Text message verification flaws in your Windows Active Directory

Specops text messaging

Microsoft has long recommended that customers enable multifactor authentication (MFA) as a way of better protecting Active Directory and Azure AD accounts.

Without MFA, anyone with access to a valid username and password could log into a user’s account. MFA adds at least one additional requirement so that a password alone is not enough to gain access to the user’s account.

Text message identity verification

MFA comes in many different forms, but one of the most common MFA techniques involves texting a one-time use code to a user’s smartphone and then requiring the user to enter that code as a part of the authentication process.

While the use of text messaging goes a long way toward protecting an organization against cyber criminals who attempt to use stolen passwords as a way of gaining access to accounts, text messaging-based MFA has vulnerabilities of its own.

These vulnerabilities stem from the general lack of security associated with text messaging, as evidenced by the recent Twillo hack. This hack occurred when several Twillo employees responded to fraudulent text messages directing them to fake Websites where they were asked to reset their passwords. The result was that those employees’ accounts were compromised.

The bigger problem caused by the Twillo hack was that the encrypted messaging provider Signal uses Twillo’s services for phone number verification. The result was that 1900 Signal user’s accounts were compromised.

While the attackers were unable to gain access to any of those user’s previous Signal communications, there was at least one incident in which a Signal user’s account was re-registered to a different device.

Risk of text message use in multi-factor authentication

The Twillo hack and subsequent attacks against 130 other Twillo customers illustrates some of the dangers associated with malicious text messages. When it comes to MFA however, there are some additional dangers that organizations must consider.

The problem with using text messaging as an MFA mechanism is that it assumes that only the recipient has access to the physical device to which the authentication code is being sent. While the most obvious problem with this assumption is that devices are stollen all the time, a device lock code could conceivably prevent a thief from gaining access to the owner’s text messages.

The bigger problem, however, is that an attacker could use malware or even SIM swapping as a way of redirecting text messages to another device.

Imagine for a moment that an attacker has managed to infect a user’s mobile device with malware and that this malware has revealed the user’s Active Directory username and password to the attacker.

In this case, let’s also assume that the malware is forwarding a copy of all the user’s text messages to the attacker’s device. This would mean that the attacker could initiate the login process using the stolen credentials.

At this point, the Active Directory environment would send a one-time use code to the user’s mobile device. Because the attacker also receives the code, however, they would have everything needed in order to log in as the user.

Putting the “multi” in multi-factor to work

Despite the vulnerabilities associated with text messages, MFA remains an essential tool for keeping accounts secure.

However, organizations must look for ways to work around the vulnerabilities associated with test-based MFA by upgrading from 2FA (two-factor authentication, I.e., credentials and a text message) to multi-factor authentication of two or more verification methods.

Specops does an excellent job of this in its Secure Service Desk product. When a user contacts the service desk requesting a password reset, the user is required to use MFA to prove their identity.

In fact, the technician who is helping the user is physically unable to reset the user’s password until the user’s identity has been positively identified (which protects the organization against one of the most common forms of credential theft).

Although Specops Secure Service Desk does support the use of a code that is sent to the user’s device by way of SMS text message, there are other verification methods that can be used in place of or in conjunction with this code.

For example, an organization might use Duo Security, Okta, PingID, biometrics, or Symantec VIP as an additional authentication service.

Backend view of the verification stage of a helpdesk query in Specops Secure Service Desk.
This example uses Duo Mobile, SMS, and Windows Identity options for verification.

Defaulting to a “robot” (or software, in this case) as opposed to the end-user verification relying on a helpdesk employee takes the human-error element out of the end-user verification process.

Plus, combining text-based verification with additional options makes MFA truly “multi” factor—which mitigates the risk of potential text-hacking threats with a secondary line of defense.

You can test out Specops Secure Service Desk in your own Active Directory with a free trial, anytime.

Sponsored and written by Specops