Multi-factor authentication and privilege escalation
Protecting your access with layers of security
~15 mins estimated · General
To start, privilege escalation is a type of attack in which an adversary gains access to resources they are not authorized to use, either by taking over other user accounts or by obtaining higher privileges than their own. Horizontal escalation is the scenario where the attacker breaks into other accounts at the same privilege level as a typical user and then misuses the legitimate permissions granted to those accounts. Vertical escalation is when the attacker turns an already compromised account into administrative access or something similar (such as root on a server), usually by exploiting a flaw that lets the account act beyond its assigned privilege.
Also, for clarification: although authentication and authorization are similar words, their meanings are quite different, and the distinction matters for this lesson. Authentication is the process of verifying a user's identity, whereas authorization determines how much access an authenticated user is granted and what actions they may perform within a system. We focus mainly on authentication here, although access control (authorization) is also a strong defence against privilege escalation.
So you may wonder... what does this have to do with multi-factor authentication (MFA)?
To break into accounts they are not entitled to, attackers rely on brute force (password guessing) and/or credential theft. An account protected by multi-factor authentication is notably harder to take over: even if the password is guessed or stolen, a second factor stands between the attacker and the account. The attacker may get past the first layer of the login procedure, but is then asked to prove possession of another device or secret, which adds serious complications and a major deterrent. How strong that second layer is depends on the type of factor, as discussed below.
About this lesson
Take a look at the difference between authentication and authorization, and learn about privilege escalation and how tools like multi-factor authentication can mitigate this type of threat.
Types of multi-factor authentication include one-time passwords, authenticator apps, biometrics, hardware tokens, security questions, and PINs. One-time passwords usually take the form of codes sent to your email or phone that expire after a short period. Authenticator apps work on the same principle but keep everything in one place: they generate temporary codes on the device from a secret shared with the service at enrollment, so no code has to travel over email or SMS. Biometrics are scans of yourself (such as face or fingerprint). Hardware tokens (for example a USB security key you plug into your computer) are in practice the strongest option, because keys that implement FIDO2/WebAuthn sign a challenge that is bound to the site's origin, so a phishing page cannot relay the result. Security questions (like "What was your childhood pet's name?") and static PINs are the weakest of the set: a PIN never expires, and answers to security questions are often guessable or publicly discoverable. Codes delivered by SMS or email sit in between, since they can be intercepted or phished. Still, any of these is better than not using multi-factor authentication at all.
One main threat to the efficacy of multi-factor authentication is social engineering. This includes phishing, where attackers use manipulative messages to trick a person into revealing information such as passwords or bank details, typing a one-time code into a fake login page, or installing malicious software directly onto a device. A code-based second factor can be phished in real time this way; an origin-bound factor such as a security key cannot. We will talk more below about how to properly implement MFA.
Privilege escalation happens when attackers exploit programming errors, design flaws, configuration issues, or access control oversights. Through these, attackers gain access to sensitive information or launch further attacks with their newfound permissions. Think of privilege escalation as a means to an end: the access itself is rarely the final goal, but it is what lets the attacker carry out more specific attacks. Even with otherwise tight security measures, allowing malicious privilege escalation to occur completely changes the attack surface available to the adversary.
A recent example of an attack originating from privilege escalation is the 2023 Okta data breach. It started when an employee's account was compromised, which allowed the attackers to operate from that account and install malware on the employee's laptop. Okta eventually determined that the attackers had accessed data belonging to 134 customers. One of the security enhancements Okta implemented after this breach was requiring multi-factor authentication for important actions.
Har Dware is a developer working on the backend of his company's access management system. His team heard about a snazzy new method, multi-factor authentication, and wants to implement it in their login procedure.
Here is what the code they might use to connect an authenticator app with their server looks like:
What makes Har's procedure secure?
The security of Har Dware's system comes from combining a shared secret with the element of time. When the user needs to log in, they open their authenticator app. The app computes an HMAC over the saved secret_login_key and the current time (Unix time divided by 30 seconds, rounded down), then truncates the result to a 6-digit code. This is the TOTP scheme standardized in RFC 6238.
Back on Har's server, the script does exactly the same calculation.
When the user types in their 6-digit token, the totp.verify(user_token) function takes the same secret_login_key (fetched from the database) and combines it with the current time. It generates its own 6-digit code and compares it to the one the user provided. If they match, the user is authenticated.
Boom! A robust login, much more secure than a simple username and password. A few details decide whether it stays that way: the shared secret must come from a cryptographically secure random source and be stored protected at rest; the server should accept a small window of adjacent 30-second steps to tolerate clock skew, but reject a code that has already been used; the comparison should be constant-time; and attempts must be rate-limited, because a 6-digit code is trivially brute-forced if unlimited guesses are allowed.
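The scheme described above, written out end to end as an added example. This is not the page's code or Har's team's code; it implements RFC 4226/6238 directly with the Python standard library rather than calling a library such as pyotp, so the HMAC, time-step and truncation steps are visible. It assumes the defaults common authenticator apps use (SHA-1, 6 digits, 30-second steps, a 20-byte secret); the function names, the issuer/account strings, and the secret value in the demo (the RFC 6238 reference secret, chosen so the output can be checked against the RFC's table) are all assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length shown by the authenticator app


def new_secret() -> bytes:
    """Enrollment: generate the per-user shared secret from a CSPRNG.
    Store it protected at rest; whoever holds it can mint valid codes."""
    return secrets.token_bytes(20)


def enrollment_uri(issuer: str, account: str, secret: bytes) -> str:
    """otpauth:// URI that authenticator apps read from a QR code.
    The secret is base32-encoded, which is what the apps expect."""
    b32 = base64.b32encode(secret).decode("ascii")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer reduced modulo 10**digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None) -> str:
    """What the authenticator app computes: HOTP with the counter set to
    floor(unix_time / 30). Server and app derive the same code from the secret."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // STEP_SECONDS)


def verify_totp(secret: bytes, user_code: str, at: Optional[int] = None,
                window: int = 1, last_used_counter: int = -1) -> Optional[int]:
    """Server side. Returns the time-step counter that matched, or None.
    - window=1 also accepts the previous and next 30-second step (clock skew).
    - any counter <= last_used_counter is refused, so a code cannot be replayed;
      the caller persists the returned counter as the user's new last_used_counter.
    - hmac.compare_digest keeps the comparison constant-time.
    Rate limiting of attempts per account is assumed to happen in the caller."""
    if not (user_code.isdigit() and len(user_code) == DIGITS):
        return None
    t = int(time.time()) if at is None else at
    current = t // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), user_code):
            return counter
    return None


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 reference secret; a real deployment
    # calls new_secret() once per user at enrollment instead.
    secret = b"12345678901234567890"
    print(enrollment_uri("ExampleCorp", "har@example.com", secret))
    print("code at t=59:", totp(secret, at=59))
    print("accepted at t=59:", verify_totp(secret, "287082", at=59))
    print("replay refused:", verify_totp(secret, "287082", at=70, last_used_counter=1))
```

The enrollment URI is what the QR code at setup encodes; after that the secret never leaves the server and the device, and only the short-lived derived codes cross the network. The `last_used_counter` check is what stops an attacker who phishes or shoulder-surfs a code from reusing it within the acceptance window.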
Requiring users to enable multi-factor authentication
As we've seen from the information above, one of the best ways to prevent privilege escalation attacks before they start is to use multi-factor authentication. Even at an individual level, adding a second factor keeps your accounts and information more secure, and in an organization it helps protect your coworkers and the organization as a whole. When you have the option, prefer hardware security keys, authenticator apps, or biometrics over codes sent by SMS or email.
Identity fabrics
Another concept, more at the administrative level, that can prevent privilege escalation attacks is the creation of an identity fabric within an organization. Many administrators and enterprise security teams must juggle multiple user directories and identity systems; an identity fabric takes some of the complication away by combining these different access management systems into a unified framework. The key is having a single point of control for managing user identity and privilege. This covers both authentication, making sure each user you oversee is who they claim to be, and authorization, governing what privileges each account is granted.
Implementing a unified fabric gives an organization more accurate threat detection in the case of an attack, and keeps all of the information that needs to be overseen in one place. According to the IBM X-Force Threat Intelligence Index, identity-based intrusions are among the most common attack vectors, accounting for around 30% of the intrusions an organization might observe. Methods like multi-factor authentication and identity fabrics can help to bring that number down when implemented mindfully.
Least privilege & access control
Finally, one other method that minimizes the risk of privilege escalation and other identity-related attacks is being vigilant about access control. Access control defines what each user may do by default, and the principle of least privilege should always apply: accounts get only the access their job function requires, and nothing more by default. For example, someone in the sales department should not have the same access as an enterprise security engineer. Giving everyone only what they need limits what an attacker can do from a compromised account, which in turn blunts privilege escalation and other identity-related attacks. Likewise, only people with the appropriate security training and a genuine need should be able to reach sensitive systems and data.
Conclusion
Considering the prominence of identity-related attacks, preventing organizational problems like privilege escalation and individual-level problems like sensitive information leaks remains of great importance. Multi-factor authentication is one way to secure your information or organization, and the other methods listed above can make your accounts more secure by leaps and bounds as well.
Keep learning
Take a look at more of our less coding-specific lessons:
- This lesson describes the phenomenon of false negatives and false positives in threat detection systems.
- Our personally identifiable information lesson teaches you what your sensitive information is and how to protect it.
- And finally, here is one of our more technical lessons concerning access control.