This article has been indexed from The Duo Blog
Security controls can sometimes be double-edged swords. The obvious benefits can be slightly reversed if the control isn’t managed or practiced properly. To illustrate the point, think about placing a defensive wall around a village. In the early days after the wall is constructed, there is probably a night watchman set to walk the perimeter in case of attack.
Perhaps the villagers are even trained to understand that one horn blast means attackers are approaching and two horn blasts means that invaders are at the wall. However, over time, if attacks become rare and the village goes through a few years of peace, it can be easy to discontinue the night watch and the villagers may go on to forget the horn threat signals. When this happens, the once strong wall protection, though still better than no wall, becomes less effective.
We can map this exact example onto modern multi-factor authentication. There is no question that MFA is a core security control, it plays a key role in stopping credential-based attacks which are still a primary cause of breach. MFA was also required specifically in the most recent Cybersecurity Executive Order. However, MFA is now commonplace enough that folks are beginning to treat it as the wall that’s been around the city for years – some have gotten too used to its protection.
What is Second Factor Phishing?
What does it mean when users get “too used to” MFA protection? At Duo, some of our customers are worried about second factor phishing or push phishing. Second factor phishing can occur when a bad actor has stolen a user’s primary credentials (usually a username and password) and then attempts to gain access to that user’s environment.
The bad actor is hoping that, even if there is MFA in place, end users will be overly conditioned to accept the second factor. In other words, the end user is acclimated to “the wall” and may have forgotten to assess the threat signals. In these cases, the end user just hits accept and the attacker is through – effectively bypassing MFA.&
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: Leveraging Duo Trust Monitor to Detect Push Phishing