Multifactor authentication is an important part of staying secure online, but not all methods are equal. Here’s what you need to know.
As the volume of cyberattacks continues to grow, companies and end users alike need to be more vigilant about protecting their data.
In recent years, online banking, email providers and social media platforms have strengthened their security practices by adding two-factor or multifactor authentication (MFA). This is because relying on a single factor such as a password is weak for many reasons: passwords are reused across sites, guessed, phished and leaked in breaches.
Many organisations have introduced MFA for staff or users. For example, Microsoft made MFA mandatory for its cloud solution provider programme and other partners.
However, while MFA is seen as an essential cog in the cybersecurity wheel, it is not always straightforward to introduce, and there are many methods to choose from.
In October last year, Alex Weinert, director of identity security at Microsoft, wrote a blog post about the need to move away from SMS and voice multifactor authentication mechanisms. While his post stressed the importance of MFA as a whole, he brought to the forefront an important distinction: not all types offer the same level of security.
Types of multifactor authentication
Jason Soroko is the CTO of PKI at cybersecurity company Sectigo. He said each type of authentication has its own advantages and disadvantages.
“The principles are something you know, something you have, and something you are. Multifactor authentication means that users need to provide two out of these three to confirm their identity,” he said.
Phone-based one-time passcode
For phone authentication, a user is asked for a one-time passcode, delivered by SMS text message or by an automated voice call to their registered number.
This is the method that Microsoft’s Weinert advised against using. “These mechanisms are based on publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today,” he said in his blog post, adding that every mechanism to exploit a credential can be used on PSTN.
Hackers can pull off SIM-swapping scams to gain control over someone’s phone number, typically by persuading or bribing a mobile carrier to move the victim’s number to a SIM the attacker holds, after which the attacker receives the victim’s text and voice passcodes. Last year, Europol reported that police across Europe had been gearing up against this threat, with arrests happening in Spain, Austria and Romania.
Hardware token one-time passcode
According to Soroko, hardware tokens are an earlier form of one-time password generation. Instead of coming from a smartphone, the code comes from a piece of dedicated hardware.
“The disadvantages of a hardware form factor include having to possess multiple devices and speed of provisioning,” said Soroko. “Hardware tokens should only be considered for legacy applications.”
Soft token one-time passcode
This is similar to the one-time SMS passcode, but the code is generated by an authenticator app on the user’s device rather than sent by text message. Like all one-time passcodes it is time-sensitive (typically valid for a window of around 30 seconds), and it has the disadvantage that the user must type it into the application, which is where it can be intercepted.
“There have been several attack methods to steal the one-time passcodes including endpoint compromises leading to key logging, man-in-the-browser and also proxy network-based man-in-the middle,” said Soroko.
Knowledge-based authentication
This type is based on the ‘something you know’ principle and is most commonly encountered as security questions. When authenticating to applications, users are challenged to supply pre-arranged answers under a ‘knowledge factor’ model of authentication.
“This model has risks that include the answers being guessable by the attacker, as well as endpoint compromises leading to key logging and man-in-the-browser,” said Soroko.
Biometrics
Soroko said that biometrics such as fingerprint scanning, eye scanning and voice recognition are handy replacements for manual PIN code entry, but added that they are still not 100pc secure.
“Successful attacks to mimic biometrics demonstrate that even though biometric measurements are unique to a person, those measurements are not as difficult to duplicate as may be suspected.”
What can users do when it comes to MFA?
Getting to know the different types of MFA is important, but what about actually using it? Michael Green, a senior cloud security consultant at BSI Cybersecurity and Information Resilience Ireland, warned that basic online security principles still need to be kept in mind when using MFA.
He said ensuring that upgrades and patches for devices and applications are made frequently is the first step. “Using a modern operating system and having the latest security patches installed will reduce the risk of the device, the web browser or the MFA app itself being vulnerable to manipulation,” he said.
“Hardening email security postures is another important step. Attackers can effectively bypass MFA if they are successful in manipulating someone into clicking on a malicious email link or attachment. They may have cloned the login screen of a popular website and the person may have been tricked into entering their credentials into an attacker-controlled copy of the site.”
Green also said it’s important that users are familiar with the security settings of the application they are using, and they may need to enable security features that are not configured by default.
“Applications are all different and the per-application security options will differ too. Carry out due diligence into the available endpoint, web and email protection offerings to strengthen the overall security posture.”
However, users cannot add a second factor to an application that does not support one. Green said that while MFA adoption is increasing, there is still more work to be done.
“Is MFA available for all the services that are used? The likelihood is the answer is no. We would recommend raising a feature request to implement MFA with the service in question,” he said.
Why don’t all companies have MFA?
In the wake of a number of recent large-scale cyberattacks, Salesforce told Siliconrepublic.com it is getting ready to make multifactor authentication mandatory for all customers.
Lynn Simons, the company’s senior director of security awareness and engagement, said the reason companies may be slow to set up MFA comes down to prioritisation.
“Despite how technically simple adopting MFA can be, it remains a project in change management. It’s a technology and change in login process that’s being implemented, requiring sometimes hundreds, if not thousands, of employees to engage with a new tool,” she said.
“Applying change at that scale, no matter how simple, can be overwhelming, even when the world isn’t going through a pandemic. But it doesn’t have to be overwhelming. By recognising challenges to user adoption, committing to open communication and providing the resources and training your employees need, any business can conquer that fear of the unknown.”
Simons added that company leaders need to ask themselves what the best way to roll out MFA may be for their own organisation. “The barrier to adopting MFA isn’t the technology itself, but is how to manifest that change, communicate it and figure out the best technology to deliver MFA. Are your employees tech savvy to adopt a mobile app? Or do you invest in more analogue technologies like YubiKey?”
She echoed other security experts’ sentiments about the importance of choosing the right method of MFA. While she said that SMS messages are far too vulnerable, she warned that the chosen methods should not only be strong, but user friendly.
“While password generator apps or security keys may not work for every company, the reality is most employees are also consumers with a smartphone. And odds are, on that phone, the employee is already using multiple apps that require MFA. That muscle memory exists for businesses to tap into; doing so can significantly decrease time to adoption and onboarding,” Simons said.
“With options like hardware keys, you often see employees run into issues losing, replacing or breaking them. But a mobile authenticator app can be continuously updated in ways that make the MFA process more seamless.”