Introduction
Before we dive into the world of multi-factor authentication (MFA), let’s review the concept of risk management. As discussed in our Risk and threat management article, everyone has a unique threat landscape as well as a unique risk appetite. This is normal and needs to be respected. Your threat landscape dictates what level of security precautions you need to take. While everyone needs to take basic precautions, very few need to take all of them. This is especially true when it comes to multi-factor authentication (MFA). There is a lot of discussion in the industry about banning certain types of MFA because they aren’t sufficiently secure for anything but the most basic precautions. The fact of the matter is that even if a specific type of multi-factor authentication isn’t viable for the most security-conscious among us, it is better than nothing for those who only need the most basic precautions.
Another point worth introducing is that security isn’t about providing 100% guarantees; it is about putting up obstacles that slow the criminal down and hopefully encourage them to go elsewhere. If someone is bound and determined to break in, and they don’t care how much time, effort and money it takes, they will eventually find a way to do just that. In cybersecurity we refer to these types of criminals as advanced persistent threats (APT). These APT groups are well funded, highly skilled, well organized and have nothing but time to accomplish their goal, which is to breach a high-value target. Think of a heist movie, where a team spends months planning a major heist of a bank, a jeweler or an art museum, and gets away with tens of millions of dollars’ worth of loot. These APT groups are often state sponsored and part of an intelligence unit such as the CIA, NSA, Mossad, MI6, etc. Only a very small fraction of the population has an APT in their threat model. The rest of us only have to worry about petty criminals who are lazy and would much rather rob the neighbor who doesn’t lock their door than pick your twice-deadbolted door. There is of course a middle ground, where a sophisticated group that is not quite an APT is after you. As I said, threat modeling is very personalized and comes in more flavors than there are grains of sand.
Multi-Factor Authentication
As discussed above, multi-factor authentication is about creating a hurdle to slow the criminal down. Different forms of multi-factor authentication provide different-sized hurdles, but they all offer a hurdle of some kind. Just because a method is only a low speed bump doesn’t mean it is useless.
What exactly is an authentication factor, and what makes authentication multi-factor? Having multiple passwords isn’t multi-factor, it’s just multi-annoying. Those knowledge-based questions that many think of as authentication do more to weaken your security than enhance it; they are nothing more than prompted passwords with simple and easily crackable answers.
There are three factor types when it comes to authentication, and you need to be using more than one factor type to have multi-factor authentication. Here are the factors:
- Something you know. This is usernames, passwords, PINs, knowledge-based questions, etc. Anything you can memorize and regurgitate.
- Something you have. This revolves around being able to prove you have something that is uniquely yours. ATM cards, CAC cards, YubiKeys, SMS or email authentication and TOTP authenticator apps are all part of this type.
- Something you are. This is also known as biometric authentication. Fingerprint, facial recognition and iris scanners are the most common forms of this factor. Theoretically, how you type or how you walk could also be part of this factor, but there isn’t a common implementation of these.
As we said, for multi-factor authentication you need to be using more than one of these. For example, an ATM card and PIN is something you have plus something you know. Facial recognition with a PIN would be another example. The most popular combination is two things from “something you know” (username and password) plus “something you have”, such as a TOTP authenticator app like Google Authenticator.
All of these have their weaknesses and can be compromised; it all depends on how far the criminal is willing to go. Biometrics can be circumvented Mission Impossible style, where the criminal fakes your fingerprint or iris. If the criminal is willing to abduct you, they can simply force your hand onto the scanner. They could also just steal your iris or your hand. Luckily most criminals aren’t willing to go this far to breach your account, so biometric authentication is fairly secure.
There are a lot of different methods to breach “something you have”, depending on what it is. For SMS-based methods, since all that is needed is your phone number, a criminal can simply redirect the phone number to a different phone and then receive the notifications. This is a fairly common social engineering tactic in the US, called a SIM swap. I don’t know how prevalent it is outside the US. Because of how relatively easy it is to pull off a SIM swap, this method gets a lot of hate from the “elite” cybersecurity personnel who are trying to get it banned. Again, even this provides an additional hurdle over just having a username and password, and not all criminals are willing to make the effort to SIM swap you, so this is better than nothing for many.
TOTP-based authentication like Google Authenticator is very popular as it isn’t vulnerable to SIM swapping. However, getting past this method is commonly done through another form of social engineering, such as phishing, where the user is tricked into revealing the number shown in the app.
Push-based authentication like Microsoft Authenticator or Duo can also be bypassed through social engineering, where the user is tricked into approving the authentication request.
FIDO-based authentication devices like YubiKeys or passkeys are the most secure of the bunch, as they are resistant to social engineering. They have to be plugged in or physically next to the computer attempting to log in in order for them to work. The only way to bypass these is to physically steal them, which is more effort than most criminals want to put into their attack.
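The reason FIDO authenticators resist social engineering is that the browser, not the web page, records which origin the user was on, and the authenticator signs that record along with a fresh server challenge; the relying party then refuses anything signed for another origin. The following is an added example (my own model, not code from the article or from any FIDO implementation) of that relying-party check, simplified from WebAuthn’s clientDataJSON handling. The origin, credential ids and keys are constructed, and an HMAC with a per-credential key stands in for the device’s public-key signature so the example runs offline.

```python
import hashlib
import hmac
import json
import os

RP_ORIGIN = "https://login.example.com"   # assumed relying-party origin

def authenticator_sign(cred_key: bytes, client_data: dict) -> dict:
    """Model of what the browser plus authenticator hand back: the client data the
    browser assembled (it fills in `origin` from the page it is actually on; page
    script cannot alter it) and a signature over the hash of those exact bytes.
    HMAC stands in for the device's private-key signature in this model."""
    encoded = json.dumps(client_data, sort_keys=True).encode()
    sig = hmac.new(cred_key, hashlib.sha256(encoded).digest(), hashlib.sha256).digest()
    return {"client_data": encoded, "signature": sig}

class RelyingParty:
    def __init__(self, origin: str):
        self.origin = origin
        self.credentials = {}   # credential id -> (user, key registered at enrollment)
        self.pending = {}       # challenge -> user; each challenge is single-use

    def register(self, user: str, cred_id: str, cred_key: bytes) -> None:
        self.credentials[cred_id] = (user, cred_key)

    def issue_challenge(self, user: str) -> str:
        challenge = os.urandom(16).hex()
        self.pending[challenge] = user
        return challenge

    def verify_assertion(self, cred_id: str, assertion: dict) -> bool:
        if cred_id not in self.credentials:
            return False
        user, cred_key = self.credentials[cred_id]
        # 1. The signature must cover exactly the client data bytes the browser produced.
        expected = hmac.new(cred_key, hashlib.sha256(assertion["client_data"]).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False
        data = json.loads(assertion["client_data"])
        # 2. Origin binding: a response produced on a look-alike site names that
        #    site's origin, so it fails here even though the signature is valid.
        if data.get("type") != "webauthn.get" or data.get("origin") != self.origin:
            return False
        # 3. The challenge must be one we issued to this user and not yet consumed.
        return self.pending.pop(data.get("challenge"), None) == user
```

Compare this with the TOTP case: there the server receives a bare six-digit code and cannot tell where it was typed, whereas here the origin is part of what is signed and checked.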
Summary
So to summarize: if you enable multi-factor authentication (MFA) or two-factor authentication (2FA) on all your accounts, you raise the effort needed to breach your account above the level most criminals are willing to expend, especially if you use something more secure like a YubiKey or a TOTP authenticator.