Two-Factor Authentication: A Crucial Layer, But Not a Silver Bullet

Relying solely on 2FA leaves your valuable data vulnerable to increasingly sophisticated cyberattacks. SaaS Gatekeeper from AppStrict enables IP address restriction and fortifies security by checking device authorization, security posture, identity, and location.

AUTHENTICATION

a person holding a phone

In today's digital landscape, protecting access to critical business applications like Salesforce and Workday, which house sensitive data like customer and employee information, is paramount. While Two-Factor Authentication (2FA) has become a widely adopted security measure, it's important to understand that it's not an impregnable shield. Relying solely on 2FA leaves your valuable data vulnerable to increasingly sophisticated cyberattacks.

2FA adds an extra layer of security by requiring a second verification step beyond a username and password. This could be a code sent via SMS, a push notification on your phone, or a security key. However, the strength of that second step depends on how the factor is delivered and what it is bound to: a code that arrives by SMS can be read by anything else on the phone that can read SMS, and a code typed into a page can be typed into the wrong page. Recent attacks have exploited exactly these limitations.

Evolving Threats: Bypassing 2FA

Cybercriminals are constantly innovating and developing techniques to bypass traditional security measures. A recent report by The Hacker News exposed a campaign in which over 100,000 malicious Android apps were deployed with the sole purpose of stealing one-time passcodes (OTPs) generated for 2FA. Victims have been detected in 113 countries, with India and Russia topping the list, followed by Brazil, Mexico, the U.S., Ukraine, Spain, and Turkey. The attack starts when a victim is tricked into installing a malicious app, either through deceptive ads mimicking Google Play Store listings or through any of the 2,600 Telegram bots that serve as the distribution channel by masquerading as legitimate services (e.g., Microsoft Word). Once installed, the app requests permission to read incoming SMS messages and then contacts one of 13 command-and-control (C2) servers to transmit the stolen messages, OTPs included. The lesson for defenders is that an SMS OTP is only as secret as the device it lands on: nothing ties the code to the login it was issued for, so whoever can read the message can use it.

Another concerning trend is attackers' ability to bypass authentication altogether. In July 2024, an authentication weakness in Google Workspace exposed thousands of accounts. It is a stark reminder that even established platforms with robust security measures are not foolproof. As reported by TechRadar, Google's cloud-based productivity platform had an authentication weakness that allowed hackers to impersonate other companies and log into third-party services, experts have warned. "The tactic here was to create a specifically-constructed request by a bad actor to circumvent email verification during the signup process," Anu Yamunan, director of abuse and safety protections at Google Workspace, told Krebs.

“The vector here is that they would use one email address to try to sign in and a completely different email address to verify a token. Once they were email verified, in some cases, we have seen them access third-party services using Google single sign-on.”

A Multi-Layered Defense

So, what can businesses do to secure their critical applications further? Here are some recommendations:

  • Use Phishing-Resistant Factors: 2FA is simply MFA with two factors, so the distinction that matters is not how many factors are checked but what kind. An SMS or app-generated one-time code is a secret the user can be tricked into entering on the wrong site or, as the Android campaign above shows, that malware can read straight off the device. A FIDO2/WebAuthn security key or a platform biometric (fingerprint or facial recognition unlocking a device-bound key) instead signs a challenge tied to the site's origin, and the private key never leaves the device, so there is no code to steal or relay.

  • Enforce Strong Password Policies: Encourage using complex, unique passwords for each application. Consider implementing password managers to help users create and store strong passwords securely.

  • Minimize the Attack Surface:

    • IP Address Restrictions: To reduce the potential entry points for unauthorized access, limit logins to SaaS applications to specific IP addresses, such as the egress addresses of the company network or VPN. This requires the application to support login IP restrictions and users to have a stable, known egress; note that an allowlisted address says where a login comes from, not who is behind it, so it complements rather than replaces the other controls.

    • Device Verification: Implement device identity verification, typically a client certificate issued only to managed devices, to ensure that only approved devices can access sensitive applications. This blocks access even when both the password and the one-time code have been compromised, because the attacker does not hold the device's key.

Minimize Attack Surface with SaaS Gatekeeper

AppStrict's SaaS Gatekeeper fully managed service minimizes your SaaS applications' attack surface by adding multiple layers of access control beyond MFA. The service requires access to SaaS applications to go through its VPN and gives each customer dedicated static egress IP addresses to allowlist in their SaaS applications. This drastically reduces the attack surface from the billions of IP addresses that can attempt logins to only a handful of AppStrict's IP addresses. In addition, only authorized devices can connect to the VPN, because the VPN authenticates the device with a digital certificate rather than only the user. Additional security controls, such as checks on the device's location and the security hygiene of the device, can also be added.