Get the inside scoop on Multi-Factor Authentication
By: Karl Bickmore, CEO, Snap Tech IT
As businesses take the necessary steps to shore up security in their environments, one tool stands out as a must-have for anyone looking to keep the hackers out: multi-factor authentication. Authentication, in its simplest form, is the process of confirming that someone attempting to enter your environment is who they claim to be. Protecting your IT environment and sensitive data depends on knowing exactly who is trying to gain access.
Here’s a real-life example that illustrates authentication. When you sign into your account on a website, the website must first verify that you are the account’s owner. How do they do this? They ask about something that only you should know, usually the username and password you selected when you first set up the account. Because you set it up, there’s no way someone else could have your password, right?
Not so fast. The fact is that providing the correct login and password to gain access to a resource does not always prove that the person is who they claim to be. In recent years, user credential breaches have become much more common, so there’s a good chance that some of your username and password combinations have already been compromised. As a result, depending on just a login and password to identify someone isn’t a good idea.
Multi-factor authentication comes into play in this situation.
What is Multi-Factor Authentication?
Multi-factor authentication (MFA) is a security approach that requires a user to supply more than one piece of identifying information in order to validate their identity. Multi-factor authentication is most likely something you’ve already seen on some of your favorite websites. When you sign in to your banking account, for example, you may be prompted to input the code that was emailed or texted to you. You can then access your bank account after entering this code. This is MFA in action. Providing a username and password coupled with a code sent to your email is one form of MFA, but there are several other options you have for implementing MFA. Let’s take a look at a few of them.
Types of Multi-Factor Authentication
The category that you use to identify a user is called an authentication factor. In general, these identification methods fall into three authentication factor categories:
Information you know — This could be a password, PIN, personal information like mother’s maiden name, etc.
An item in your possession — A physical item you have, such as a cell phone or a card.
Unique to you as a person — Biometric data. This could be a fingerprint, retina scan, etc.
To effectively implement multi-factor authentication, best practice says you need to cover at least two of these categories.
A common scenario would be requiring a user to sign in with their username and password. This satisfies the “information you know” category. Once the username and password are provided, a text message is sent to the user’s cell phone with a short code. This is known as a one-time password (OTP). This covers the “an item in your possession” category. At that point, the user is required to type this code into the website. If the code is correct, the user is authenticated and is able to access the website.
In this scenario, even if an attacker knows the user’s password, it isn’t enough. They’ll have to also gain access to the user’s phone to provide the one-time password.
In the preceding example, the application issued the user a one-time password (OTP). This is one of the most widely used multi-factor authentication methods. Let’s look at what one-time passwords are in more detail. A one-time password is a pseudo-randomly generated password that expires after a brief amount of time and, as the name implies, is only good for one login. To make the authentication process more secure, one-time passwords are usually used in conjunction with a regular username and password. The one-time password supplied to a user adds a layer of protection on top of their credentials, even if they have a weak or reused password.
There are a few different ways to send one-time passwords to users.
Text Message or SMS — One of the most user-friendly methods for sending one-time passwords is through text message, or SMS. The user enters their username and password into the app, and then receives a text message with their OTP on their phone. The user can quickly copy and paste the code from the text message into the application. While this is more user-friendly than having no MFA at all, it is still not the optimal way to deliver or receive one-time passwords. Believe it or not, delivering an OTP through SMS carries the risk of compromise. Here are some of the ways that an attacker can get to your OTP through SMS:
Social Engineering — An attacker who has gotten their hands on a user’s username and password may also obtain their phone number. Attackers have been known to obtain SMS-delivered one-time passwords by texting the user, claiming that they used to have the same phone number and are locked out of one of their accounts because they failed to update the phone number on file. The attacker then politely asks for the code that was just delivered to the user’s cell phone so that they can “reclaim” their account. Many people want to help the person on the other end, so they send the SMS code along without giving it a second thought.
Email — Another way to receive OTPs is by email. While this provides an additional method of protecting your account, it does have certain drawbacks:
Because of the prevalence of password reuse, it’s possible that a user’s email password is the same as the account requesting the OTP. The extra step of the OTP is worthless if the attacker already has this password.
One of the MFA requirements is that the implemented factors come from at least two of the MFA categories: what you know, what you have, and what you are. The username and password fall into information you already know, while the OTP is for an item in your possession. Ideally, an item in your possession would be your cell phone. Having access to an email account doesn’t necessarily mean that the cell phone is in your possession, as you could access your email from any device.
SIMjacking — An attacker can take over your cell phone number by SIM swapping, also referred to as SIMjacking. This can be done in a number of ways, one of which is by convincing your cell phone provider that they are you, have misplaced the phone, and need a new SIM card activated. The attacker’s SIM card is then activated for your number. If the cell phone company agrees, the attacker will receive all of your text messages, phone calls, and other communications. So, assuming they already know your username and password, all they have to do now is type in the OTP sent to your phone number (which they now control), and they’re in!
Authenticator Apps — A common way to manage OTPs is with authenticator apps. Once you install the app on your cell phone, you enroll each account that supports it, and the app then supplies that account’s one-time passwords. The OTPs typically change every 30 seconds, so instead of waiting for an email or a text message, you simply open the app and you’ll always find a valid OTP there.
There are many authenticator app options; Duo, Authy, and Google Authenticator are three of the most popular. Receiving one-time passwords is a breeze with an authenticator app. Unlike SMS, an attacker cannot gain access to your authenticator app just by knowing your phone number or intercepting your text messages. If someone gains access to your email account, they still won’t be able to steal your one-time passwords.
There are downsides to authenticator apps. Some users may find it a big hassle to download a new app and set up all of their accounts on it to receive one-time passwords, particularly when it’s much easier to enter a phone number instead.
Another challenge is that if you lose your cell phone, regaining access to MFA-enabled accounts can quickly become extremely difficult. Most popular authenticator apps now include built-in safeguards, such as key backups. To enable backups, you must choose a strong password, which is used to encrypt the OTP keys the app holds. If you ever lose your phone, you can download the authenticator app on your new phone and enter that password to decrypt your keys.
Find out if your email address has been part of a password breach
Take a look at the popular website haveibeenpwned.com if you need any more convincing about the importance of multi-factor authentication. The website collects data about password breaches. By typing in your email address, you can check whether it has been involved in any publicly known data breaches. So even if you have a strong password, you’re trusting the websites you visit to keep that password safe, which often doesn’t happen.
While you’re thinking about it, go through your critical accounts and make sure MFA is activated. No one wants to face the consequences of having their credit cards canceled, their money taken, and their passwords reset because their bank account was hacked because of poor credentials. Be sure to stay one step ahead by safeguarding your accounts with the tightest security possible.
Now that you’ve learned a bit about multi-factor authentication, how hackers can get into your systems, and the best ways to manage security, you may be wondering what threats are at work in your environment. Find out what security gaps you currently have so that you can stop the threats in their tracks with a no-cost self-assessment. Tell us what you find. We’re here to help!