Breaking Down Multi-Factor Authentication

What is Multi-Factor Authentication (MFA)?

Multi-Factor Authentication (MFA) allows you to add an additional layer of security to your authentication process. There are two parts to a traditional authentication setup: a username and a password. We generally assume that your username is known to an attacker, since it is the most public piece of information. Many usernames are displayed by default, such as users on forums, or can be derived by combining a target’s first and last names. That means that the password is the first piece of private information by which a user’s identity can be confirmed.

How does MFA work?

MFA adds another piece of private information (another factor) to the authentication process. There are a handful of different secondary security factors:

  • Something you know, such as a password or PIN
  • Something you have, such as a device
  • Something you are, such as biometric information

So, when you enter your username and password, your MFA service prompts you for one of those additional factors. If you do not respond, or provide an incorrect response, it will not allow you to move on. That’s why for many users, MFA just means “another button I have to click to log in.”

How does that make my account more secure?

By requiring you to verify your identity every time you log in, MFA puts another obstacle in the path of an attempted attack. Combining two pieces of information is difficult enough; finding a third makes the task even harder. When the third is also a piece of private information to which no one else has access, it means that every time you log in you prove your identity beyond the ability of most attackers.

Not All Factors Are Equal

The strength of a factor relies on how difficult it is for an attacker to acquire it. The most basic second factors are PINs, passwords and one-time use codes that you know or retrieve. Since they are just information (something you know), all an attacker has to do is learn that information. A device or physical key (something you have) is more difficult to acquire, since the attacker cannot simply learn it. It is still vulnerable to theft or loss though, which makes biometrics (something you are) the most secure factor. While it is still possible for an attacker to overcome biometric security, it is the most difficult type of factor to acquire.

What Are the Weaknesses of MFA?

The goal of improving security is to make a successful attack harder, not impossible. Like any security measure, there are ways in which MFA can be defeated. It is important to keep these potential flaws in mind when utilizing MFA in order to mitigate them and stay as secure as possible.

SMS Hijacking

Many MFA providers use the SMS network to send one-time codes to the customer’s phone on login. The SMS system has several vulnerabilities that a would-be attacker could use to redirect that message to another phone. Attacks can exploit issues with the SS7 network or simply attack the user’s phone company account to change the SIM destination of their phone number. To combat this, switch to a different factor wherever possible and keep a close eye on your cell service to prevent fraud.

Stolen Devices

If your second factor is a physical device, there is a risk associated with losing that device. In some cases, a cell phone will both be a physical factor and store a digital password. This means that if an attacker were to gain root access to the phone, they would have access to the entire account. Using cell phones as a second factor works best for services or accounts that are not directly stored on the phone.

Social Engineering (Phishing)

Even the most secure MFA installation can be breached through phishing attacks. The most common attack uses a fake version of the target website that attempts to trick users into entering their username, password and MFA token. When the login attempt is forwarded to the actual version of the website, the phishing site picks up the user’s session token. This enables the attacker to access the user’s account without the need to have their actual username, password or other factors.

So How Do I Stay Secure?

Education

Keeping users educated on security risks is crucial to maintaining a good security posture. Employees who are less knowledgeable about the basics of virtual security are more vulnerable to social engineering and phishing attacks, which are still the most common threat to large infrastructures. Education that results in more competent users also improves security hygiene and decreases operational costs.

Infrastructure

Make sure your infrastructure has been evaluated for security risks. This may include penetration testing (a “pen test”) or other security services from an accredited security firm. Pen tests will evaluate the overall security posture of a corporation, including the design of its infrastructure and the vulnerability of its users. Most security organizations will include a plan of action with the results of a pen test to improve security and make sure your MFA (or other authentication scheme) is adequately protecting your business.

How Do I Add MFA to My Accounts?

MFA and Personal Accounts

Many popular service accounts allow users to add a second factor to their account (see TwoFactorAuth.org for a list). The most common factors are one-time passwords delivered through SMS, email or authenticator apps. When you add a second factor you will usually receive recovery codes for use if you can’t access your one-time code. These codes should be kept in “cold storage” (a thumb drive or written down in a notebook) in order to make sure you can always access your account. Unfortunately, there isn’t a good way to use MFA with a vendor who does not explicitly support it. That’s why it’s important to keep your primary points of access (such as logging in to your computer) secure as well.
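
The following Python example is added here and is not part of the original article: it shows how a service can check the one-time code from an authenticator app and the single-use recovery codes described above. It assumes the app uses TOTP (RFC 6238, HMAC-SHA1, 30-second steps, 6 digits), which the article does not specify; the `SecondFactor` class and its method names are hypothetical.

```python
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per time step (RFC 6238 default; assumed)
DIGITS = 6   # code length shown by most authenticator apps (assumed)


def totp(secret, counter):
    """One-time code (RFC 4226 HOTP) for a single time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class SecondFactor:
    """Per-user second-factor state (hypothetical server-side record)."""

    def __init__(self, secret, recovery_codes):
        self.secret = secret
        self.last_counter = -1                       # newest time step already used
        # Keep only hashes so a database leak does not expose usable codes.
        # Assumes recovery codes are long random strings, not user-chosen.
        self.recovery = {hashlib.sha256(c.encode()).hexdigest()
                         for c in recovery_codes}

    def check_code(self, code, now=None, drift=1):
        """Accept a code within +/- drift steps, and only once per step."""
        current = int((time.time() if now is None else now) // STEP)
        for counter in range(current - drift, current + drift + 1):
            if counter <= self.last_counter:
                continue                             # replayed or stale code
            expected = totp(self.secret, counter).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.last_counter = counter
                return True
        return False

    def check_recovery(self, code):
        """Recovery codes are single-use: discard the hash once redeemed."""
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self.recovery:
            self.recovery.remove(digest)
            return True
        return False
```

Rejecting a code whose time step has already been accepted means a code observed during one login cannot be replayed inside the same 30-second window.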

MFA and Business Accounts

Your options for MFA improve for business accounts since your company has full control over your environment. Microsoft Server supports RADIUS authentication, which administrators can configure to use an MFA server. Services such as Duo MFA provide a central point of management for your domain’s authentication. It is also possible to enforce policies for physical or biometric factors.

MFA and Green Cloud

Green Cloud enforces mandatory MFA on the Partner Portal. We support SMS, E-mail and Domain authentication for both Microsoft AD and Google Domains. Beyond that, there are various ways Green Cloud services can be configured to implement MFA, such as using a SAML Active Directory provider to authenticate logins to vCloud Director. DaaS also supports the use of RADIUS authentication.

Bottom Line: Is MFA Worth the Trouble?

Resoundingly, yes. MFA is a more secure way to authenticate users, and it is widely supported on a variety of platforms. While it has its weaknesses, even when implemented by itself it solves many issues associated with password-only authentication. Supplemented by a properly designed infrastructure and user education, MFA is a great tool to improve security posture.

