THE PROBLEM WITH MFA

In response to Dan Goodin’s thoughtful article “Lapsus$ and SolarWinds hackers both use the same old trick to bypass MFA”, originally published by Ars Technica and later posted in Wired, we’d like to discuss the Xiid approach to authentication and how it overcomes the problems associated with MFA.

Mr. Goodin’s assessment of MFA implementations is spot on. MFAs that use biometric factors, à la FIDO2, are superior to other MFA methods. Unfortunately, all MFA implementations, including those using FIDO2, put usernames in the open. This makes MFA a “pseudo-Zero Trust solution”.

As our CTO and former ethical hacker, Federico Simonetti (aka DDT), says, “Talented hackers only need your username and 48 hours to dig up an enormous amount of potentially sensitive information about you. And it’s not that difficult.”

While we agree with the author that MFA using a biometric factor (e.g., FIDO2) is the best form of MFA, we can’t agree with the statement that “any form of MFA is better than no use of MFA.” What’s superior to even the best form of MFA is an authentication method that overcomes the problems of MFA by completely removing the reliance on usernames for authentication.

Eliminating the use of credentials entirely yields true Zero Trust. 

The Xiid® One-Time Code (XOTC™) authentication is credential-less and does just that. It is a fundamental part of the Zero Knowledge Network (ZKN) architecture.

XOTC authentication employs zero-knowledge proofs working in conjunction with other components of the ZKN architecture, such that the Xiid codes used to authenticate a user do not include a username, password, or other factor associated with the user. What’s more, even if the code from one authentication event were somehow intercepted, each subsequent authentication code is 100% different from the previous ones. This makes each authentication event unique, leaving no opportunity for replay or predictive attacks.
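The replay-resistance property described above (every authentication event produces a different code, and a captured code is worthless afterwards) can be illustrated with a generic challenge-response verifier. The following is an added example written for this post; it is not Xiid’s code and does not implement XOTC or a zero-knowledge proof. It substitutes an HMAC over a server-issued random challenge for the proof, keys the verifier on an opaque device identifier instead of a username, and records consumed challenges so a replayed response is rejected. The class and function names are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed example: HMAC challenge-response standing in for the
# zero-knowledge exchange the post describes. Not Xiid's implementation.


class ChallengeVerifier:
    """Verifier side. Enrolled keys are indexed by an opaque device id that
    is generated at enrollment, so no username crosses the wire."""

    def __init__(self):
        self._keys = {}        # device_id -> shared secret (assumed provisioned at enrollment)
        self._pending = {}     # outstanding challenge -> device_id
        self._consumed = set() # challenges already used (production: bounded, expiring store)

    def enroll(self, key: bytes) -> str:
        device_id = secrets.token_hex(8)
        self._keys[device_id] = key
        return device_id

    def issue_challenge(self, device_id: str) -> bytes:
        # Fresh 256-bit random challenge per authentication event, so the
        # expected response is different every time.
        challenge = secrets.token_bytes(32)
        self._pending[challenge] = device_id
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # Reject anything already consumed (replay) or never issued (forgery).
        if challenge in self._consumed:
            return False
        device_id = self._pending.pop(challenge, None)
        if device_id is None:
            return False
        self._consumed.add(challenge)
        expected = hmac.new(self._keys[device_id], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(key: bytes, challenge: bytes) -> bytes:
    """Authenticator side: proves possession of the key for this challenge only."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def demo() -> dict:
    """Runs two authentication events and one replay attempt; returns the outcomes."""
    verifier = ChallengeVerifier()
    key = secrets.token_bytes(32)           # constructed device secret
    device_id = verifier.enroll(key)

    c1 = verifier.issue_challenge(device_id)
    r1 = client_respond(key, c1)
    first_ok = verifier.verify(c1, r1)      # genuine event: accepted
    replay_ok = verifier.verify(c1, r1)     # same code presented again: rejected

    c2 = verifier.issue_challenge(device_id)
    r2 = client_respond(key, c2)
    cross_ok = verifier.verify(c2, r1)      # old response against new challenge: rejected
    c3 = verifier.issue_challenge(device_id)
    r3 = client_respond(key, c3)
    second_ok = verifier.verify(c3, r3)     # fresh event: accepted

    return {
        "first_ok": first_ok,
        "replay_rejected": not replay_ok,
        "cross_rejected": not cross_ok,
        "second_ok": second_ok,
        "codes_differ": r1 != r2 != r3,
    }


if __name__ == "__main__":
    print(demo())
```

Note that the verifier in this sketch still needs some identifier to select the right key; the point of the illustration is that the identifier is an opaque, per-enrollment value rather than a reusable username, and that nothing sent during one event helps an attacker in the next.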

That means there is no opportunity for “prompt bombing” as with MFA and certainly no tricking IT into resetting the MFA or enrolling a new device. 

Xiid is delivering a new framework and platform for preventative secure identity and data access management. Part of ZKN includes FIDO2-based MFA because its use is required in many domains. However, enterprises that want to dramatically increase their security levels leave legacy MFA behind and use XOTC authentication.
