Proposing Solutions for the SolarWinds Attackers’ MFA Bypass (Part 2)

In our previous article in this series, we highlighted a very serious threat to networks of all kinds: The hackers presumed to be behind the large-scale breach of SolarWinds’ Orion platform have also been linked to an attack that compromised a multi-factor authentication system. With read access to the MFA server, a bad actor can generate forged cookies and obtain the privileges of an authenticated user.

As it stands today, there’s a lack of adequate solutions for this type of attack, which pinpoints the weakest link in an MFA system to bypass what is otherwise a reliable authentication method. In this article, we’ll sketch out proposed solutions that can neutralize this serious threat to networks.

Scope of the solution

The MFA attack from the SolarWinds hackers targeted the authentication cookie that determines whether users should be prompted for a second authentication factor. That same vulnerability could affect the first factor, or any factor. There are several ways to attack a cookie, some of which are easier than getting the server key. For example, Secure the Logs shows a way that phishing and a proxy tool can help attackers falsify a token and gain access.

A strong remote authentication method based on FIDO offers a potential response to all attacks on cookies. Using a weaker method, hackers might simply attack directly rather than going to the encrypted authentication cookie.

What makes our solution secure?

FIDO authentication is based on asymmetric cryptography-based client authentication. This means a user’s device contains a private key that cannot be duplicated. Theoretically, that is the only device in the world that can authenticate the registered user’s identity – making FIDO stronger than one-time passwords, SMS passwords and related methods.

Our solution relies on each device actively performing cryptographic operations with its own unique private key, which means no other device is able to perform the authentication.

The details

Our solution builds on the template of FIDO as it is commonly practiced. Here’s how:

  • We alter FIDO slightly to make it completely transparent to the user. FIDO requires a “user’s local gesture” to establish that the user is present at the endpoint. For the re-authentication feature, we will introduce a mode whereby FIDO authentication requires no user action.
  • Our solution uses a different key pair than the main FIDO keys. This is a second private key that is available in the endpoint as long as it is running, with no user action.
  • The re-authentication only applies to the same endpoint that took part in the initial authentication, using FIDO features such as the sequence number for verification.

Variants for different environments or conditions

While experts in the FIDO community may have discussed some or all of these contingencies, it’s good to reestablish them following what we’ve seen with the MFA attacks by the SolarWinds hackers:

  • The FIDO protocol could use the cookie and the current time as the challenge, saving a step because the server no longer has to send a nonce.
  • Replacing the nonce this way keeps the strength of the protocol unchanged while increasing speed; the same method could even be used for main authentication.
  • These implementations can be thought of as “active” cookies, because the endpoint actively performs cryptographic operations on them rather than merely presenting them.
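The following is an added example, not code from WinMagic or FIDO Eazy, that works through the unattended re-authentication described in the two lists above: a second device key pair separate from the main FIDO credential, the session cookie plus the current time standing in for a server-sent nonce, and a sequence counter that ties each assertion to the endpoint that opened the session. The Ed25519 key type, the 30-second acceptance window, the cookie||time||counter message layout, and all cookie and timestamp values are assumptions chosen for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Acceptance window for the endpoint's timestamp, which replaces the
// server-sent nonce. The value is an assumption for this example.
const maxSkew = 30 * time.Second

// DeviceRecord is everything the server keeps per registered endpoint: the
// public re-authentication key and the last counter seen. Read access to
// this record does not let anyone produce a valid assertion.
type DeviceRecord struct {
	PubKey  ed25519.PublicKey
	Counter uint32
}

// Endpoint holds the second, unattended key pair (distinct from the main FIDO
// credential) and a counter that increases with every assertion.
type Endpoint struct {
	priv    ed25519.PrivateKey
	counter uint32
}

// Assertion is the "active cookie": the session cookie plus a signature that
// binds it to this device, this moment and this counter value.
type Assertion struct {
	Cookie    []byte
	Timestamp int64 // Unix seconds; stands in for the nonce
	Counter   uint32
	Signature []byte
}

// NewEndpoint generates the unattended key pair and returns the public half
// for registration with the server.
func NewEndpoint() (*Endpoint, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Endpoint{priv: priv}, pub, nil
}

// challenge is the byte string both sides sign/verify: cookie || time || counter.
func challenge(cookie []byte, ts int64, counter uint32) []byte {
	msg := make([]byte, len(cookie)+12)
	copy(msg, cookie)
	binary.BigEndian.PutUint64(msg[len(cookie):], uint64(ts))
	binary.BigEndian.PutUint32(msg[len(cookie)+8:], counter)
	return msg
}

// Assert produces a re-authentication assertion with no user gesture.
func (e *Endpoint) Assert(cookie []byte, now time.Time) Assertion {
	e.counter++
	ts := now.Unix()
	return Assertion{Cookie: cookie, Timestamp: ts, Counter: e.counter,
		Signature: ed25519.Sign(e.priv, challenge(cookie, ts, e.counter))}
}

// Verify is the server side. On success it advances the stored counter.
func Verify(rec *DeviceRecord, sessionCookie []byte, a Assertion, now time.Time) error {
	if subtle.ConstantTimeCompare(a.Cookie, sessionCookie) != 1 {
		return errors.New("cookie does not belong to this session")
	}
	if skew := now.Sub(time.Unix(a.Timestamp, 0)); skew > maxSkew || skew < -maxSkew {
		return errors.New("timestamp outside acceptance window")
	}
	if a.Counter <= rec.Counter {
		return errors.New("counter did not increase: replay or second device")
	}
	if !ed25519.Verify(rec.PubKey, challenge(a.Cookie, a.Timestamp, a.Counter), a.Signature) {
		return errors.New("signature not from the registered endpoint")
	}
	rec.Counter = a.Counter
	return nil
}

// Scenario runs the checks a defender cares about and reports which
// assertions the server accepted. Every input is constructed here.
func Scenario() (map[string]bool, error) {
	ep, pub, err := NewEndpoint()
	if err != nil {
		return nil, err
	}
	rec := &DeviceRecord{PubKey: pub}
	cookie := []byte("constructed-session-cookie")
	t0 := time.Unix(1700000000, 0)
	out := map[string]bool{}

	a := ep.Assert(cookie, t0)
	out["genuine"] = Verify(rec, cookie, a, t0.Add(5*time.Second)) == nil
	out["replay"] = Verify(rec, cookie, a, t0.Add(6*time.Second)) == nil // same assertion again
	out["stale"] = Verify(rec, cookie, ep.Assert(cookie, t0), t0.Add(10*time.Minute)) == nil

	// Impersonator with full read access to the server record (public key,
	// counter, cookie) but only its own private key.
	imp, _, err := NewEndpoint()
	if err != nil {
		return nil, err
	}
	imp.counter = rec.Counter
	out["forged"] = Verify(rec, cookie, imp.Assert(cookie, t0), t0) == nil
	return out, nil
}

func main() {
	res, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println(res) // genuine:true replay:false stale:false forged:false
}
```

The design point is where the secret lives. A passive cookie is minted and checked with the same server-held key, so reading that key is enough to forge one. Here the server record holds only a public key and a counter, so reading the whole record yields nothing usable, and the monotonic counter additionally flags a replayed assertion or a second device presenting the same cookie.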

The ‘techno-logical’ philosophy

We’ve come to our solution through “techno-logical” thinking. That means we consider a solution to a problem to be the correct, more secure one when it is logically correct.

Typical client authentication is about verifying the client, with that client being the user using an endpoint device and an authentication device. Once the client establishes a session with the server, re-authentication occurs to verify that the same endpoint, potentially from the same location, is still participating in the session.

Main authentication is a client authentication and re-authentication is a device authentication.

This solution is here today. We at WinMagic offer FIDO Eazy, which can use a computer’s TPM or software only. With modifications, FIDO Eazy supports “unattended” device re-authentication. Server-side changes are also necessary; we plan to work closely with the FIDO Alliance and ecosystem partners.

Raising the bar on authentication

FIDO is gaining traction as an MFA and passwordless authentication method. Just as the world is moving away from “username and password” logins, it should also move away from standard authentication cookies. FIDO-derived technologies employing “active” cookies are more secure.

After raising the bar in the disk encryption market for 20 years, WinMagic intends to do the same in passwordless encryption. Working with technologies such as FIDO, we can make cyberspace a safer place, where users don’t need passwords.

To prove it, we’re giving away a free version of FIDO Eazy for personal use. To learn more or share your feedback, contact us at info@winmagic.com.
