Some of the biggest data breaches in recent memory evaded multi-factor authentication (MFA). Whether it was by attacking how MFA was configured, prompt-bombing users, or attacking sub-contractors, LAPSUS$ and state-sponsored agents found ways to attack weak points in the identity lifecycle, exfiltrate data, and reveal why MFA must be your first line of defense—but not your last.

I talked through each of these attacks during a recent webinar that you can watch on demand. In detailing the anatomy of the attacks, I tried to explain the methods and exploits that threat actors used.

Those explanations raised just as many questions as they answered. Attendees asked some great questions about the relative strengths of different authentication factors, zero trust, passwordless, and more. Here are some of the questions we couldn’t get to during the call and the answers that I would have shared if we didn’t run out of time:

Q: Would you agree with Microsoft that the Windows Hello PIN is more secure than a password for gaining access to your workstation?

A: This is a fascinating question that will be debated for many years to come. Passwords and PINs both fall into the authentication category of “something you know” and are therefore susceptible to phishing attacks. Compared to passwords, PINs are generally shorter in length and use a restricted character set. So from an entropic perspective, PINs are weaker than passwords—i.e., the greater the number of potential choices, the harder a password or PIN will be to brute force.

But that’s only part of the story. Unlike passwords, PINs (or at least PINs as defined by NIST SP800-63) are locally validated. This means that they are never transmitted or stored in a centralized repository. This makes PINs far less likely to be intercepted or stolen in a smash-and-grab attack.

As is often the case, environment, configuration, and user education tend to have a bigger impact on your overall cybersecurity posture than protocols or technologies.

Q: Can you provide a little more detail on offline authentication options to avoid the fail-open issue? Examples of architecture or product offerings?

A: A “fail open” system is one that defaults to open when standard operating controls are non-functional. While this is an important safety principle in physical security (e.g., in the event of a fire, all exterior doors should immediately unlock), it is not so great when protecting access to your critical assets.

In the NGO use case, attackers gained access to the asset by preventing the local system from communicating with the cloud-based MFA provider, effectively bypassing the MFA control. This was possible because the identity solution in place defaulted to a “fail open” security posture.

There are a few ways this could have been avoided without locking users out of the system. The first is to employ a hybrid authentication system that can fall back to a local (on-prem) node in the case of an Internet failure. The second is to employ an authentication system that can be validated offline. RSA ID Plus supports both options.
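To make the three postures concrete, here is an added example (my own illustration, not code from the post or from RSA ID Plus) of the decision logic an MFA gateway runs when its cloud verifier cannot be reached. It contrasts the “fail open” branch described above with “fail closed” and with the second option, an offline fallback that validates a TOTP code (RFC 6238, HMAC-SHA1, six digits) against a locally held seed standing in for the on-prem node. The `OutagePolicy` enum, the `CloudMfaUnavailable` exception and the simulated provider functions are constructed for this example; the seed is the RFC 6238 Appendix B test value.

```python
# Added example (not from the original post): outage handling in an MFA verifier.
import hashlib
import hmac
import struct
from enum import Enum


class OutagePolicy(Enum):
    FAIL_OPEN = "fail_open"            # control vanishes when the verifier is unreachable
    FAIL_CLOSED = "fail_closed"        # deny everything until the verifier is back
    LOCAL_FALLBACK = "local_fallback"  # validate offline against a local seed store


class CloudMfaUnavailable(Exception):
    """Constructed stand-in for a timeout, DNS failure or blocked egress."""


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(now // step), digits)


def verify_totp_local(secret: bytes, code: str, now: float,
                      step: int = 30, digits: int = 6, drift: int = 1) -> bool:
    """Offline validation against a local seed: accepts the current time step
    plus/minus `drift` steps for clock skew and compares in constant time."""
    if not (code.isdigit() and len(code) == digits):
        return False
    counter = int(now // step)
    return any(
        hmac.compare_digest(hotp(secret, c, digits), code)
        for c in range(counter - drift, counter + drift + 1)
    )


def verify_mfa(code: str, secret: bytes, policy: OutagePolicy,
               cloud_verify, now: float) -> bool:
    """Single decision point. `cloud_verify(code)` returns a bool or raises
    CloudMfaUnavailable. Only the outage branch differs between policies."""
    try:
        return cloud_verify(code)
    except CloudMfaUnavailable:
        if policy is OutagePolicy.FAIL_OPEN:
            # The NGO posture: a lost connection to the provider is
            # indistinguishable from a successful second factor.
            return True
        if policy is OutagePolicy.LOCAL_FALLBACK:
            return verify_totp_local(secret, code, now)
        return False  # FAIL_CLOSED: users are locked out, but so are attackers


def cloud_unreachable(code: str) -> bool:
    """Simulated provider outage (constructed)."""
    raise CloudMfaUnavailable("MFA provider unreachable")


def make_cloud_verifier(secret: bytes, now: float):
    """Simulated healthy provider that checks the same seed (constructed)."""
    return lambda code: verify_totp_local(secret, code, now)


# RFC 6238 Appendix B test seed; at T=59 the 6-digit SHA-1 TOTP is 287082.
RFC6238_SEED = b"12345678901234567890"
T = 59.0

if __name__ == "__main__":
    good, bad = totp(RFC6238_SEED, T), "000000"
    for policy in OutagePolicy:
        accepted_bad = verify_mfa(bad, RFC6238_SEED, policy, cloud_unreachable, T)
        accepted_good = verify_mfa(good, RFC6238_SEED, policy, cloud_unreachable, T)
        print(f"{policy.value:15s} during outage: wrong code -> {accepted_bad}, "
              f"valid code -> {accepted_good}")
```

Running it shows the asymmetry the post points at: under `FAIL_OPEN` a wrong code is accepted the moment the provider is unreachable, `FAIL_CLOSED` rejects everyone until connectivity returns, and `LOCAL_FALLBACK` keeps accepting only codes that match the locally held seed. Both the fail-closed and the fallback branches also give you a distinct event to log and alert on, which a fail-open design never does.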

Q: Which is the best IDP (Identity Provider) in your point of view?

A: If I answer anything other than ‘RSA ID Plus’, I’m pretty sure that I will lose my job.

But in all seriousness, there are several things that I would look for. First, does the vendor have a proven track record? Second, is Identity core to their business or just one of many things they do? Third, does the vendor prioritize convenience over security in making design decisions? Fourth, does the solution offer the flexibility to support a broad set of users and use cases, including those hairy legacy apps in the bowels of your datacenter? And finally, when things do go wrong (and they will) does the vendor own up with full transparency or do they obfuscate and blame shift?

Security isn’t easy and threat actors target identity more than any other part of the attack surface. Organizations need IDPs that understand that.

Q: How reliable are the current ZTNA solutions offered by security vendors?

A: Zero Trust Network Access (ZTNA) is a concept based on the principle that trust should never be assumed based solely on a user’s connection to the local intranet—users must be continuously authenticated, they must have permission to access a specific resource, and they must also have a valid reason for doing so.

While there are many “Zero Trust” products on the market today, it is important to note that ZTNA is a conceptual framework and a set of best practices. How you employ the technology, define your policies, and manage your ecosystem will determine your ZTNA posture. Technology can certainly help, but if any vendor tells you that their product will make you ZTNA compliant, go find somebody else.

If you’d like to learn more about Zero Trust, I recommend starting with the seven principles of Zero Trust defined in NIST SP800-207.

Q: Is passwordless based entirely on biometrics? What other methods can be used, and how is AI being used in authentication?

A: With options like Apple Face ID becoming nearly ubiquitous for mobile users, biometrics are definitely a popular form of passwordless authentication, but certainly not the only one. FIDO2 is an increasingly common choice for both consumer and enterprise use cases. Contactless methods like QR code, BLE, and NFC are also in use, though to a lesser extent. Increasingly, AI principles such as smart rules, machine learning, and behavioral analytics are being used to further augment identity confidence as invisible factors of authentication that introduce little or no end-user friction. RSA ID Plus supports all these options today.

Q: What is the future of Identity & Access Management?

A: I think these three attacks all demonstrate that “Identity & Access Management” is, if not an outdated term, then maybe an insufficient one.

These attacks underscore that we need to secure identities, not just manage them. For example, provisioning access is not enough: we should start by asking ‘does the user need access?’ If so, for how long? Have we provided them with too much access or just enough? How would we even know? In too many cases, I don’t think admins would know one way or another—or even how to find out.

Threat actors know that there’s more to identity than managing identity. The attacks that I reviewed demonstrate how cybercriminals attack the gaps that IAM doesn’t account for. I think organizations’ understanding of identity needs to expand to account for and secure the full identity lifecycle.

On a more technical level, I think AI will have a big role to play in processing the enormous amounts of authentication, entitlement, and usage data. Having an intelligent platform that can assess fine-grained data quickly and at scale can be a real asset in keeping organizations secure.

Q: How would you compare SecurID with YubiKey?

A: SecurID and YubiKey are each class-leading authenticators in their respective categories. And the good news—RSA ID Plus supports both (among many other authentication options).

Stepping back from vendor specifics, OTP and FIDO authenticators each have their unique benefits. While FIDO is growing in popularity as a secure and convenient option for web-based logins, software-based FIDO options still have limited versatility, hardware devices often require a physical connection, and true support for FIDO beyond the web browser is nearly non-existent. Meanwhile, OTP has the advantage of working just about anywhere—on hardware or on software—without any specialized client software or physical connection required.

When comparing OTP and FIDO, however, the best answer is usually an ‘AND’. Hybrid devices like the RSA DS100 authenticator combine the best of both worlds, offering OTP and FIDO2 in a single form factor to provide maximum flexibility and breadth of support.