Why whitelisting MFA from your IP address is a poor security practice.
Introduction:
Multi-Factor Authentication (MFA) was designed to offer a higher level of security than passwords alone. However, like many security safeguards, the addition of one safeguard is often followed by the expectation, by both users and management that something will become easier in exchange. This quid-pro-quo relationship often leads administrators to whitelist IP Addresses, such as the main office, users' homes, and even whitelist certain users from having to use MFA while logging in altogether.
Why it's a bad idea.
Sometimes a business has legacy systems which don't support MFA. In order to allow those systems to remain connected, it may be necessary to create a whitelist. In these situations, it's often possible to isolate those systems so that they have their own dedicated IP address in order to minimize the exposure and make the relevant log events easier to isolate.
Conclusion:
If you have spent time deploying a security solution or are paying a license to utilize it. Get the most out of that solution by not disabling or bypassing any of its features unless you absolutely must. Your users will not thank you; your management will question you; but those who will be the most upset by your actions will be the attackers you were trying to thwart in the first place.
Multi-Factor Authentication (MFA) was designed to offer a higher level of security than passwords alone. However, like many security safeguards, the addition of one safeguard is often followed by the expectation, by both users and management that something will become easier in exchange. This quid-pro-quo relationship often leads administrators to whitelist IP Addresses, such as the main office, users' homes, and even whitelist certain users from having to use MFA while logging in altogether.
Why it's a bad idea.
- Removal of a critical layer of defense and early warning if an attack comes from a whitelisted IP. Removing a working layer of your security defenses, even selectively increases your risk accordingly.
- Since this "bypass" is commonly employed by administrators, attackers are already on the hunt for it.
- What about "Smart MFA" or "Adaptive MFA" – Smart MFA, or similar marketing terms are used to describe MFA that "learns" your user's normal patterns and analyzes the risk of a login event. Unfortunately – this analysis weighs location as one of the biggest variables. If a user logs in from his/her home every day, especially if at about the same time, that MFA will be bypassed. This sounds secure because an attacker trying to sign in from another country, state or even a different PC may trigger the MFA when trying to sign in. However, modern malware uses more than keyloggers to exfiltrate data. Modern malware often uses screenshots to give an attacker a better understanding of the "normal workflow" before they launch their attack. Most malware families also bundle of a form of RAT (Remote Access Trojan) or a way for the attacker to connect to the machine without user interaction. A RAT would allow an attacker to access the protected online accounts, without an MFA prompts, and never trigger any suspicious alerts.
- Layers, Layers and more Layers – security is all about layers. You've heard it before, but how true is it? What used to be called layered security is now referred to more aptly as "Defense in Depth". This term describes the concept more accurately because not all layers are created equal and layers may provide a false sense of security. Having more layers does not automatically make you more secure. Unless each layer provides an appropriate degree of protection and early warning than it doesn't fulfill its mission. During security assessments we often find that only one or two layers of a security policy are effective in deterring attackers. So, what about the other layers? Unfortunately, they mostly serve to aggravate end users and use up your security budget. Layered security works well only when each layer is specifically tailored to the business and their applicable risk. Each layer should work to support the other layers, as well as to provide a failsafe if the other layer is compromised. For example, strong passwords and MFA are often considered to be competing security measures by users, who have heard the term "passwordless authentication" and want in. However, they are complements of one another, if a strong password is captured by attackers, MFA provides an early warning and a safety net. Similarly, if the MFA factor is lost, such as a Yubikey or RSA token, a strong password provides protection for the accounts while the key is disabled.
Sometimes a business has legacy systems which don't support MFA. In order to allow those systems to remain connected, it may be necessary to create a whitelist. In these situations, it's often possible to isolate those systems so that they have their own dedicated IP address in order to minimize the exposure and make the relevant log events easier to isolate.
Conclusion:
If you have spent time deploying a security solution or are paying a license to utilize it. Get the most out of that solution by not disabling or bypassing any of its features unless you absolutely must. Your users will not thank you; your management will question you; but those who will be the most upset by your actions will be the attackers you were trying to thwart in the first place.
