The current principles of building a multi-factor authentication system do not meet modern challenges and do not always meet the existing needs for ensuring access security.
Enormous efforts and resources are spent on developing and modernizing authentication systems. But all innovations concern authentication methods, not principles.
It is easier to implement a new way to log into a web application than to come up with a new principle, but is it really that effective? Let's look into this issue in more detail.
Authentication is an integral part of the widely known Zero Trust security concept. The goal of the concept is to protect all of the company's IT systems, on both the internal and the external network, from unauthorized access. If you try to implement it in practice, you will inevitably encounter difficulties, because it is multi-factor authentication itself that prevents the concept from being fully implemented.
The traditional multi-factor authentication system is implemented through agents.
Agents are specialized software that inject an additional factor into the standard authentication process. Such agents are installed on user workstations, Radius servers, and application servers. For most specialists, this approach seems like a logical option, if not for one nuance.
No company stands still. It develops, acquires applications, and becomes saturated with systems, so there is always one or more applications that cannot be integrated with the multi-factor authentication system. The reasons may be different - technological or economic. But as a result, part of the corporate network remains unprotected.
The primary authentication provider - the domain controller - always operates in single-factor mode.
The domain controller is the weak link: an attacker who authenticates to it with a valid login and password gains access to corporate resources.
It has been said many times that user accounts are the main attack vector. They are stolen, hunted, and then used to steal sensitive information. Existing MFA systems, unfortunately, are not able to resist this. Moreover, by creating the illusion of security, they sometimes become a source of penetration themselves.
Just a few months ago, one of the leaders in the multi-factor authentication market caused a hack of a company that manages luxury resorts. The attackers gained access to all users' passwords through the authentication system agent.
It is becoming obvious that the principles underlying the logic of traditional multi-factor authentication systems are, unfortunately, already outdated. The problems mentioned above require a modern solution. The world does not stand still, everything changes. It is necessary to change the approaches to implementing multi-factor authentication.
Indeed has created a new approach, which is implemented in a unique product for the Russian market – Indeed ITDR (Identity Threat Detection and Response).
The solution focuses on a part of the security infrastructure that is often overlooked: domain controllers.
Let's consider the main advantages of the new approach to implementing the authentication system:
Minimize infrastructure changes and reduce the costs of maintaining the MFA system.
In a corporate environment, the domain controller is responsible for managing access to resources. It is the one that issues permissions. The number of domain controllers is significantly smaller than the number of target systems. Now there is no need to support a huge number of authentication agents on workstations and servers. The Indeed ITDR solution is completely agentless.
Ability to detect and counter credential attacks in real time.
By intercepting and redirecting access requests on the domain controller before they are processed by the directory service, we gain a number of advantages over traditional multi-factor authentication systems.
Indeed ITDR allows you to detect various types of attacks: from password and login brute force to variations of attacks on the Kerberos protocol and lateral movement. If an attack is detected, the system can block access and notify other security systems (SIEM, SOAR).
Our approach also enables multi-factor authentication for scenarios where it was previously impossible:
- Multi-factor authentication for command-line utilities such as PowerShell and PsExec that are often used to manage servers.
- Ability to configure multi-factor authentication for shared folders on file storage.
The new approach of Indeed allows implementing adaptive resource access policies, including the ability to transparently embed a request for an additional factor from the user depending on the context: from which workstation the request is received, to which resource, and which user requests access.
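The two ideas above, blocking brute force at the domain controller and requesting a second factor based on request context, can be illustrated with a small simulation. This is an added example, not Indeed ITDR code; the thresholds, policy rules, host names and the event format are all constructed for illustration.

```python
"""Constructed simulation of a filter sitting in front of a domain controller's
directory service: it counts failed logons per source, blocks a source that
exceeds a threshold (and records an alert that would go to SIEM/SOAR), and
decides per request whether an additional factor must be requested."""
from collections import defaultdict, deque

FAIL_LIMIT = 5   # assumed: failures from one source within WINDOW seconds -> block
WINDOW = 60      # assumed: sliding window in seconds


class DcAuthFilter:
    def __init__(self, privileged_resources, admin_workstations):
        self.privileged = set(privileged_resources)   # resources that need step-up MFA
        self.admin_ws = set(admin_workstations)       # hosts trusted for admin tooling
        self.failures = defaultdict(deque)            # source -> recent failure timestamps
        self.blocked = set()
        self.alerts = []                              # messages that would be sent to SIEM/SOAR

    def _note_failure(self, source, ts):
        q = self.failures[source]
        q.append(ts)
        while q and ts - q[0] > WINDOW:               # drop failures outside the window
            q.popleft()
        if len(q) >= FAIL_LIMIT and source not in self.blocked:
            self.blocked.add(source)
            self.alerts.append(f"brute-force from {source}")

    def decide(self, event):
        """event: dict with ts, user, source, resource, ok. Returns deny/mfa/allow."""
        src = event["source"]
        if src in self.blocked:
            return "deny"
        if not event["ok"]:                           # password check failed upstream
            self._note_failure(src, event["ts"])
            return "deny"
        if event["resource"] in self.privileged and src not in self.admin_ws:
            return "mfa"                              # transparently request a second factor
        return "allow"


# Constructed event stream: 5 bad passwords from WS-77, then mixed legitimate requests.
EVENTS = [dict(ts=t, user="alice", source="WS-77", resource="LDAP", ok=False) for t in range(5)]
EVENTS += [
    dict(ts=6, user="alice", source="WS-77", resource="LDAP", ok=True),
    dict(ts=7, user="bob", source="WS-12", resource="PSEXEC", ok=True),
    dict(ts=8, user="bob", source="ADMIN-WS01", resource="PSEXEC", ok=True),
    dict(ts=9, user="bob", source="WS-12", resource="SMB://files/public", ok=True),
]


def run(events=EVENTS):
    f = DcAuthFilter({"PSEXEC", "SMB://files/finance"}, {"ADMIN-WS01"})
    return [f.decide(e) for e in events], f.alerts
```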
Indeed ITDR has built-in mechanisms for identifying service accounts in its arsenal.
Administrators can confirm the classification of an account as a service account and apply all necessary restrictions to it.