News

Microsoft Adding Phishing Protections to Authenticator App

• By Kurt Mackie
• 10/14/2019

To help organizations defeat security breaches enabled by advanced attack techniques, Microsoft is working on adding anti-phishing capabilities to its Microsoft Authenticator app.

The effort to bolster the Microsoft Authenticator app was briefly mentioned by Alex Weinert, a member of the Microsoft Identity Division security team, at the end of this Oct. 3 blog post. In that post, Weinert described the general futility of most authenticator methods to protect against security breaches, particularly against "channel jacking" and "real-time phishing" attack methods.

"Put simply, ANY authenticator which doesn't cryptographically verify that the login server is who it says it is can be phished," Weinert stated.

Channel Jacking and Real-Time Phishing
Channel jacking involves a "takeover of the communication channel used for the authenticator." Typical communication channels that might get exploited in this way include using e-mail, text messages, push notifications and voice calls to verify a user's identity. They all are potentially subject to channel jacking, Weinert indicated.

Real-time phishing involves the "intercept-and-replay of authentication messages using a machine-in-the-middle" approach. It's carried out by "bringing the user to an attacker controlled 'machine in the middle,'" Weinert explained, adding that "tools like Modlishka are making it easy." 

The only credential types used for authentications that are not subject to channel jacking and real-time phishing attack methods involve the use of smartcards, the use of Microsoft's Windows Hello biometric security service and the use of FIDO-standard-based tokens, Weinert asserted.

Currently the Microsoft Authenticator app is subject to real-time phishing attacks, but not channel jacking. However, Microsoft is working on a "long-term authenticator strategy which hinges on channel independent, verifier impersonation resistant authenticators like Windows Hello and FIDO" for use with the Microsoft Authenticator app," Weinert explained.

It's not clear when such protections will be available in the Microsoft Authenticator app, though.

The phrase, "verifier impersonation resistance," is used in National Institute of Standards and Technology (NIST) document 800-63-3, and describes a goal for key exchanges during the authentication process. It involves using a private key that's "controlled by the claimant" alongside a public key that's "known to the verifier." This sort of verification approach is conceived as deterring man-the-middle impersonation methods.

Multifactor Authentication
Weinert also made a general plea for organizations to use multifactor authentication (MFA), where a secondary means besides a password is used to verify a user's identity. He claimed that MFA is more than 99 percent effective in protecting accounts. However, Microsoft is just seeing MFA used by less than 10 percent of its enterprise customers each month.

"Multi-factor Authentication (MFA) is the least you can do if you are at all serious about protecting your accounts," Weinert said. He urged organizations to "turn on MFA now."

While Weinert did cite a case where MFA failed to protect an account, the failure involved a human factor. The account was breached because a mobile operator's customer support personnel got "tricked into porting the target's SIM to an attacker-controlled phone," he explained.

Microsoft found "a huge increase in phishing mails" as a general trend in 2018, but it was unclear if real-time phishing methods were being used with them, Weinert indicated.

Last week, the Federal Bureau of Investigation published an article on how to ward off phishing and spearphishing attacks as part National Cybersecurity Awareness Month. The article is mostly geared toward increasing the awareness of end users, though.