How do I protect my accounts? A guide to multifactor authentication

31 Aug 2018


Protecting your online accounts is an essential part of life on the internet. This guide to multifactor authentication can help.

Data security is a top priority whether you are a CIO of a large company or an individual who wants to keep their emails private.

As cyber-threats evolve and change, a single-password system just doesn’t make the safety grade any more. Many people use the same password for multiple accounts, but we cannot be reliant on a single form of authentication in an increasingly threatening digital landscape, where phishing and other threats are lurking.

Enter multifactor authentication (MFA). From single-use codes to physical security keys, users and businesses need to navigate the options on offer. We spoke to some experts to find out what’s best.

MFA can protect against phishing

Adenike Cosgrove, EMEA cybersecurity specialist at Proofpoint, said that MFA is “a critical pillar of any cybersecurity strategy”. According to Cosgrove, MFA builds on the idea that networks are no longer trustworthy, so more than one method of authentication is required.

Senior IEEE member and professor of cybersecurity at University of Ulster, Prof Kevin Curran, said: “It is built on components which may be something that a user knows, something that the user possesses or something that is inseparable from the user.”

Rajaram Bhaskaran, director of security offerings at Aricent, compares digital MFA to the analogue process of withdrawing cash from your bank account. “You need your credit/debit card (the possession factor) and also [to] know the PIN (the knowledge factor). Using biometrics as a factor to verify the user is becoming increasingly popular (the inherence factor).”

Raj Samani, chief scientist and Fellow at McAfee, added: “Whilst it is more onerous to deploy multifactor authentication, it is something that should be used where the value of the service you are trying to protect is of sufficient value.”

Types of multifactor authentication


The most commonly used consumer form of MFA is a one-off mobile SMS code, which is sent to a user’s device when they try to log in.

CTO of data protection at Gemalto, Jason Hart, said: “While this technology is still not a standard security process for all organisations, consumers are likely to have come across it, with Facebook, Google and Twitter being strong advocates of the technology to protect users from cyber-criminals [who partake in] brute-force cracking, phishing attacks, or simply guessing static passwords using information shared by the user online.”

This method of MFA is probably the least secure option, as hackers can exploit the underlying SS7 signalling protocol. Curran explained that this could “spoof a change to a user’s phone number, intercepting their calls or text messages”.

Bad actors can also use the tried and true social engineering method of “tricking IT support staff into assigning accounts to ‘dummy sim cards’, thus rendering this form of two-factor authentication [2FA] useless”.

Authenticator apps

Jake Moore, cybersecurity specialist at ESET, said that although no form of MFA is entirely secure, applications such as the Google Authenticator app are seen as highly beneficial. “These applications use a software token that implements two-step verification services using the time-based one-time password algorithm, which in turn generates a six- to eight-digit code.

“This algorithm is based around many factors, reducing the chance that a hacker will get access to the account.”

Curran added that it is now considered best practice to use tools such as Google Authenticator or an RSA token, which can also prove possession. “These do not involve a communication, which can be as easily eavesdropped upon, nor a sim card that can be replaced.”


Google recently hit headlines due to its use of physical USB security keys in its security strategy with staff. By using these keys, phishing incidents became far less common.

Stina Ehrensvärd, founder and CEO of hardware authentication company Yubico, explained how the process works. “Unlike SMS authentication, which involves sending a temporary login code to a user’s mobile phone via text, the root of trust sits on the hardware 2FA device, removing the need for transmissions that can be intercepted by tech-savvy cyber-criminals.”

Yubico’s YubiKey device has proven popular among the security-conscious who want to protect against phishing and other threats. “Even if your login credentials became compromised, the hacker would still need the physical YubiKey to gain access to your accounts,” said Ehrensvärd.


Curran said biometric authentication could totally eliminate passwords, PINs and single-use codes. “[Biometric authentication] maximises between-person random variations, while at the same time minimises within-person variability. In contrast with passwords and PINs, a biometric identifier cannot be lost, forgotten or shared.”

The list of biometric options is overwhelmingly long. It includes finger, face, retinal scan, iris, gait, vein infrared thermogram, hand geometry and palm print, or a combination of all these identifiers. The combination is termed ‘multimodal biometrics’.

This option is quite secure but challenging to implement, according to Bhaskaran. Many organisations use MFA to “strike the right balance between security and convenience”.

Enrolment in a biometric authentication system can be difficult and sometimes weak (allowing another user to register their biometrics instead of the user in question). If it is too difficult to implement, combining a password and a single-use code can provide robust protection.


Laurance Dine, computer forensics expert and managing principal at Verizon, said there are some other concepts that are becoming reliable enough to be held up as viable alternatives to more mainstream biometrics. “One option is asking a user to key in a passphrase, essentially establishing a question and corresponding challenge response.

“The software not only verifies the accuracy of the response to the challenge question, but also determines how a user types, using variables such as the speed between each letter being typed. From this, the software determines if the individual is the correct person.

“Another method is using an individual’s cognitive abilities. For example, organisations could present a set of pictures and ask the user to choose the combination that only the individual would know and be able to identify.”

The future of authentication

The biggest change in the future might be the rise of the mobile device for biometric reading. Curran said: “It is feasible that biometric authentication becomes the de facto form of providing credentials in the future, although it should be combined with multifactor methods.”

Curran said that although MFA attacks on SMS codes do involve individual targeting and an exceptionally high level of skill on the attacker’s part, “the problem is that attacks never get worse and there is always someone out there making the hardware cheaper and the software easier to use, so we can expect to see lesser-skilled attackers exploiting weaknesses in multifactor authentication, which for a brief period did what it said on the box”.

Cosgrove wants people to ensure that MFA is not their sole line of defence, particularly enterprises. “With the move to the cloud, and the growing use of enterprise SaaS applications, malicious actors are increasingly compromising corporate email systems by using brute-force attacks to steal cloud application login credentials of corporate users and then logging in as an imposter on the system.

“Through this method, attackers can gain access to accounts even if the company has deployed single sign-on or MFA as part of their security system.”

Consistent threat detection in real time is an essential part of reducing the risk of compromise through ransomware, phishing or other attacks.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects