Don’t worry. This is not a business horror story with a supply chain attack and a huge ransom demand at the end, but it still could have been serious. I was sitting at home last night playing a board game with my partner when MS Authenticator buzzed on my phone, presenting the usual three numbers to select. Now, at this point I was busy: we were both in a very tense moment of conflict that required concentration and planning, I was feeling tired and had been overstretching myself recently, and I very nearly approved without thinking.


Two things stopped me: (1) it was my home email address, not work, and (2) there was (in very small writing) the word “China”. It is likely my home Microsoft password had been brute-forced: although it was unique, it was just not strong enough. The result was a press on “Deny”, a password change, and then we defeated the cardboard threat on the table, so all hopefully ended well – but it might not have.


My home and work email addresses have slight similarities, and even with MFA on both accounts I could have accidentally approved a push request in a situation where one was expected; we have periodic reauthentication requirements, for example, that can appear at the least convenient times. No, the lesson here is not that Multifactor Authentication saved me this time; if you do not have MFA by now you are wide open. It is really about the level of MFA or, better yet, the Identity Management you use. A good Identity Manager (such as Entrust’s Identity as a Service) would have had analytical tools that determined I couldn’t be in New Zealand and China at the same time. If my identity app had been protected with a device-bound TLS client certificate, it would have identified that the login attempt was not from one of my devices, and with passwordless single sign-on there would have been no password to brute-force in the first place for many devices, apps and services. And this is before even mentioning the growing use of deepfakes to circumvent biometric authentication.


If your customers are using basic MFA at work, users are at risk of click fatigue. Much better that they only need to deal with events that have already passed through an automated “deny filter” before reaching the end user, so they can spend more time doing productive stuff without security getting in the way.
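To illustrate the automated “deny filter” just described, together with the impossible-travel and device-certificate checks mentioned earlier, here is a small example written for this post (it is not Entrust’s or any vendor’s implementation; the speed threshold, geolocation jitter allowance, device-certificate thumbprints and sign-in records are all assumed). It decides, before any push reaches the phone, whether a sign-in should be denied outright, allowed silently from a known device, or passed to the user as a challenge.

```python
# Added example (not from the original post): a minimal "deny filter" that
# evaluates a sign-in before any push is sent, combining an impossible-travel
# check with a device-certificate check. Thresholds and sample data are assumed.
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set

MAX_PLAUSIBLE_KMH = 1000.0   # assumption: roughly airliner speed
JITTER_KM = 50.0             # assumption: ignore small IP-geolocation noise

@dataclass
class SignIn:
    user: str
    when: datetime              # timezone-aware
    lat: float
    lon: float
    device_id: Optional[str]    # device-certificate thumbprint, None if none presented

def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def decide(attempt: SignIn, history: List[SignIn], trusted_devices: Set[str]) -> str:
    """Return 'deny', 'allow' or 'challenge' (challenge = send the push to the user)."""
    prior = [s for s in history if s.user == attempt.user and s.when <= attempt.when]
    if prior:
        last = max(prior, key=lambda s: s.when)
        km = haversine_km(last.lat, last.lon, attempt.lat, attempt.lon)
        hours = (attempt.when - last.when).total_seconds() / 3600
        # Impossible travel: the user cannot have covered that distance since the last sign-in
        if km > JITTER_KM and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
            return "deny"
    if attempt.device_id and attempt.device_id in trusted_devices:
        return "allow"          # known device certificate: no push needed
    return "challenge"          # plausible location but unknown device: ask the user

def _t(hour: int) -> datetime:
    return datetime(2024, 1, 1, hour, tzinfo=timezone.utc)

AKL, BJS = (-36.85, 174.76), (39.90, 116.40)     # constructed: Auckland, Beijing
TRUSTED = {"cert-thumb-home-laptop"}             # constructed device-cert thumbprint
HISTORY = [SignIn("me@example.com", _t(6), *AKL, "cert-thumb-home-laptop")]

def demo() -> dict:
    """Three constructed attempts an hour or two after the Auckland sign-in above."""
    return {
        "beijing_1h_later": decide(SignIn("me@example.com", _t(7), *BJS, None), HISTORY, TRUSTED),
        "auckland_known_device": decide(SignIn("me@example.com", _t(8), *AKL, "cert-thumb-home-laptop"), HISTORY, TRUSTED),
        "auckland_unknown_device": decide(SignIn("me@example.com", _t(8), *AKL, None), HISTORY, TRUSTED),
    }
```

Only the third case ever reaches the user as a push, which is the point of the filter: the Beijing attempt is refused without anyone having to notice the small “China” label.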


To talk to us about Identity Management, email sales@bluechipit.co.nz.

