Multi-factor authentication, also referred to as two-factor authentication or 2FA, is a security enhancement that requires users to present two pieces of evidence before logging in to an account.
Acceptable credentials generally fall into one of three categories: something you know (a password or PIN), something you have (a smart phone or physical token), or something you are (your fingerprint). For multi-factor authentication, credentials must come from two different categories. So, for example, after typing in your user name and password, some apps will send a one-time code to your phone that also must be typed in. The thinking goes that while hackers today can all too easily discover your passwords, they almost certainly won’t also have your phone (but more on that later).
The obvious benefit of multi-factor authentication is increased security by adding additional layers of protection. The more layers (factors), the harder it is for a potential intruder to gain access to accounts, systems or data. MFA can also help organisations achieve and maintain compliance, which can reduce potential legal liability.
But MFA is not a magic bullet; keep these challenges in mind when creating a multi-factor authentication program of your own:
Adoption is generally low
Even among those who know better, MFA can be one hurdle too many for some users. That’s because in most MFA implementations, passwords are still necessary. So now in addition to having to manage the password, users have to manage the additional layer of security. Relatedly, because different applications and systems may require different types of MFA, users are juggling authentication types just as they juggle passwords.
Access codes can be stolen
As organisations work to boost security through MFA, criminals are just as busy creating new tools to overcome those efforts. According to ZDNet, a penetration testing tool published by a security researcher — not even a bad guy! — “can automate phishing attacks with an ease never seen before and can even blow through login operations for accounts protected by two-factor authentication.”
The same article noted that an Amnesty International report released in late 2018 showed that advanced state-sponsored actors have already started using phishing systems that can bypass 2FA already.
Accepting any MFA request
Sometimes criminals don’t even need to socially engineer someone into helping them. Here at SpyCloud, we heard from members of our Customer Advisory Board that some obliging customers will accept any MFA request, even if they’re not currently trying to login to anything. A good reminder that human error remains the biggest security threat!
SIM, which stands for subscriber identity module, is your phone’s unique identifier. A small chip-containing card, it’s used by mobile phone providers to individually identify each of us as subscribers and allow us to communicate with their specific mobile networks. Most providers also offer a service known as a SIM swap, which enables the transfer of your mobile account from one SIM card to another. This comes in handy if you’ve accidentally lost your phone or somehow damaged your SIM card.
And of course, cybercriminals have learned how to use this function to gain access to users’ accounts. Cybercrime Magazine describes how Rob Ross, an Apple developer and cryptocurrency investor, watched helplessly as one million dollars was siphoned out of his bank account in a matter of minutes. More recently, Twitter CEO Jack Dorsey lost control of his own Twitter account through this increasingly common tactic.
From one account to the next
Once criminals gain access to one account, they’re often able to them get into many others owned by the same user. They may be able to get into the first account through no fault of the user, gaining passwords through a third-party breach, or because of poor password hygiene (reusing credentials) by the user.
Once in the account, hackers are often able to discover the “seed” or secret key of a TOTP — a time-based, one-time password — that allows entry into more high value targets such as bank accounts. The same goes for other personally identifying information, or PII, that can be gleaned from the first account. Once inside, threat actors can use compromised PII to answer security questions and get access to even more accounts.
MFA can even solidify threat actors’ control over stolen accounts. How? Let’s say you unknowingly enable MFA for an account that has already been compromised, or if an attacker has SIM swapped to get control of your accounts, those MFA requests go to the attacker — reinforcing their ownership!
Account recovery can also negate existing MFA; once the hacker has control over say, an email account, they can simply click “forget your password?” then answer your security questions with the PII in discoverable in your email.
Actionable steps for greater protection
While the shortcomings of MFA are real, it’s still a good idea to enable it. And you absolutely can boost its effectiveness if you take the steps below:
- Encourage users to select a type of MFA other than SMS, to protect against SIM-swapping and phone porting.
- Monitor user credentials for passwords that have been exposed in a data breach, in accordance with NIST password guidelines.
- Educate users about phishing, social engineering, SIM-swapping and how to store TOTP seeds securely.
- Encourage users to set PINs for their mobile accounts.
- If you send emails asking customers to reset their passwords, provide step-by-step instructions rather than clickable links that could condition users to click links in phishing emails.
- Use location-based controls; make sure both the login attempt and the second factor come from the same location/IP address.
Chris LaConte, Chief Strategy Officer, SpyCloud