How to Protect SSO from Account Compromise


Posted on by Michael Engle

Each week, attackers manage to compromise single sign-on (SSO) and bypass multi-factor authentication (MFA) security controls with relative ease. Companies are worried, and rightly so. However, it is possible to change the rules of engagement.

 

Phishing and social engineering, usually used in tandem, are the preferred methods used by attackers to compromise user credentials. One of the most recent, high-profile examples of social engineering occurred this August at Cisco, where the attacker made phone calls to bypass MFA.

 

A blog by Cisco’s threat intelligence team stated that the initial access to the corporate VPN was achieved via the successful compromise of a Cisco employee’s personal Google account. The blog noted, “After obtaining the user’s credentials, the attacker attempted to bypass MFA using a variety of techniques, including voice phishing (aka "vishing") and MFA fatigue, the process of sending a high volume of push requests to the target’s mobile device until the user accepts, either accidentally or simply to attempt to silence the repeated push notifications they are receiving.”

 

Also in August, email marketing company Mailchimp suffered a data breach following an incident involving phishing and social engineering tactics that targeted cryptocurrency and blockchain companies using the Mailchimp platform.

 

Last year, social engineering was deployed to break into Robinhood, a popular app-based trading platform for non-professional investors. The attack compromised millions of names and email addresses.

 

That breach had a number of similarities to the Twitter hack of 2020. Both breaches involved the use of social engineering to convince an employee to provide access to customer service systems.

 

Despite the frequency and success of phishing and social engineering attacks on MFA and SSO, many companies fail to be proactive in preventing such attacks or at least minimizing their effectiveness. One simple step is employee education.

 

Poor end-user training is a common failing. Many companies fail to educate employees about the legitimate ways support personnel will contact them, so employees cannot recognize fraudulent attempts to obtain sensitive information.

 

The same applies to educating users on the risks associated with errant push requests from apps on their phones. Faced with a sometimes-overwhelming number of requests, it’s easy for users to answer “yes”—thereby instantly opening the door for attackers.
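The push-flood pattern that the Cisco write-up calls MFA fatigue is also visible to defenders in authentication logs, not only to the user holding the phone. As an added example (not from the original post and not tied to any vendor's log format), the following Node.js function flags a user who receives an unusual burst of push prompts and reports how many were rejected and whether one was eventually approved. The event names, the ten-minute window, the threshold of five prompts, and the sample records are constructed assumptions for illustration.

```javascript
// Added example (not from the original post): flagging push-notification
// floods ("MFA fatigue") in authentication logs. Event names, thresholds and
// the sample records below are constructed assumptions, not a vendor schema.

// Constructed sample: bob gets one prompt and approves it; alice is flooded
// with six prompts in under four minutes, rejects five, then approves one.
const SAMPLE_EVENTS = [
  { ts: "2022-08-10T09:00:00Z", user: "bob",   event: "push_sent" },
  { ts: "2022-08-10T09:00:08Z", user: "bob",   event: "push_approved" },
  { ts: "2022-08-10T22:14:00Z", user: "alice", event: "push_sent" },
  { ts: "2022-08-10T22:14:10Z", user: "alice", event: "push_denied" },
  { ts: "2022-08-10T22:14:30Z", user: "alice", event: "push_sent" },
  { ts: "2022-08-10T22:14:41Z", user: "alice", event: "push_denied" },
  { ts: "2022-08-10T22:15:05Z", user: "alice", event: "push_sent" },
  { ts: "2022-08-10T22:15:30Z", user: "alice", event: "push_timeout" },
  { ts: "2022-08-10T22:16:00Z", user: "alice", event: "push_sent" },
  { ts: "2022-08-10T22:16:12Z", user: "alice", event: "push_denied" },
  { ts: "2022-08-10T22:16:40Z", user: "alice", event: "push_sent" },
  { ts: "2022-08-10T22:17:02Z", user: "alice", event: "push_denied" },
  { ts: "2022-08-10T22:17:30Z", user: "alice", event: "push_sent" },
  { ts: "2022-08-10T22:17:44Z", user: "alice", event: "push_approved" },
];

// Returns one alert per user whose peak number of prompts inside any
// sliding window of `windowMs` reaches `minPushes`.
function detectPushFatigue(events, { windowMs = 10 * 60 * 1000, minPushes = 5 } = {}) {
  const byUser = new Map();
  for (const e of events) {
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push({ ...e, t: Date.parse(e.ts) });
  }
  const alerts = [];
  for (const [user, evs] of byUser) {
    evs.sort((a, b) => a.t - b.t);
    const sent = evs.filter((e) => e.event === "push_sent").map((e) => e.t);
    // Sliding window over prompt timestamps: track the densest burst.
    let peak = 0;
    for (let start = 0, end = 0; end < sent.length; end++) {
      while (sent[end] - sent[start] > windowMs) start++;
      peak = Math.max(peak, end - start + 1);
    }
    if (peak < minPushes) continue;
    const rejections = evs.filter((e) => e.event === "push_denied" || e.event === "push_timeout").length;
    const eventuallyApproved = evs.some((e) => e.event === "push_approved");
    alerts.push({ user, pushesInWindow: peak, rejections, eventuallyApproved });
  }
  return alerts;
}

console.log(detectPushFatigue(SAMPLE_EVENTS));
```

An approval that follows several denials or timeouts is the case worth routing to an analyst, because it is exactly the outcome the attacker is trying to provoke. Tuning the window and threshold to the organization's normal login cadence keeps the rule from firing on a user's own legitimate retries.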

 

Even with MFA and SSO in place, some companies also neglect basic password hygiene: they allow weak passwords, do not rotate them often enough, and do not enforce MFA for everything.

 

Finally, many companies still do not implement identity-based authentication that performs identity verification at login rather than solely trusting an authentication mechanism like a password, one-time PIN, etc.

 

In addition to implementing proper end-user training and hygiene guidelines mentioned above, here are three best practices companies should consider to protect SSO and MFA from account compromise.

 

Standards-Based Identity Proofing

The NIST SP 800-63-3 standard, published by the US government's National Institute of Standards and Technology, defines the criteria for enrolling an identity and using it securely. Following it lets users present their physical identity documents, such as a driver's license or passport, and have them verified with a high degree of security and accuracy.

 

By following the standard, users verify who they are without usernames or passwords. The key here is verified biometrics: the user's identity-proofed biometrics take the place of the password as a unique login, verifying that people are who they say they are and logging them in to their accounts.

 

FIDO2 Passwordless

Devised by the FIDO (Fast IDentity Online) Alliance, the FIDO2 standard lets users store their biometrics behind a cryptographically secured public-private key pair. The private key is stored in the Trusted Platform Module or Secure Enclave of the device and never leaves it. That key (what you have), combined with a biometric such as Touch ID, Face ID, or LiveID (what you are), provides the two factors needed to admit a user to an online service.

 

Identity-Based Authentication (IBA)

Two factors are critical for IBA to succeed. First, the biometric must be sophisticated and hard to spoof. A "live selfie" is essential: it uses liveness detection that checks depth of field and specific facial movements and looks for telltale signs of photo and video manipulation. Equally essential is a technology that provides application-specific authentication.

 

Second, the storage of biometrics, a high-value target for attackers, should be distributed and accessed only via a cryptographic private key. This eliminates the centralized "honeypots" of user Personally Identifiable Information (PII), and the centralized administrative access to them, that attackers so often target.

 

Phishing and social engineering attacks can circumvent even the most sophisticated MFA and SSO security controls because we cannot remove users from the equation. However, combining identity proofing, passwordless authentication, and identity-based authentication creates barriers that raise the bar beyond the capabilities or the amount of energy adversaries are willing to invest to bypass them.

Contributors
Michael Engle

Chief Strategy Officer, 1Kosmos
