Clark Computer Services

Let's Talk About MFA
(Multi-Factor Authentication)

Chuck's Cyber Wall

Some of us are very familiar with MFA (Multi-Factor Authentication). It is a method of security that requires a factor in addition to a password to complete a login. As if having a strong password is not enough, now we’re being asked to use an authenticator or have codes texted, emailed, and phoned to us, or worse – having to carry around a small USB device, as a secondary form of identification.

Why is this necessary? 

Well, because using MFA virtually eliminates the threat of credential theft. Please, read that line again. Seriously, it’s true. No single technology in the past two decades has provided as much credential security as MFA. If you are not currently using it on any account with access to your personal and financial information, you are putting yourself at risk.

How MFA Works

The vast majority of Phishing attacks attempt to steal your credentials.

Since Google started requiring MFA for its 85,000+ employees in 2016, they have not experienced a successful credential Phishing scheme. There are so many Phishing scams going on right now that cyber security officials have reached a point where they need to be careful about which scams they reveal to the public, in order to avoid making people numb to the threat. We are all preaching awareness, but as the threats continue to grow and get more complex, we’re seeing people throw their hands in the air and give up.

Instead of becoming more vigilant, they begin to turn a blind eye to it.


This is how hackers win. The collective WE can’t let that happen because these hackers ruin lives, and MFA is a great way to turn the tables on them.

As the name implies, Multi-Factor Authentication adds a requirement beyond a password in order to gain access to accounts, websites, email, etc. This secondary verification requirement means that even if a hacker manages to get your user name and password, they still can’t gain access to your accounts. Utilizing this one security protocol nullifies the success rate of the most often employed Phishing threat.


Can it be a little inconvenient? Yes.

I use three different MFA authenticators for 11 business apps, such as Office 365, website administration, and VOIP service, and for 17 personal apps, including email, banking, and social media like Facebook, Instagram, and Twitter. Every time I log in from a new device – or after 30 days – I am required to re-authenticate with my password and a one-time code provided by the authenticator.

Sure, I resisted at first, complaining that it slowed me down. But does it really?

It takes as much time to access the authenticator and type in that one-time passcode as to open Facebook and respond to a meme with a laughing emoticon. The inconvenience is slight, at best, and when compared to the benefit MFA offers, it is absolutely worthwhile.

Types of MFA

Up at the top, I mentioned a variety of ways 2FA could be used. The reason there are so many options is to find a method that appeals to the greatest number of people. Whether you are tech savvy or use technology only when you must, there is a method of 2FA for you.

Authenticators

  • Microsoft Authenticator – free, easy to use, and works for almost every app out there, and offers push notifications
  • Google Authenticator – also free and works with almost every app and has iOS support, but the initial setup can be tricky
  • TOTP Authenticator – free and really basic, but offers cross-platform support for iOS and Android and cloud syncing
  • SAASPASS – an authenticator with a lot of options and works on virtually every platform available from Android to iOS to Blackberry to Windows
  • 2FA Authenticator – free and very basic app without a lot of customization, its simplicity makes it a popular choice
  • LastPass Authenticator – free, lots of features – including push notifications, and integrates with LastPass Password Manager
  • Duo Mobile – in addition to the popular apps, this one supports a lot of third party apps that others don’t, and includes its own push notifications
  • Authy – free and works similarly to Microsoft and Google, and offers push notification and device syncing so you can have it on your phone and tablet

There are others, but these are the most popular and best rated.

We would be remiss not to mention that authenticators have some vulnerabilities related to the smart phones themselves:

  • A smart phone that doesn’t have some type of lock security feature leaves the authenticator vulnerable
  • Smart phones can be SIM cloned – meaning a hacker can make an exact copy of it, including the authenticator
  • If the battery dies, the phone breaks, or it is lost, the authenticator will be inaccessible

One last note about Authenticators: during setup, you are given the option of scanning a QR code with your phone’s camera or entering a code manually. We recommend that you always enter the code manually. Although not quite as simple, you only need to enter the code once to set up the app, and the QR code could include additional permissions to your phone that are not necessary for the authenticator to function.
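For readers who want to see what sits behind the six-digit code an authenticator app shows, here is an added example; it is not part of the original article and not code from any of the apps listed above. The setup QR code is a rendering of an `otpauth://totp/...` URI that carries the shared secret in base32 along with the account label, issuer, digit count and time step; the manual-entry code is that same base32 secret. The Go program below parses such a URI, computes the RFC 6238 time-based code (HMAC-SHA1 over the current 30-second step, dynamically truncated), and verifies a submitted code the way a server would: one step of clock drift either side is accepted, the comparison is constant-time, and the matching step is returned so the same code can be refused a second time. The URI, account label and issuer are constructed sample values; the secret is the RFC 6238 test key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// OTPParams is what an authenticator app keeps after setup, whether the secret
// arrived by scanning the QR code or by typing the base32 string in by hand.
type OTPParams struct {
	Label  string
	Issuer string
	Secret []byte // shared secret, decoded from base32
	Digits int
	Period int64 // seconds per time step
}

// ParseOTPAuthURI decodes an otpauth://totp/... URI, the text a setup QR code encodes.
// Only TOTP with HMAC-SHA1 (the defaults nearly every service uses) is accepted.
func ParseOTPAuthURI(raw string) (OTPParams, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return OTPParams{}, err
	}
	if u.Scheme != "otpauth" || u.Host != "totp" {
		return OTPParams{}, errors.New("not a TOTP otpauth URI")
	}
	q := u.Query()
	if alg := strings.ToUpper(q.Get("algorithm")); alg != "" && alg != "SHA1" {
		return OTPParams{}, fmt.Errorf("unsupported algorithm %q", alg)
	}
	// Base32 secrets are case-insensitive and may be shown with or without "=" padding.
	enc := base32.StdEncoding.WithPadding(base32.NoPadding)
	secret, err := enc.DecodeString(strings.ToUpper(strings.TrimRight(q.Get("secret"), "=")))
	if err != nil || len(secret) == 0 {
		return OTPParams{}, fmt.Errorf("bad or empty secret: %v", err)
	}
	p := OTPParams{Label: strings.TrimPrefix(u.Path, "/"), Issuer: q.Get("issuer"), Secret: secret, Digits: 6, Period: 30}
	if d := q.Get("digits"); d != "" {
		if p.Digits, err = strconv.Atoi(d); err != nil || p.Digits < 6 || p.Digits > 8 {
			return OTPParams{}, fmt.Errorf("bad digits %q", d)
		}
	}
	if per := q.Get("period"); per != "" {
		if p.Period, err = strconv.ParseInt(per, 10, 64); err != nil || p.Period <= 0 {
			return OTPParams{}, fmt.Errorf("bad period %q", per)
		}
	}
	return p, nil
}

// TOTP is RFC 6238: HMAC-SHA1 over the 8-byte big-endian time step, dynamically
// truncated to a 31-bit integer and reduced to the requested number of digits.
func TOTP(secret []byte, unixTime, period int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/period))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// Verify is the server side: accept the current step or one step either side to absorb
// clock drift, compare in constant time, and return the matching step so the caller
// can record it and reject the same code if it is submitted again.
func Verify(p OTPParams, submitted string, now int64) (ok bool, step int64) {
	for _, skew := range []int64{0, -1, 1} {
		t := now + skew*p.Period
		if hmac.Equal([]byte(TOTP(p.Secret, t, p.Period, p.Digits)), []byte(submitted)) {
			return true, t / p.Period
		}
	}
	return false, 0
}

func main() {
	// Constructed sample URI; the secret is the RFC 6238 test key "12345678901234567890".
	p, err := ParseOTPAuthURI("otpauth://totp/Example:alice@example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")
	if err != nil {
		panic(err)
	}
	now := time.Now().Unix()
	code := TOTP(p.Secret, now, p.Period, p.Digits)
	ok, step := Verify(p, code, now)
	fmt.Printf("%s (%s): code %s valid=%v step=%d\n", p.Label, p.Issuer, code, ok, step)
}
```

Two things the code makes visible that the setup screen does not: everything the app needs is the one shared secret, so whoever holds a copy of it (a backup, a screenshot of the QR code) can produce the same codes, and on the verifying side the accepted window should be kept small and each step recorded once, otherwise a code captured in transit remains usable for the rest of the step.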

Biometrics

When it comes to authenticating to an account, there are four different security methods:

  • Something you know – like a password
  • Something you have – like an authenticator
  • Something you are – like finger prints, facial recognition, and iris scans – also known as Biometrics
  • Somewhere you are – we’ll discuss this in Tokens

A few years back, biometrics were hailed as the next evolution in cybersecurity. That excitement waned after the initial technologies contained flaws that were greatly exaggerated in movies and on TV. For this and many other reasons, people have been less than willing to embrace it. As the technology has improved, with people using fingerprint readers and facial recognition on smart phones, biometrics has become a standard security protocol.

Biometrics makes it possible to potentially use more than two security methods without causing more inconvenience, likely making it the next evolution in cyber security. It’s just going to come at us a little more slowly to allow us all to adapt to and better understand the technology.

Call Codes

Don’t have a smart phone? Or don’t want to install an app on the one you have?

The majority of programs and websites that support MFA will allow you to provide them with a trusted phone number, which they will call to give you a passcode. You may provide either a mobile phone number or one from a dedicated landline or VOIP service, like your office phone.

The only negatives here are that the phone must be available to you in an area with service, and if you need to have that phone number changed, it can be very labor intensive and time consuming. MFA companies are going to err on the side of caution and make absolutely certain the person requesting the change is the actual account holder. To be honest, this is true of any change to an MFA system; it just so happens that phone numbers are more apt to require these types of changes.

Also, when using call codes, people often write them down. You may think that because it’s a one-use code, writing it down is not an issue, right?


No.

Every cyber security expert in the world recommends never writing anything security-related down, and people who get used to writing down security codes will write down other important security information. So, if you are going to use call codes, whenever possible type them in while on the phone – you can ask for the code to be repeated as many times as you need.


Text Code

While none of these MFA methods are completely secure, passcodes received via text messaging or SMS (Short Message Service) are the most vulnerable.

Aside from requiring cell service to receive the passcodes, the messaging services that are being used are old and vulnerable to a variety of types of attack. In addition, service providers have easy access to messages in these systems as they are being transmitted between towers and SMS Centers, allowing for the possibility of insider threats that could potentially intercept these messages. Yes, this means that any text message you send from your phone has these vulnerabilities.

The single-use nature of the passcodes mitigates this threat enough that companies offering MFA are not greatly concerned about sending passcodes this way. In this instance, the benefits of MFA far outweigh the potential risks of using Text Codes, but I would still recommend one of the other options listed here.

Tokens

Also referred to as a Disconnected Token, these are simply standalone authenticators. Like those listed above, the job of a Token is to provide you with an encrypted six-digit passcode. After being prompted to provide your user name and password for the program or website you are trying to access, the credential manager will prompt you for the passcode.

After entering the passcode, you’re in.

Although very similar in function, there are a few differences that warrant its own section.

  • As an independent piece of hardware, tokens are not susceptible to SIM cloning (someone making an exact copy of your phone), they work in areas with no cell coverage, and account recovery is tied to a specific serial number, allowing for more secure activation/deactivation
  • Many of them have built-in geolocation, requiring you to be in a specific area for the code to work
    • this is used for the fourth security method – Somewhere you are
  • The security certificates stored on the device can be used to give it a limited operation time, requiring users to turn in old tokens and get new ones, and at the same time allowing administrators to re-evaluate the user’s needs and determine whether the token is still necessary

There is a version of these called a Software Token, which is installed onto a digital device such as a mobile phone. They differ from standard authenticators in that they have the capability of geolocation and a limited operation time, but otherwise have the same vulnerabilities as any other authenticator installed on a digital device.

Security Keys

Also referred to as a Connected Token or Universal 2nd Factor (U2F), these are standalone authenticators shaped like a USB drive, with a button on top, that plug into the computer. Unlike other types of authenticators, these don’t generate a code. After being prompted to provide your user name and password for the program or website you are trying to access, you insert the Security Key when the credential manager prompts you for the code, and then press the button on it.

That’s it, you’re in.

Easy to use, with all of the benefits of being an independent piece of hardware, Security Keys are growing in popularity because they speed up the secondary authentication step and can offer additional security features such as geolocation and a limited operation time.

Of the MFA options presented, Security Keys are one of the more attractive and the one we at CLARK prefer.
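To show why a Security Key needs no typed code, and why a login captured on one site is of no use on another, here is an added example in Go; it is not part of the original article and not code from any key vendor, and it is a simplified model of the protocol’s shape rather than the real U2F wire format. The key holds one P-256 key pair per origin it was registered at, the browser (not the web page) supplies the origin, and on the button press the key signs the site’s random challenge together with that origin and a counter that only ever increases. The site verifies with the public key it stored at registration and refuses anything signed for a different origin, over a different challenge, or with a counter that did not move forward. The origins, type names and message layout are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SecurityKey models the hardware: one key pair per registered origin and a counter that only increases.
type SecurityKey struct {
	creds   map[string]*ecdsa.PrivateKey // keyed by the origin the browser reported
	counter uint32
}

func NewSecurityKey() *SecurityKey { return &SecurityKey{creds: map[string]*ecdsa.PrivateKey{}} }

// Register creates a fresh P-256 key pair bound to origin; the site keeps the public half.
func (k *SecurityKey) Register(origin string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	k.creds[origin] = priv
	return &priv.PublicKey, nil
}

// Assertion is what the key hands back after the button press.
type Assertion struct {
	Origin    string // origin the browser observed; it is part of the signed data
	Counter   uint32
	Signature []byte // ASN.1-encoded ECDSA signature
}

// signedDigest is computed identically by key and site: SHA-256(SHA-256(origin) || counter || challenge).
func signedDigest(origin string, counter uint32, challenge []byte) []byte {
	oh := sha256.Sum256([]byte(origin))
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	d := sha256.Sum256(append(append(oh[:], c[:]...), challenge...))
	return d[:]
}

// Sign is the button press. The browser, not the page, supplies origin; unknown origins get nothing.
func (k *SecurityKey) Sign(origin string, challenge []byte) (Assertion, error) {
	priv, ok := k.creds[origin]
	if !ok {
		return Assertion{}, fmt.Errorf("no credential registered for %q", origin)
	}
	k.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(origin, k.counter, challenge))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{Origin: origin, Counter: k.counter, Signature: sig}, nil
}

// RelyingParty is the website: the registered public key and the last counter it accepted.
type RelyingParty struct {
	Origin      string
	Pub         *ecdsa.PublicKey
	lastCounter uint32
}

// NewChallenge is the fresh random nonce issued for one login attempt.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	_, err := rand.Read(ch)
	return ch, err
}

// Verify accepts an assertion only if it names this site's origin, its counter moved forward
// (a repeated assertion or a cloned device would not advance it) and the signature covers this challenge.
func (rp *RelyingParty) Verify(challenge []byte, a Assertion) error {
	if a.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: assertion was signed for %q", a.Origin)
	}
	if a.Counter <= rp.lastCounter {
		return errors.New("signature counter did not advance")
	}
	if !ecdsa.VerifyASN1(rp.Pub, signedDigest(a.Origin, a.Counter, challenge), a.Signature) {
		return errors.New("signature does not verify")
	}
	rp.lastCounter = a.Counter
	return nil
}

func main() {
	// Constructed walkthrough: register once, log in once, then present the same assertion again.
	key := NewSecurityKey()
	pub, err := key.Register("https://bank.example")
	if err != nil {
		panic(err)
	}
	rp := &RelyingParty{Origin: "https://bank.example", Pub: pub}
	ch, _ := rp.NewChallenge()
	a, _ := key.Sign("https://bank.example", ch)
	fmt.Println("first login:", rp.Verify(ch, a)) // <nil>
	fmt.Println("repeated:", rp.Verify(ch, a))    // signature counter did not advance
}
```

The contrast with a six-digit code is the point: nothing the user sees or types can be copied to another site, because the origin is inside the signed data and the key will not even answer for an origin it was never registered with, and the counter gives the site a way to notice a repeated assertion or a duplicated device.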

Don't Get Negligent on Passwords

“I have Two-Factor Authentication on my account, I don’t need a strong password anymore.”

No. No. No. Please don’t fall into this trap.


MFA will help keep you safe if your username and password get compromised, but that doesn’t mean it’s foolproof. Utilizing stolen credentials, hackers could use your information to reset or disable the MFA feature on the account. In addition, as often as security professionals preach not to use the same password for multiple accounts, people still do it. If you’re one of those people and you use that password on accounts that do not have MFA, they are immediately vulnerable.

Remember, Multi-Factor Authentication enhances your password security, it doesn’t replace it.
