Sep 23, 2022 - Technology

Uber hack challenges popular login security practices


Cybercriminals' aggressive targeting of smartphones is weakening the crux of many organizations' security procedures: text-based, multifactor authentication (MFA).

The big picture: Experts have long warned that authentication protocols that rely only on sending a code to someone's phone to confirm their identity are easily manipulated.

Driving the news: Uber said earlier this week that its recent security incident was the result of a so-called "MFA fatigue" attack, where hackers spam someone with authentication requests on their phone until they accept one.

  • MFA-fatigue attacks also led to major breaches at Okta and Cisco this year.

How it works: MFA is a process that requires people to provide a second form of identification besides a password. A popular example is having a code texted to your phone.

  • In a survey last year from S&P Global, commissioned by security tool provider Yubico, 41% of respondents said their company's IT staff and network administrators used text messages for MFA.
  • Hackers can steal MFA codes by taking over people's phones in SIM-swapping attacks or by sending phishing emails that direct people to fake login pages that collect their one-time codes.
  • Cybercriminals can even game app-based authenticators, such as Google Authenticator, says Josh Yavor, chief information security officer at Tessian.

Why it matters: Phishing texts are becoming more and more believable as hackers start to invest more time in targeting people's phones.

  • And there's little to nothing that can be done to stop hackers from targeting phones and getting better at persuading victims to give in to demands, says Angel Grant, vice president of security at F5.

Between the lines: In the absence of a good solution to stop phishing and spam texts, security experts have been pushing organizations to pursue more device-specific solutions.

  • One old-school idea is to issue all employees YubiKeys, which are essentially USB devices that users tap to their device to verify their identity. However, physical devices are easily lost and cumbersome for employees.
  • Another popular idea is transitioning to devices that enable FIDO Alliance industry standards, an encryption model that requires users to log in from a specific device to verify identities.

Yes, but: It can be challenging for companies to implement an entirely new login protocol — especially if they work with legacy software or built internal applications themselves.

  • Upgrading legacy software is often impossible, and company-built applications might have been developed by external contractors.

The intrigue: A middle ground still exists for companies that can't make the investment in physical device authentication.

  • Push notifications sent through apps from Google, Microsoft and others are relatively easy to transition to if an organization already uses business products from those companies.
  • Organizations can also focus on strengthening their internal controls to limit what information is available to employees, so hackers can't have a free-for-all if they gain access.
