Let's Talk About MFA
Chuck's Cyber Wall
Some of us are very familiar with MFA (Multi-Factor Authentication). It is a method of security that requires a factor in addition to a password to complete a login. As if a having a strong password is not enough, now we’re being asked to use an authenticator or have codes texted, emailed, and phoned to us, or worse – having to carry around a small USB device, as a secondary form of identification.
Why is this necessary?
Well, because using MFA virtually eliminates the threat of credential theft. Please, read that line again. Seriously, it’s true. No single technology in the past two decades has provided as much credential security as MFA. If you are not currently using it on any account with access to your personal and financial information, you are putting yourself at risk.
How MFA Works
The vast majority of Phishing attacks attempt to steal your credentials.
Since Google started requiring MFA for it’s 85,000+ employees in 2016, they have not experienced a successful credential Phishing scheme. There are so many Phishing scams going on right now, that cyber security officials have reached a point where they need to be careful about which scams they reveal to the public in order to avoid making people numb to the threat. We are all preaching awareness, but as the threats continue to grow and get more complex, we’re seeing people throw their hands in the air and give up.
Instead of becoming more vigilant, they begin to turn a blind eye to it.
This is how hackers win. The collective WE can’t let that happen because these hackers ruin lives, and MFA is a great way to turn the tables on them.
As the name implies, Multi-Factor Authentication adds a requirement beyond a password in order to gain access to accounts, websites, email, etc. This secondary verification requirement means that even if a hacker manages to get your user name and password, they still can’t gain access to your accounts. Utilizing this one security protocol nullifies the success rate of the most often employed Phishing threat.
Can it be a little inconvenient? Yes.
I use three different MFA authenticators for 11 business apps, such as Office 365, website administration, VOIP service, etc, and for 17 personal apps including email, banking, and social media programs like Facebook, Instagram, and Twitter, etc. Every time I log in from a new device – or after 30 days – I am required to re-authenticate with my password and a one time code provided by the authenticator.
Sure, I resisted at first, complaining that it slowed me down. But does it really?
It takes as much time to access the authenticator and type in that one-time passcode as to open Facebook and respond to a meme with a laughing emoticon. The inconvenience is slight, at best, and when compared to the benefit MFA offers, it is absolutely worthwhile.
Types of MFA
Up at the top, I mentioned a variety of ways 2FA could be used. The reason that there are so many option is to try to find a method that appeals to the greatest number of people. Whether you are tech savvy or utilize technology only when you must, there is a method of 2FA for you.
- Microsoft Authenticator – free, easy to use, and works for almost every app out there, and offers push notifications
- Google Authenticator – also free and works with almost every app and has iOS support, but the initial setup can be tricky
- TOTP Authenticator – free and really basic, but offers cross-platform support for iOS and Android and cloud syncing
- SAASPASS – an authenticator with a lot of options and works on virtually every platform available from Android to iOS to Blackberry to Windows
- 2FA Authenticator – free and very basic app without a lot of customization, its simplicity makes it a popular choice
- LastPass Authenticator – free, lots of features – including push notifications, and integrates with LastPass Password Manager
- Duo Mobile – in addition to the popular apps, this one supports a lot of third party apps that others don’t, and includes its own push notifications.
- Authy – free and works similarly to Microsoft and Google, and offers push notification and device syncing so you can have it on your phone and tablet
There are others, but these are the most popular and best rated.
We would be remiss for not mentioning that there are some vulnerabilities to authenticators related to the smart phones themselves:
- A smart phone that doesn’t have some type of lock security feature leaves the authenticator vulnerable
- Smart phones can be sim cloned – meaning a hacker can make an exact copy of it, including the authenticator
- If the battery dies, the phone breaks, or it is lost, the authenticator will be inaccessible
When it comes to authenticating to an account, there are four different security methods:
- Something you know – like a password
- Something you have – like an authenticator
- Something you are – like finger prints, facial recognition, and iris scans – also known as Biometrics
- Somewhere you are – we’ll discuss this in Tokens
A few years back, biometrics were hailed as the next evolution in cybersecurity. That excitement waned after the initial technologies contained flaws that were greatly exaggerated in movies and on TV. For this and many other reasons, people have been less than willing to embrace it. As the technology has improved, with people using fingerprint readers and facial recognition on smart phones, biometrics has become a standard security protocol.
Biometrics makes it possible to potentially use more than two security methods without causing more inconvenience, likely making it the next evolution in cyber security. It’s just going to come at us a little more slowly to allow us all to adapt to and better understand the technology.
Do you not have a smart phone? or not want to install an app on your smart phone?
The majority of programs and websites that support MFA will allow you to provide them with a trusted phone number that will provide you with passcode via phone call. You may provide either a mobile phone number or one from a dedicated landline or VOIP service, like your office phone.
The only negatives here are that the phone must be available to you in an area with service, and if you need to have that phone number changed, it can be very labor intensive and time consuming. MFA companies are going to err on the side of caution and make absolutely certain the person requesting the change is the actual account holder. To be honest, this is true of any change to a MFA system, it just so happens that phone numbers are more apt to require these types of changes.
Also, when using call codes, people often write them down. You may think that because it’s a one use code, writing it down is not an issue, right?
Every cyber security expert in the world recommends never writing anything security-related down, and people who get used to writing down security codes, will write down other important security information. So, if you are going to use call codes, whenever possible type them in while on the phone – you can request the code to be repeated as many times as you need.
While none of these MFA methods are completely secure, passcodes received via text messaging or SMS (Short Message System) are the most vulnerable.
Aside from requiring cell service to receive the passcodes, the messaging services that are being used are old and vulnerable to a variety of types of attack. In addition, service providers have easy access to messages in these systems as they are being transmitted between towers and SMS Centers, allowing for the possibility of insider threats that could potentially intercept these messages. Yes, this means that any text message you send from your phone has these vulnerabilities.
The nature of the single use passcodes mitigates this threat enough that there is not a great deal of concern for companies offering MFA with sending passcodes in this way. In this instance, the benefits of MFA far outweigh the potential risks of using Text Codes, but I would still recommend one of the other options listed here.
Also referred to as a Disconnected Token, these are simply standalone authenticators. Like those listed above, the job of a Token is to provide you with an encrypted six digit passcode. After being prompted to provide your user name and password for the program or website you are trying to access, the credential manager will prompt you for the passcode.
After entering the passcode, you’re in.
- As an independent piece of hardware, tokens are not susceptible to sim cloning (someone making an exact copy of your phone), they work in areas with no cell coverage, and account recovery is tied to a specific serial number allowing for more secure activation/deactivation
- Many of them have built in geolocation, requiring you to be in a specific area for the code to work
- this is used for the fourth security method – Somewhere you are
- The security certificates stored on the device can be used to provide it with a limited operation time, requiring users to turn in old tokens and get new tokens, at the same time allowing administrators to re-evaluate the user needs and determine if the token is still necessary
Also referred to as a Connected Token and Universal 2nd Factor (U2F), these are standalone authenticators shaped like a USB drive that are plugged into the computer, with a button on top. Unlike other types of authenticators, these don’t generate a code. After being prompted to provide your user name and password for the program or website you are trying to access, you will insert the Security Key when the credential manager prompts you to enter the code, and then press the button it it.
That’s it, you’re in.
Easy to use, with all of the benefits of being an independent piece of hardware, these Security Keys are growing in popularity as they speed up the secondary authentication option and have the availability of additional security features such as geolocation and a limited operation time.
Of the MFA options presented, Security Keys are one of the more attractive and the one we at CLARK prefer.
Don't Get Negligent on Passwords
“I have Two-Factor Authentication on my account, I don’t need a strong password anymore.”
No. No. No. Please don’t fall into this trap.
MFA will help keep you safe if your username and password get compromised, but that doesn’t mean it’s foolproof. Utilizing stolen credentials, hackers could use your information to reset or disable the MFA feature on the account. In addition, as often as security professionals preach not to use the same password for multiple accounts, people still do it. If you’re one of those people and you use that password on accounts that do not have MFA, they are immediately vulnerable.
Remember, Multi-Factor Authentication enhances your password security, it doesn’t replace it.
Director of Cybersecurity and Marketing
I’ve always had a love of working with technology, being fortunate enough to have grown up with a grandfather who taught me how to fix things for myself and not be afraid to jump in and get my hands dirty. Over the last three decades, I’ve worked as a technician, trainer, technical writer, and manager in small businesses, enterprise organizations, and government. In addition, I’m an author, having published multiple works available online and in print. You can find my creative work at https://WritingDistracted.com