates, once the user configures the first time, they are securely connected to the network for the life of the certificate. This is predetermined by the organization, but many choose to set certificate expiration years into the future.

Some organizations may stick with credentials because they integrate with nearly all application authentication processes while certificates can be limited. Luckily, this barrier is easily surmountable with SecureW2. We provide integration with Okta identity management to expand certificates’ connection capabilities.

SecureW2 can authenticate a user’s identity in Okta using PIV/certificate authentication. By combining Okta’s identity context with certificates, you can authenticate to a slew of applications and benefit from the strength of MFA and certificate authentication.

Gain Identity Context Of Your Network

The key to certificate authentication that thwarts the ability to circumvent MFA is public-private key encryption that protects the process. To authenticate a certificate, you need the private key, which is only known if you have a certificate signed by the issuing certificate authority. This makes it impossible for anyone outside the organization to authenticate to the network. The key cannot be stolen and reused due to its advanced encryption. Furthermore, it’s highly recommended to configure server certificate validation to ensure that the device only connects to the correct RADIUS Server and blocks the possibility of a Man-In-The-Middle attack.

Beyond the streamlined user experience that certificates boast, they are also tied to the identity of the user and device. Credentials are something the user knows and can be given to another person for access. This leads to identity issues because you cannot be certain that the credentials are always being used by the identified user.

With SecureW2, certificates cannot be removed from the device or transferred to another person, so when a particular user is confirmed accessing the network, they have been accurately identified.

Essentially, once a user’s device is equipped with a certificate, it cannot be stolen or transferred through a social engineering attack or over-the-air attack to be used by a data thief.


To improve the overall security of your network, MFA is an excellent authentication paradigm, but it’s important to ensure that each of the multiple factors are secure methods on their own. If a hacker is able to overcome one method, they may have the ingenuity or social engineering skills to gather the remaining information.

The success of manipulation tactics truly highlights the need to remove the human element from cybersecurity and automate your security practices with certificate authentication to have a truly secure network. Check out SecureW2’s pricing page to see how our MFA solutions can fit your authentication security needs.

 

Learn about this author

Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.

Stronger Multi-Factor Authentication With Certificates