REVIEW OF THE ATTACKS ASSOCIATED WITH LAPSUS$ AND RELATED THREAT GROUPS 33
integration with applications and web-based services, leveraging standards such as WebAuthn [327] and technologies such as Passkeys. [328]
• Technology providers should immediately begin to transition away from Short Message Service (SMS) and voice MFA. Transitioning from SMS and voice MFA to stronger MFA methods is consistent with National Institute of Standards and Technology (NIST) 800-63B (Rev. 3) and other globally accepted guidance. [329, 330, 331]
See Appendix B for further details on the strengths and weaknesses of different authentication methods.
• Operating system developers, web browser designers, and hardware manufacturers should address the widespread theft and monetization of authentication cookies, such as via infostealer malware, by implementing secure-by-default safety mechanisms that protect these credentials. For example, online service providers could automatically and silently reissue cookies, possibly every hour, to reduce the window of opportunity for attackers to reuse them.
  o Hardware-backed schemes could help raise the bar for defending against cookie theft. For example, proposals like Device Bound Session Credentials (DBSC) and Browser Proof-of-Possession (BPoP) aim to mitigate cookie and token theft techniques by providing application-level binding and browser-initiated refreshes. [333, 334]
The U.S. Government Should Provide Standards, Guidance, and Tools to Support Organizations’ Authentication Journeys
The United States (U.S.) government is responsible for shaping the digital ecosystem in a direction that puts the user first and harmonizes security and accessibility. The National Cybersecurity Strategy commits the U.S. government to take urgent steps in defending today’s digital ecosystem while simultaneously building a more sustainable and resilient future. [335]
Modernizing and securing authentication is at the forefront of this approach. The Office of Management and Budget’s (OMB) Zero Trust Strategy and the Cybersecurity and Infrastructure Security Agency’s (CISA) More Than a Password campaign emphasize the importance of MFA. [336, 337] The Board recommends that the U.S. government support organizations’ authentication maturity roadmaps by providing guidance that addresses their respective realities and dependencies.
The U.S. government, specifically OMB, NIST, and CISA, in consultation with the Office of the National Cyber Director
and other Departments and Agencies, as appropriate, should collaborate with industry stakeholders to develop and
promote a secure authentication roadmap that can help organizations make the transition to a world without
passwords. This roadmap should include standards and frameworks, guidance, tools, and technology specific to
organizations’ needs and circumstances that account for size, industry, threat profile, as well as privacy and civil
liberties considerations. This guidance should also enable organizations to assess their authentication maturity and
327 Balfanz, Dirk et al.; W3C, “Web Authentication: An API for accessing Public Key Credentials Level 1,” March 4, 2019, https://www.w3.org/TR/webauthn-1
328 Bertocci, Vittorio; Auth0, “Our Take on Passkeys,” August 24, 2022, https://auth0.com/blog/our-take-on-passkeys
329 NIST, “SP 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management,” June 2017 (updated March 2, 2020), https://www.doi.org/10.6028/NIST.SP.800-63b
330 CISA, “Implementing Phishing-Resistant MFA,” October 31, 2022, https://www.cisa.gov/sites/default/files/2023-01/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
331 ENISA and CERT-EU, “Joint Publication 22-01: Boosting your Organisation’s Cyber Resilience,” February 14, 2022, https://www.enisa.europa.eu/publications/boosting-your-organisations-cyber-resilience/@@download/fullReport
332 CISA, “Secure by Design, Secure by Default,” https://www.cisa.gov/securebydesign
333 The proposal for DBSC aims to reduce account takeover via cookie theft. For additional information, see: Web Incubator Community Group; W3C, “DBSC (Device Bound Session Credentials),” July 5, 2023, https://github.com/WICG/proposals/issues/106
334 The proposal for BPoP aims to prevent unauthorized or illegitimate parties from using leaked or stolen access tokens. For additional information, see: Microsoft Edge, “Demonstrating Proof-of-Possession in the Browser Application (BPoP),” June 9, 2023, https://github.com/MicrosoftEdge/MSEdgeExplainers/blob/main/BindingContext/explainer.md
335 The White House, “National Cybersecurity Strategy,” March 2, 2023, https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf
336 OMB, “M-22-09: Moving the U.S. Government Toward Zero Trust Cybersecurity Principles,” January 26, 2022, https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf
337 CISA, “More than a Password,” June 6, 2022, https://www.cisa.gov/MFA
Secure by Design
In 2023, CISA introduced an initiative to drive technology providers to prioritize consumer safety in every stage of the product development lifecycle. Building in robust IAM solutions would be an important step to achieving more security and reduced risk for consumers. [332]