Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Beyond Passwords: Elastic's Proactive Move to Phishing-Resistant MFA

Beyond Passwords: Elastic's Proactive Move to Phishing-Resistant MFA

Recently, Elastic, a platform for search-powered solutions, discussed the advantages of phishing-resistant multi-factor authentication (MFA). This secure authentication method goes beyond traditional MFA, which uses passwords, SMS codes, or biometrics, by employing multiple layers of protection and a cryptographic registration process.

Phishing-resistant MFA dramatically reduces the success of phishing attacks by ensuring authentication requests come only from trusted sources. In a recent blog post, Arsalan Khan, information security analyst II, and Anthony Scarfe, deputy CIO at Elastic, detailed the advantages of this security solution. Phishing-resistant MFA utilizes advanced factors like fingerprints, facial recognition, PINs, and hardware security keys for robust protection.

Elastic's distributed remote-first workforce and reliance on SaaS applications make MFA crucial for asset protection. Understanding the growing complexity of phishing threats, they made the critical decision to transition. While Elastic previously phased out SMS authentication, they still used push notifications, mobile authenticators, and time-based one-time passwords (TOTP). These methods are useful but leave some vulnerability to modern proxy-based attacks, unlike FIDO2 authentication factors.

Previously, users had to spot subtle changes in URLs to identify session-hijacking attempts. With phishing-resistant MFA, Elastic aimed to ease this burden by relying on robust authentication protocols like Fast Identity Online (FIDO).

FIDO works by using unique keys for each user and website. When a user registers, a public key is shared with the site, while a private key remains securely on their device. To log in, the site sends a challenge; the user's device checks if the website's identity matches where the keys were created. This mismatch detection prevents successful authentication, providing strong protection against phishing.

As per a report from KrebsOnSecurity, recent attacks on Apple users highlighted vulnerabilities in MFA systems. Attackers bombarded users with authentication requests, sometimes combined with deceptive calls impersonating Apple Support. There is also a Hacker News conversation, where a user Iloeki reported experiencing a similar issue in either 2021 or 2022, where their Apple devices, and those of their spouse, were overwhelmed with authentication requests. Initially sporadic, these notifications quickly escalated in frequency, causing significant disruption.

The user implemented recovery keys for both accounts, a security measure designed to block unauthorized access attempts, effectively halting the flow of requests. This incident highlights the importance of proactive security measures, particularly in the face of evolving threats like "MFA bombing".

Elastic implemented phishing-resistant MFA across its entire organization in three months. Their emphasis on data played an important role in this achievement. Elastic's InfoSec program leverages the power of its own Elastic solutions. This allowed them to centralize and monitor assets, identities, vulnerabilities, and other key data.

Using cross-cluster search, they gain deep insights across all these data sources. Elastic's centralized data foundation proved invaluable in providing real-time insights into their phishing-resistant MFA rollout. Through a unified dashboard, they could easily monitor key metrics like the number of registered users, their departments, and geographic locations. This also streamlined communication with senior leadership, ensuring they were consistently informed about the progress and impact of the initiative.

Source: Implementing phishing-resistant MFA: Our data-driven approach

Elastic's communications helped drive real-time engagement with their phishing-resistant MFA initiative. They launched the project by promoting TouchID as the primary authenticator, using a popular Drake meme for added appeal. This resonated with users, resulting in a notable increase in engagement within just one hour.

Building on these insights, Elastic enhanced their alerts with additional user context, such as system owner, host, and job title. They then automated the distribution of these detailed alerts directly to relevant users or system owners.

As per this report from Statista, phishing click rates are expected to rise annually across industries. Even with a security-conscious employee base like Elastic's, there's always a risk of someone falling victim. Once Elastic had established robust data insights, effective communication channels, and an efficient alert system, they realized the importance of providing comprehensive support for their end users. Their focus went beyond mere assistance; they actively educated users about the importance and benefits of phishing-resistant MFA.

About the Author

Rate this Article