FAQ's

Does Circle Access protect my company from MFA Bombing?

Yes. "MFA Bombing" is a new type of exploit that defeats traditional MFA that many organizations believe to be quite strong. This recent article in Ars Technica provides a good summary.

Lapsus$ and SolarWinds hackers both use the same old trick to bypass MFA

Not all MFA is created equal, as script kiddies and elite hackers have shown recently.

As Ars Technica points out, any MFA is better than no MFA. But there are important differences between different types of MFA, and common vulnerabilities to those in the widest use today.

Circle Access, on the other hand, uses 3 very strong factors that are immune to cloud-based attacks of all kinds - phishing, pharming, spoofing, MFA prompt bombing, etc.

1. Something You Have: your Smartphone (or PC/laptop)

With Circle, authentication is device specific. The only opportunity is for a hacker to get onto the device.

2. Something You Are: your biometrics

Circle leverages the OS-native biometric scanning capabilities the device to ensure that the authorized user is in fact using the device.

3. Something you do: a cryptographic proof

With traditional MFA, this is weak and spoofable - using channels like SMS and email and authentication codes. Circle Access has you do something which uniquely proves your authenticity: sign a cryptographic challenge.

  • At the time of authentication, a public/private key pair is created.
  • The public key is kept on the Web server - and stored uniquely with our account.
  • The private key is stored and bound to the keychain of the authenticated device.
  • The Web server has the device sign a challenge at the time of authentication, which it can validate with the unique public key for that user account.

The only way to break this once again is get possession of the device. Then, for the highest value use cases, Circle adds one entirely new method of authentication.

4. Something that only people that know you can do: Circle-of-Trust

Circle-of-Trust human-in-the-loop identity verification. Even if the device is physically stolen or remotely hacked, escalation to Circle-of-Trust can force the attacker to 'lift the veil' and be identified directly, in person. This happens completely out-of-band and directly between the parties - no CoT bombing possible.

And of course the other vital role for Circle-of-Trust: protecting your super-powers!

Even when companies use FIDO2-based MFA everywhere, Nobelium has been able to defeat the protection. That bypass, however, was possible only after the hackers completely compromised a target's Active Directory, the heavily fortified database tool that network admins use to create, delete, or modify user accounts and assign them privileges to access authorized resources. That bypass is beyond the scope of this post because once an AD is hacked, it's pretty much game over.

Ars Technica: Lapsus$ and SolarWinds hackers both use the same old trick to bypass MFA

Can Circle Access protect your users and customers from sloppy protocols or lax enforcement? Of course not. But by making ultra-strong MFA frictionless and easy for end users, and effortless to support for IT, Circle Access can make it much much easier to implement and use.

Read This

Learn This

How Circle Access Mobile and Circle-of-Trust works, including API details, related forum topics, and relevant FAQs for developers

Related Questions