Recent reports indicate a troubling rise in adversary-in-the-middle attacks, which have become both more sophisticated and more common. In 2022 alone, a single group carried out a series of attacks that compromised over 10,000 credentials from 137 organizations. Notably, the campaign led to a security breach at Twilio, a well-known authentication provider.
Among the organizations targeted was Cloudflare, a content delivery network, which successfully fended off the attack without falling victim. This resilience is attributed to Cloudflare’s implementation of multi-factor authentication (MFA) that leverages WebAuthn technology. WebAuthn is a key standard that facilitates the use of passkeys, making systems utilizing it significantly more resistant—if not entirely impervious—to adversary-in-the-middle attacks.
One fundamental property of WebAuthn is that each credential is cryptographically bound to the origin (the domain) of the site it was registered with. For instance, a credential created for a Google account will only work on that domain. Consequently, any attempt to use that credential on a different site, such as a phishing page, will fail every time.
WebAuthn adds a second safeguard: the authentication ceremony must take place on, or in physical proximity to, the device the user is signing in from. Because the credential is cryptographically bound to the victim's device in this way, an adversary cannot take a hijacked credential and use it to log in from a different machine.
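To make the origin binding described above concrete, the following is an added illustration (not code from the article or from any WebAuthn library) of the checks a relying party performs on a login assertion: the browser records the origin it is actually running on inside clientDataJSON, the authenticator hashes the RP ID into authenticatorData, and both values are covered by the signature. The relying party `example.com`, the phishing origin `example-login.test` and the fixed challenge are constructed values, and the final signature verification step is left out so the example runs with the standard library alone.

```python
import base64
import hashlib
import json

# Assumed relying party (hypothetical values, not from the article).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_client_data(origin: str, challenge: bytes) -> bytes:
    # clientDataJSON: the browser records the origin it is really running on;
    # neither page JavaScript nor a proxy in front of the site can choose it.
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

def authenticator_data(rp_id: str) -> bytes:
    # authData = SHA-256(rpId) || flags (UP bit set) || 4-byte signature counter
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")

def signed_message(auth_data: bytes, client_data: bytes) -> bytes:
    # The authenticator signs authData || SHA-256(clientDataJSON), so the origin
    # inside clientDataJSON cannot be rewritten without invalidating the signature.
    return auth_data + hashlib.sha256(client_data).digest()

def verify_assertion(client_data: bytes, auth_data: bytes, challenge: bytes):
    """Relying-party checks that precede signature verification (omitted here)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {cd.get('origin')} not allowed"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"

def login_attempt(origin: str, rp_id: str, challenge: bytes):
    # The victim's browser answers the real site's challenge while visiting
    # `origin`; a relaying proxy can forward the challenge but not alter the result.
    return verify_assertion(browser_client_data(origin, challenge),
                            authenticator_data(rp_id), challenge)

CHALLENGE = b"\x11" * 32  # constructed; a real relying party uses fresh random bytes
print(login_attempt(EXPECTED_ORIGIN, RP_ID, CHALLENGE))
print(login_attempt("https://example-login.test", "example-login.test", CHALLENGE))
```

The second call fails on the origin check even though the challenge was relayed from the real site, which is the property that defeats a proxy-in-the-middle.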
Phishing remains one of the hardest security problems facing organizations, their workforce, and end users alike. Traditional MFA methods, such as one-time passwords or standard push notifications, raise the bar for attackers, but the growing sophistication and prevalence of proxy-based adversary-in-the-middle attacks are steadily eroding their effectiveness. Phishing-resistant authentication methods are therefore essential.
WebAuthn supports several forms of MFA; a common one is a passkey stored on a smartphone, a computer, or a hardware security token such as a YubiKey. Thousands of websites have adopted WebAuthn, and enrolling in this form of MFA is straightforward for users. It is worth noting that the earlier U2F standard also defeats adversary-in-the-middle attacks, but WebAuthn offers greater flexibility and additional security features.
Mapped to the MITRE ATT&CK matrix, the tactics and techniques seen in these ongoing attacks include initial access through phishing campaigns and persistence through stolen credentials. As adversary tradecraft continues to evolve, organizations must remain vigilant and adopt more robust authentication to protect their digital assets against increasingly sophisticated threats.