EP122 – If MFA Stops 99% of Attacks… Why Are Companies Still Being Breached – with Al Lakhani

In this episode, Adam and Daniel welcome Al Lakhani, a cybersecurity expert, to discuss the MFA 2.0 technology. Al explains how traditional MFA (multi-factor authentication) methods, known as MFA 1.0, are vulnerable to credential phishing attacks, highlighting recent breaches by the Shiny Hunters group. He introduces MFA 2.0, which uses public key cryptography to eliminate passwords and tie identity verification to the user’s devices, so that a credential captured on a phishing page cannot be replayed from any other device. The conversation covers the limitations of current MFA methods, the advantages of MFA 2.0, and the importance of moving from detection to prevention in cybersecurity. Al also discusses the educational challenges in the industry and the potential for MFA 2.0 to simplify IT departments’ roles by eliminating credential management issues. Despite the complexity and market resistance, Al believes MFA 2.0 offers a transformative approach to cybersecurity. The episode wraps up with a call to action for MSPs interested in trialling MFA 2.0 and ensuring robust security for their clients.

00:00 Introduction and Greetings

00:25 The Problem with MFA 1.0

01:19 Introducing MFA 2.0

03:47 How MFA 2.0 Works

07:54 Challenges and Solutions

14:35 Market Adoption and Competitors

26:54 Conclusion and Next Steps

Listen on Spotify or Apple Podcasts

Connect with Al Lakhani on LinkedIn by clicking here – https://www.linkedin.com/in/getidee/

Connect with Daniel Welling on LinkedIn by clicking here – https://www.linkedin.com/in/danielwelling/

Connect with Adam Morris on LinkedIn by clicking here – https://www.linkedin.com/in/adamcmorris/

Visit The MSP Finance Team website, simply click here – https://www.mspfinanceteam.com/

MSP Glossary: MSP Finance Glossary Explained | MSP Finance Team

We look forward to catching up with you on the next one. Stay tuned!

Transcript

Dan: Al, welcome to the show.

Al: Thank you. Good evening. to meet you guys.

Dan: Good morning, good evening and goodnight. You are, you’re currently in Munich, I believe.

Al: That’s correct, Germany.

Dan: You’re an hour ahead. So, so yes, great to have you with us today. And it was really interesting to meet you and some of your colleagues at the recent Brigantia partner day in New York. And we arranged this following that meeting, really to satisfy my interest in what you were doing with MFA 2.0 more.

Al: Sure. So, you know, we created MFA 2.0 because current MFA, call it MFA 1.0, doesn’t seem to stop any credential phishing attacks. I think you probably have heard it in the news over the last 30 days: there have been 30 major breaches, this group called Shiny Hunters, all Salesforce. So these attackers are very lazy.

It’s like, we are just gonna attach to Salesforce. So they’ve now done this for about 30 companies, and all of these companies have this old version of MFA. What we decided to do was to create the next generation of MFA a few years ago. We are trying to educate the market and thinking, look, there is the old version that doesn’t protect you, but the new version will, and it’ll prevent all these attacks. That’s why I think we met when I was at the Brigantia partner event a few weeks ago. So we are in this, convincing people that MFA 2.0 is what they need.

Dan: And MFA 1.0, forgive my ignorance, but this is Microsoft Authenticator, and other authenticator apps are available. So, so what’s the problem? Why are they so easy to breach?

Al: That’s a great question. So if you think about all MFA solutions today, all the legacy ones, you need a second device, a smartphone, right? You have to type in the six-digit code from your Microsoft Authenticator or Google Authenticator app, or you receive an SMS or you receive a push. The fundamental problem is that that phone doesn’t know it is next to your PC, so that is how attackers get between your PC and your phone. And so you are thinking you’re approving something, but you’re doing it on the wrong side. And that is the problem with MFA 1.0.

Dan: And this would be session hijacking, is that correct?

Al: Correct. So what ends up happening is you receive a phishing email. It looks legit. We in fact purchased a Microsoft online.com domain where instead of online, the L is replaced with a one. So it looks pretty legit. And you know how users are, they’re tired, they’re in a rush, they’re hangry. They click on links, and then they just type in their passwords and approve their push. And that’s how these attackers steal the credentials, steal the session tokens, and then they can log in without ever authenticating. And they can add other authenticators. So they take over the account, add a new YubiKey to it, take over the account, add a new Microsoft Authenticator to it, and they have full access.

Dan: Right, and presumably then MFA 2.0 somehow resolves that.

Al: Absolutely. And actually, I love to say I’m not sending rockets to Mars. We have done something very simple. What we have done is we have said, rather than use passwords, let us use something that was actually invented by three British cryptographers. It’s called public key cryptography.

It was actually invented in 1972 at GCHQ, because at the height of the Cold War, the UK and the US wanted to communicate with their spies around the world, and they wanted to make sure that this communication was secure. And so they created this public key cryptography, where the two sides don’t have to meet to be able to exchange confidential information. And so we use this technique and got rid of passwords. And then this technique, what it allows you to do is it allows you to tie your identity to a device. So that’s why I say we are not sending rockets to Mars. We are just saying that, for example, Dan, you have three devices, the identity is tied to those three devices, which means on all other devices, if Dan tries to log in, it can’t be Dan.

Al: So we have kind of just flipped it, and that prevents all credential phishing and MFA bypass attacks.

Dan: And presumably also, not that it wouldn’t totally remove it, but what about things like conditional access, sort of based on geographic boundaries? If I’ve got my device with me, I can log in anywhere in the world, right? I don’t need

Al: Correct.

Dan: conditional access for that purpose anymore for.

Al: Absolutely. And this is what Adam and I were talking about before you joined. You know, if you think about it, it started with passwords. And passwords were never meant to be a security feature. They were meant to do timesharing at MIT back in the sixties, when you had the punch cards. And so we put on so many Band-Aids, and I think conditional access is an excellent Band-Aid. And the companies that do this, I’ll pick on Microsoft. There are several companies that do this, not just Microsoft, but I’ll pick on Microsoft. They do it because they’re like, I don’t trust that this authentication is legit. So now I’m gonna limit it by IP address, by geography, by what device you’re using. Behavioural. Some companies also do this behaviour, how you are typing and things like that. And the way we look at it is, well, if I know your identity cannot be stolen, cannot be extracted from these three devices, and these devices are trusted, set up using zero trust methodology, then I don’t have to worry about all the other billions of devices in the world.

They’re all wrong automatically. And so conditional access, I think, is a Band-Aid. And plus, not to mention, the user experience is horrible. Like you’re about to log in and then it says, Nope, sorry, we have sent another push to your phone. Please approve. Or, you know, please reach out to your admin. Your account is blocked.

Dan: Mm-hmm.

Al: These are, I mean, from a user’s perspective, the UX is horrible.

Dan: Yeah.

Al: That’s what we’re fixing.

Dan: And, yeah, I have been on a trip before and realized I couldn’t actually log in, and thankfully I had a backdoor method. But, yeah, otherwise I’d have locked myself out, or would’ve done for that trip. And okay, so, so that sounds great, but what happens if someone takes my device? We are back

Al: So,

Dan: we’re back to that risk now, aren’t we? Yeah.

Al: So if somebody steals your device, they still need to know how to unlock it.

Dan: Okay.

Al: I’m sure you’re familiar with, you know, for iPhone or Android or whatever, you have this setup where, after the first three wrong tries, you have to wait for five minutes, and after the fourth, 15 minutes, and after 10, it wipes the device. So first of all, unlike passwords, there is a limit to how many times you can be wrong.

Dan: Mm-hmm.

Al: But with the password, you can be wrong as many times as you want, depending on what you’re using. The second thing is, if I steal your password right now, you have no idea it’s stolen. But if I steal your device, you’ll be like, wait, where’s my phone? Then you can deactivate it. So

Dan: Right.

Al: the way to think of this is the vast majority, like 99.999% of all attacks in the world, they are executed remotely. And obviously if you’ve pissed off the, I don’t know, Russian Mafia, they want to fly to you and steal your laptop. Well, I think they’ll just put a gun to your head and you’ll unlock it. So, you know, we don’t solve that attack vector. If somebody’s really pissed off at you, wants to get on a plane and fly to Bath and ask you to unlock, then sorry, we can’t help you. But any remote attack, we stop.

Dan: Yep. And by the way, conditional access wouldn’t help you there either, because you’d be in Bath, so that would be allowed. And, yeah. Okay. Right. And I guess with all of these tactics and techniques, they all have situations where they can be bypassed, but it’s about minimizing the probability, more than the possibility, to such a minimal level that actually it’s unlikely. And, okay. So that sounds really interesting. So

Al: Can I add one thing?

Dan: Please.

Al: The reason why these attacks are successful is because businesses rely on phishable factors. So you’re registering, you have to use an SMS to set up your device. Well, that’s phishable. If you’re adding another device, you receive a push to approve. Well, that’s phishable. If you’re using a password from a password manager, that is phishable. So what we have done is two things. We have said we will not use any phishable factors in our registration, authentication, authorization, or adding-a-device flows. It just will not happen. There is no ability for anybody to do that. And then the second thing we do is we use what’s called transitive trust, which is a zero trust concept. So the chain of trust is never broken. And with those two things, you are able to create what we call phishing proof. I’m sure you’ve heard of phishing resistant. So we are the only ones that use the term phishing proof, because we have customers that tell us, for the last three years that they’ve been using us, they have never been phished. And that is because our architecture is such that we prevent all credential phishing attacks, password-based attacks and all MFA bypass attacks, and we have no AI in our company. We don’t use AI, we don’t do detection. We focus on prevention.

Dan: Okay. And presumably then, we get onto the commercials in a moment, but if I can’t be phished, then I don’t need security awareness training now. Mm-hmm.

Al: I mean, who doesn’t like good compliance training? I mean, if you step back, I joke about this all the time. You know, the antivirus industry was created because Microsoft said, I’m gonna create a crappy OS. If you think about authentication, like to scan emails, well, you scan emails so they don’t get phishing links sent to you. Right? Well, if you can’t steal your credentials, then do you need to scan emails that are for credential phishing? Conditional access. I mean, Microsoft and many companies do a great job of saying, I’ll give you the basic, but if you want conditional access, you need a P2 plan, you need Intune Suite.

You need Entra Suite. So I think there’s a conspiracy in the industry, especially if you go to InfoSec, right? Everybody wants all these bells and whistles to make you feel safe, because we are not solving the core fundamental problem. There are only three ways you can attack a company: credentials, exploit a vulnerability, have a backdoor. Backdoor is easy: don’t use products from untrusted sources. So you’re left with two. Did you know that 90% of all the time IT departments, MSPs, spend is on credentials: resetting passwords, setting up MFA, I got a new phone, I got to transfer the MFA, all of those things. 98% of all attacks are credential phishing attacks.

So imagine if you took that away; your IT team could spend its time on vulnerability fixing, which is patch management and mitigation of zero-day vulnerabilities. Like, imagine how much simpler the IT department’s job would be, and what would InfoSec look like.

Dan: And sometimes when it’s that transformational, it’s then the turkeys voting for Christmas. But if we’re freeing time to do better things more thoroughly, absolutely, there’s a good story to tell there. So I guess that then leads me to my next question, which is, why is everyone not doing this already?

What resistance are you finding going out to the market? What’s your experience been?

Al: So I think it’s education. I will pick on Microsoft again, because they mentioned this two years ago, and then four years ago they said this again. It’s like, you know, if you have MFA, it prevents 99% of attacks, and that is just not true. The study that they did was, it prevents 99% of attacks when those attacks previously were password-based attacks. So adding MFA stops the password-based attacks, which is true. And, you know, MFA version 1.0, the push, the Q, you know, OTP, SMS, it was built, it was created to prevent password-based attacks. So that is completely true, but I think what people have read is, well, it protected 99% of the attacks, I’ll deploy MFA, and then I’m safe. And I don’t know if you got a chance to see it at the CHE event, on stage I did an MFA bypass attack on Microsoft Authenticator. So, and I’ve been doing this attack every year at InfoSec for the last three years. And two years ago I was right next to the Microsoft booth. And by the way, I pick on Microsoft.

But this is a problem with Okta, with Google Authenticator, with Duo, all of them. The fundamental problem: if this device doesn’t talk locally to your PC, there is some adversary-in-the-middle attack possible. That’s, I think, the simple point, which is, if you think about the industry, there is a lot of misinformation in it. And so what we are doing is we are saying, and this is also the reason why we work with Brigantia and with our channel-first company, because this kind of education has to be done en masse. You can’t do it a company at a time. And, but when we pitch, or our partners pitch, of the companies go for a POC, which is a ridiculously high conversion number. And I think it is changing. It’s slowly changing, and it will change. I mean, in the last 30 days, we have had so many. I can give you the names. These are, see, here they are. I mean, these are the names of, you know, large companies. Let’s see: Chanel, Gucci, Balenciaga, Alexander McQueen. Then we got Cisco Systems. I mentioned Qantas, Pandora, Allianz. Like, these are not, you know, companies that don’t have cybersecurity experts. So I think people are starting to ask, what the heck am I doing?

Dan: Yeah. Yeah. Because we can spend all this money and still be breached. Is it unwinnable? Yeah.

Al: And I think that is actually a really good point, Dan, which is, it is vulnerable. And I think when cybersecurity experts go to the CFO and say, gimme more money, if you can’t stop these attacks, if you cannot make the company safe, then why would they give you more money? At some point in time they’re gonna say, well, okay, you’re reducing the risk, but we are still getting breaches. And the industry needs to start thinking about prevention. And that was also one of the points that I made in our email, where I said that I think if you protect existing customers using solutions like MFA 2.0, you actually prevent churn. And it’s a clear, strong competitive advantage for MSPs, saying, look, I am giving you peace of mind; your account cannot be taken over. Which is a very powerful message, rather than saying, well, try to not have a breach.

Adam: Al, this is fascinating and I’m trying to let it sink in, and my brain is kind of like firing away, trying to make sense of this. I’m interested in the kind of, sort of demographics of this. So is it just your business that’s currently pushing this tech? Are there others pushing the same thing right now?

Al: So there are, we have lots of competitors. The MFA market is full of companies that are providing solutions. I would break that up into three parts. There is Microsoft Authenticator, you know, it is the 900-pound gorilla. So that is one group, one piece of the pie. The other piece of the pie is all of these other solutions that have a push-based approach.

So Duo, Okta Verify, you name it. And then the third group are the emerging ones such as ourselves, who are saying this whole thing is broken. You know, we built this from a blank sheet of paper. We didn’t have any, what do you call it, legacy or baggage that we had to deal with, tech debt, I believe is what we call it. And so there are a few companies that do this. So we do it. There’s another company called Beyond Identity that does a great job. So there are quite a few companies, or at least, well, so far, two companies that I know of that are really focused on MFA 2.0. And the big difference between us and these other companies that are talking about MFA 2.0 or selling MFA 2.0 is we believe that you shouldn’t have to install any software or hardware or any device to use MFA 2.0. Versus companies like Beyond Identity and others, they’re saying, you must install an agent, you must install software. And we don’t believe in that. Given what happened with CrowdStrike two years ago, or last year it was, right. CrowdStrike, the big meltdown, was last year. So we have to think of a single point of failure as a core concept. So there are companies that are doing this, so Microsoft and the Duos and the Oktas of the world. They’re saying, we are going to use Microsoft Copilot, Security Copilot. We are gonna do analytics, and we are gonna do detection. That’s kind of the world that they are in. And detection can never be a hundred percent. So we don’t believe in that approach.

Adam: So fundamentally, this is a difference of opinion. Yeah.

Al: So.

Yes. Yeah, you can. You can definitely say

Microsoft have a few people that probably know what they’re talking about, and you have a few people that know what you’re talking about. Microsoft has a lot, many

Adam: that know they’re

Yeah. Exactly, exactly. So this is clearly complicated, and not necessarily as simple as you make out.

And so one could argue that, at surface level, there’s a lot of details that go through here, and presumably if we had a Microsoft person in the room, they would voice their own opinions and their own thoughts about this tech. So I guess I’m just interested in sort of trying to understand the landscape, because it sounds like this could be something completely disruptive, right?

Which is, I guess, where you are positioning your technology. What’s interesting to me, hearing you speak, is, well, you know, wow, this does absolutely sound amazing. Why haven’t I heard about it before? You know, why aren’t there more people doing it? But of course, you know, maybe people said that to Tesla back in 2011, you know, when they were creating their first cars.

So, yeah, no.

Al: Can I add one thing to that? You’re absolutely right. It is a different approach, and the MSPs that are listening to this, they have to decide, do they want a prevention approach or a detection approach, because we will never do detection. Given how much companies have spent on AI, they will never go to prevention. I think it’s, I don’t know, electric car versus gasoline car, kind of a, you know, there are two different approaches.

Adam: Yeah. And yet BMW back in 2016, 17, when Tesla’s Model 3 was being released, didn’t have an electric equivalent, so they were still pushing their 3 Series, saying you have to wait six months for your Tesla, but ours is available now. But of course, everybody knew that BMW were building an electrical capability, because it was obvious that’s the direction of travel.

You know, so, well, I’m not sure what to take from this, but yeah, it’s a fascinating journey. But surely, ultimately this is gonna be based on what the consumer wants, right? And if the consumer wants to not be hacked in the first place, rather than being hacked and being detected, surely that’s gonna

Al: I think you’re absolutely

Adam: drive the outcome.

Al: I think you’re absolutely right. Let me maybe put it this way. If Microsoft took their top 10, 50, a hundred, I don’t know how many engineers they need, and said, do what Id does, we would definitely be out of a job. There is no doubt about it. Like I said, we are not sending rockets to

Adam: Mm-hmm.

Al: But I don’t believe Microsoft will do that.

I don’t believe Duo will do that. They have tech debt. And what I mean by that is, their philosophy is centralization. Our philosophy is decentralization. Their philosophy is detection. Our philosophy is prevention. I’ll give you a very simple example. You guys know passkeys, right? So it’s a wonderful standard, and about two or three years ago one of the updates allowed you to store your passkeys in your password manager. And I was very vocal about this at that time, and I still am. And I’m saying no. Keys should be hardware-bound. That’s the whole point of public key cryptography. But they allow it because 1Password pushed for it, Apple pushed for it. And I just think it is wrong. It is just fundamentally wrong. But that’s how they think, right? That’s how Microsoft thinks. You know, I have Entra; Active Directory was centralized, so they built Entra. Well, that is centralized. So now we are going to create passkeys, and we are gonna store them in Microsoft Authenticator, which is centralized. So, you know, that’s the mentality. And I think, as you rightfully put it, and I love the electric car analogy because I’m a big fan of Tesla, I think only time will tell. And I think consumers pick, you know, vote with their feet or their dollars, right? And I think we will see that.

Dan: Yeah, really interesting. And you’re both Tesla fans on the call. So I’m gonna divert us back to petrol. Is it true that Paul is actually going back to petrol from electric? But I’ll just throw that grenade in there and then,

Al: Synthetic fuel.

Dan: Oh,

Al: It’s no longer petrol.

Dan: Okay. Right. So a difference of opinion. And I could probably talk to you for about another hour on this topic. We’re very close to time. I do have one final question, which is also perhaps leading to the shameless plug that we always offer our guests, which is, if I’m an MSP and I’m listening to this, and it is fascinating, it’s new and it’s not without risk of understanding and adoption. So what’s my first step? How do I go from this, my ears have been pricked, how do I now move to, well, you said proof of concept.

Is that the first port of call?

Al: Absolutely. So we work very closely with Brigantia, so reach out to Brigantia. You can also go to our website, which is https://www.getidee.com/, and you can sign up for a free trial for 14 days. It’s super easy. We have great guides. You can play with it for 14 days, as many users as you like. If you need help, obviously we’ll help you set it up. What I think Brigantia has found, and the reason why they picked us, is because they see that there is a very clear gap that needs to be filled. And as more and more regulations come in for MSPs, you know, DORA regulations, Cyber Essentials, et cetera, they also need to have peace of mind that their accounts are not compromised and their customers’ accounts are not compromised. So I think we will see a massive change. I think people will start saying, this is enough. We are seeing that, like, we have hundreds of customers now. We are still a very small company, but I think we are seeing that, okay, I want peace of mind. I don’t want to have to worry that I’m on vacation, that somebody compromised my account, and now I jump through hoops.

Dan: Brilliant. Thank you so much for joining us, and really look forward to seeing you again at the next Brigantia event, I’m sure. And next time Adam and I are in Munich, we’ll be sure to stop by, and look forward to one of these famous cocktails you were telling us about.

Al: I would love to host you guys at (gastrobar) el Tato. Absolutely. And we can talk cars, because that is one of my favourite topics.

Adam: Do we need to wear the Lederhosen?

Al: No, you don’t, but don’t be shocked if I do.

Dan: It looks kind of fun. Maybe after one or two cocktails. Brilliant. Thank you very much.

Adam: Thanks Al.

Al: Thank you, gentlemen. It was great to talk to you.
