Organizations are realizing a fundamental truth: passwords alone are not enough to secure accounts. A password is too easily phished, guessed, reused or leaked, so it must be supplemented with an additional authentication factor.  As a result, enterprises are rapidly integrating multifactor authentication (MFA) into their architectures, and the global MFA market is projected to grow from $11.1 billion in 2021 to more than $23 billion by 2026.  MFA is also a key consideration when an organization is assessed for cyber insurance coverage. MFA is built on three categories of authentication factor:

  • Something you know, such as a password or the answers to a series of preselected security questions.
  • Something you have, such as a registered phone, an authenticator app or a hardware security key that is used to confirm the identity claim.
  • Something you are, which entails some form of biometrics such as a facial or fingerprint scan.

A proper MFA solution requires factors from two or more of these categories during logon.  Supplementing the standard password prompt with a security question, for instance, adds a second "something you know" and therefore uses the same factor category twice; that is not MFA, and it offers little protection against an attacker who has already phished or purchased the user's answers.

MFA Doesn’t End Data Breaches

While MFA is a necessary control today against many types of cyberattack, it is not a blanket strategy that prevents all data breaches.  Breaches occur for more reasons than compromised user credentials.  MFA does nothing about system or application vulnerabilities that attackers actively exploit, nor does it prevent human error such as mistaken data sharing or security misconfigurations.  In the end, MFA is one layer in a defense-in-depth security strategy.

MFA as a Single Point of Failure

Multifactor authentication implies more than one authentication method.  Two-factor authentication (2FA) significantly bolsters your security, but relying on a single second factor can also create a single point of failure.  For instance, suppose a user in a remote workspace must type in a code sent by SMS to their cellphone.  A number of obstacles can still block authentication: the user may not have the phone on hand, or its battery may be dead.  The user may be in an area with poor cell coverage, or the SMS message may be delayed until the time-limited passcode has expired.  You need to offer more than one MFA method per user to ensure resiliency for authentication.

MFA can be Annoying

People love convenience. We love new technologies that make life quicker and easier. But users get annoyed at having to go through MFA routines every time they access a web portal or online application from their corporate or home office.  When users get annoyed with a repetitive security ritual, they start looking for ways to circumvent it.  Highly privileged users such as global admins should be required to complete MFA on every login, but the same rule can be overkill for standard users who work from a single location most of the time.  This is where adaptive multifactor authentication (aMFA) or IP-based MFA comes into play.  These solutions learn, over time, the locations and devices from which a user regularly logs in, and only initiate an MFA prompt when an authentication request comes in from a new or unexpected location.
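The decision logic behind the adaptive approach described above, as an added example that is not part of the original article or any vendor's product: a small policy engine that always prompts privileged accounts, prompts standard users only from a network or device not seen before, and, importantly, only learns a location or device after a login that completed MFA successfully (otherwise an attacker holding the password could teach the engine to trust their own address). The user names, IP addresses and device identifiers are constructed for the demo.

```python
"""Adaptive MFA policy engine (added example; names, IPs and devices are constructed)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class LoginEvent:
    user: str
    ip: str
    device_id: str          # e.g. a device certificate thumbprint or browser fingerprint
    privileged: bool = False


@dataclass
class UserHistory:
    networks: Set[str] = field(default_factory=set)   # networks seen on MFA-verified logins
    devices: Set[str] = field(default_factory=set)    # devices seen on MFA-verified logins


def network_of(ip: str) -> str:
    """Bucket an address into its /24 (IPv4) or /64 (IPv6) so a DHCP change at the
    same office or home does not look like a brand-new location."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


class AdaptiveMFA:
    def __init__(self) -> None:
        self.history: Dict[str, UserHistory] = {}

    def decide(self, ev: LoginEvent) -> Tuple[bool, str]:
        """Return (require_mfa, reason) for a login attempt that passed the password step."""
        if ev.privileged:
            return True, "privileged account: always prompt"
        hist = self.history.get(ev.user)
        if hist is None:
            return True, "no verified history for user"
        net = network_of(ev.ip)
        if net not in hist.networks:
            return True, f"new network {net}"
        if ev.device_id not in hist.devices:
            return True, f"new device {ev.device_id}"
        return False, "known network and known device"

    def record_success(self, ev: LoginEvent) -> None:
        """Learn the network/device ONLY after the user completed MFA for this event.
        Never call this on a password-only success."""
        hist = self.history.setdefault(ev.user, UserHistory())
        hist.networks.add(network_of(ev.ip))
        hist.devices.add(ev.device_id)


def demo() -> list:
    """Run a constructed sequence of logins and return the prompt decisions."""
    engine = AdaptiveMFA()
    first = LoginEvent("bob", "203.0.113.10", "laptop-1")
    results = [engine.decide(first)]           # first ever login: prompt
    engine.record_success(first)               # bob completed MFA, learn this context
    results.append(engine.decide(LoginEvent("bob", "203.0.113.77", "laptop-1")))   # same /24
    results.append(engine.decide(LoginEvent("bob", "198.51.100.5", "laptop-1")))   # new network
    results.append(engine.decide(LoginEvent("bob", "203.0.113.10", "phone-9")))    # new device
    results.append(engine.decide(LoginEvent("admin", "203.0.113.10", "laptop-1", privileged=True)))
    return results


if __name__ == "__main__":
    for require, why in demo():
        print("PROMPT" if require else "skip  ", why)
```

The /24 and /64 bucketing is a deliberate trade-off: it tolerates address churn within one site but means any attacker on the same network as the user is treated as "known", so the device check is what carries the weight there, and privileged accounts bypass the whole heuristic.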

Incorporating Weak Factors in your MFA

The principle of MFA is to compensate for the intrinsic weakness of the password as an authentication factor.  Supplementing it with another weak factor, however, may not provide the added security you are looking for.  For instance, requiring a user to type in a code sent to their cell phone by SMS or to an email address has inherent weaknesses as well: a user's phone can be stolen, the number can be hijacked, and the supplementary email account can itself be compromised, often with the same reused password.

The Weakness of SMS MFA

The most common "something you have" factor in MFA deployments is the cell phone.  Many organizations use an MFA solution that sends a one-time password to a registered phone by SMS.  One big problem is that SMS is not end-to-end encrypted: the message is readable by the carrier network and can be intercepted in transit, for example through attacks on the SS7 signalling network or with a rogue base station, and the attacker then sees the code in the clear.  A user can also unknowingly install a trojan or other malware on their phone that captures incoming one-time passwords and forwards them to the attacker.  There is also a practice called SIM swapping, in which an attacker convinces the carrier to move the victim's phone number onto a SIM the attacker controls, so that all subsequent MFA messages are delivered to the attacker.

A Possible Scenario

Many people are surprised at how easy it is to defeat some of the most popular MFA methods.  For instance, a user receives a phishing email that entices them to click a link that opens a look-alike landing page for their bank.  The unsuspecting user types in their username and password, which are immediately captured by the attacker.  The attacker, or an automated proxy acting for them, submits the stolen credentials to the bank's real website in the same moment.  The bank's authentication system detects that the request is coming from an unfamiliar location and sends a one-time password to the account holder's phone.  Meanwhile the soon-to-be victim is shown a new fake screen that prompts for the passcode just sent, and they type it in.  That code is captured too, and the attacker relays it to the bank's website before it expires.  Once the code is accepted, the bank's system admits the attacker into the user's online account, at which point the attacker proceeds to drain it.  This adversary-in-the-middle relay works against any factor that is just a value the user can read and retype, which is why it defeats SMS, email, voice and app-generated codes alike.

Microsoft Discourages Phone-based MFA

It is because of this very real scenario and others that Microsoft now discourages telephone-based MFA that relies on codes delivered by text message, email or voice call.  Microsoft instead recommends authenticator apps such as Microsoft Authenticator or Google Authenticator, and, stronger still, security keys.  Security keys are physical devices containing a small cryptographic chip.  They are typically plugged into a USB port, but they can also connect over NFC or Bluetooth.  They are often compared to a hotel key card.  These keys implement the open FIDO standards (the original U2F and its successor FIDO2/WebAuthn), in which the key signs a server challenge together with the origin of the site the browser is actually on, so a signature produced on a phishing site is rejected by the real one.  Users present the key whenever they need to prove their identity to log on to an account, website or application.
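The phishing relay from the scenario above and the origin binding that defeats it, modelled offline as an added example that is not code from the original article or from Microsoft. The bank, the look-alike phishing origin, the user and all secrets are constructed; the TOTP routine follows RFC 6238 as an authenticator app would compute it, and the "FIDO signature" is an HMAC stand-in for the key's public-key signature. What matters for the demonstration is that the signature covers the origin the browser actually talked to, exactly as the origin field of WebAuthn's clientDataJSON does.

```python
"""Adversary-in-the-middle (AiTM) relay: OTP is relayed, an origin-bound FIDO assertion is not.
Added example; hosts, users, secrets and the HMAC 'signature' are constructed stand-ins."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional

BANK_ORIGIN = "https://bank.example"          # constructed: the real site
PHISH_ORIGIN = "https://bank-login.example"   # constructed: the look-alike site


def totp(secret: bytes, now: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, i.e. what the victim reads off their authenticator app."""
    counter = int(time.time() if now is None else now) // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def fido_sign(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Stand-in for the authenticator signature: it covers the challenge AND the origin
    the browser reports, which is the property that makes the factor phishing-resistant."""
    return hmac.new(key, challenge + origin.encode(), hashlib.sha256).digest()


class Bank:
    """The real relying party: password step, then either an OTP or a FIDO assertion."""
    def __init__(self, username: str, password: str, totp_secret: bytes, fido_key: bytes):
        self.creds = {username: password}
        self.totp_secret = totp_secret
        self.fido_key = fido_key                 # stand-in for the registered public key
        self.sessions: Dict[str, bytes] = {}     # session id -> pending challenge

    def password_step(self, username: str, password: str) -> Optional[str]:
        if self.creds.get(username) != password:
            return None
        sid = secrets.token_hex(8)
        self.sessions[sid] = secrets.token_bytes(32)   # fresh challenge for this login
        return sid

    def verify_otp(self, sid: str, code: str) -> bool:
        return sid in self.sessions and hmac.compare_digest(code, totp(self.totp_secret))

    def verify_fido(self, sid: str, signature: bytes) -> bool:
        # The relying party checks the assertion against ITS OWN origin, never the client's claim.
        expected = fido_sign(self.fido_key, self.sessions[sid], BANK_ORIGIN)
        return hmac.compare_digest(signature, expected)


class Victim:
    """Types whatever the page in front of them asks for; the browser, not the user,
    supplies the origin to the security key."""
    def __init__(self, username: str, password: str, totp_secret: bytes, fido_key: bytes):
        self.username, self.password = username, password
        self.totp_secret, self.fido_key = totp_secret, fido_key

    def type_credentials(self):
        return self.username, self.password

    def type_otp(self) -> str:
        return totp(self.totp_secret)

    def touch_key(self, challenge: bytes, origin_seen: str) -> bytes:
        return fido_sign(self.fido_key, challenge, origin_seen)


def aitm_otp(bank: Bank, victim: Victim) -> bool:
    """Proxy on PHISH_ORIGIN relays password and code to the real bank in real time."""
    user, pw = victim.type_credentials()        # entered on the phishing page
    sid = bank.password_step(user, pw)          # proxy replays to the real bank
    code = victim.type_otp()                    # fake page asks for the freshly generated code
    return bank.verify_otp(sid, code)           # proxy replays the code: accepted


def aitm_fido(bank: Bank, victim: Victim) -> bool:
    """Same relay against a security key: the browser binds the assertion to PHISH_ORIGIN."""
    user, pw = victim.type_credentials()
    sid = bank.password_step(user, pw)
    challenge = bank.sessions[sid]                      # proxy forwards the real challenge
    signature = victim.touch_key(challenge, PHISH_ORIGIN)   # signed for the origin actually visited
    return bank.verify_fido(sid, signature)             # origin mismatch: rejected


def demo() -> Dict[str, bool]:
    totp_secret, fido_key = b"constructed-totp-seed", b"constructed-fido-key"
    bank = Bank("alice", "hunter2", totp_secret, fido_key)
    victim = Victim("alice", "hunter2", totp_secret, fido_key)
    return {"otp_relayed": aitm_otp(bank, victim), "fido_relayed": aitm_fido(bank, victim)}


if __name__ == "__main__":
    print(demo())
```

Note that the relay works against the authenticator app's TOTP just as well as against SMS; the difference between the two is only the delivery channel. The FIDO path fails not because the proxy is detected but because the bank never receives a signature over its own origin.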

Getting Clarity on MFA

There is a lot of confusion about MFA.  If you are currently using SMS-based passcodes as your primary MFA method, you should evaluate the alternatives above, particularly authenticator apps and FIDO security keys, which offer far greater security.

Review your current security posture. HALOCK can analyze your risks and advise on the best safeguards for your working environment to achieve reasonable security.
