Secur-ish: The Continuing Evolution of MFA


Passwords are for sale – everywhere.

They are notoriously easy to guess, to steal with malware, or to phish in a variety of ways. Passwords are meant to serve as a wall protecting your data and privacy, but they are a low wall. Passwords – no matter how fancy you make them – are not enough. Adding complexity to your passwords, not reusing them, and using longer passphrases give you only a slight advantage over the vast majority of users who do not take those measures: attackers will always go after the low-hanging fruit first. The fundamental problem with passwords is that they are “shared secrets” that reside on a device and on a server – both of which can be compromised. If you are using only passwords to protect your data, you are at risk. What are your options? Enter: Multi-Factor Authentication (MFA)!

Multi-Factor Authentication (MFA) is a security feature offered by many websites, applications, and devices that dramatically improves account security by requiring multiple pieces of evidence (your credentials) when logging into an account. There are three main categories of credentials: something you know, like a password or PIN; something you have, like a security token, a verification text, call, or email; and something you are, like your fingerprint, your voice, or your face. Using our wall metaphor again, MFA is like having a second and third very high, slick wall. All good, right? Safe and secure! Or maybe not…

Some MFA relies on voice calls or SMS (texting), and that poses a risk. When the SMS and voice protocols were designed, they were designed without encryption. Phone companies are not the best at security, and on most carriers you can access your voicemail remotely. That voicemail is protected by only a four-digit PIN – a cakewalk for any hacker.

MFA attacks are rare, but as the technology becomes more ubiquitous and required in many verticals, attackers will adjust their strategies to overcome it. In this case, the low-hanging fruit in the MFA world is SMS texts and voice credentialing. These are exceptionally easy to phish: with some basic information about the individual, an attacker can get the PIN changed. As for SMS messages, there is no way to limit delivery to just your device. Apple and Android devices even have features that let you view your texts on your computer or tablet. Your phone number can be “copied” as well, so someone else might be capable of seeing your “secure” text!

As an example, your bank may send you an authentication text that you receive on your mobile phone. Signals sent over a phone network, or within radio range of your device, can be intercepted. And now that “secure” text is no longer secure! A bad actor who is targeting you can crack your password, gain access to the code, and then gain access to your bank account.

All is lost! Give up! Or…

Authenticator Apps vs. SMS and Voice Multi-Factor Authentication (MFA) Mechanisms

This kind of intrusion can be avoided by using an app-based authenticator like Microsoft Authenticator or Google Authenticator. The codes are generated in the app itself – not sent over a network where they can be observed and intercepted. The apps are easy to use, so executives who fear poor adoption rates among employees need not be concerned: the time it takes to authenticate is less than two seconds, and it does not require expensive or cumbersome devices. For some work environments, hardware devices may be desired; they are available as a card or a “key” you insert.

The bare minimum in tech security is no longer passwords, but rather Multi-Factor Authentication. While no protocol or app is 100% secure, MFA, when used in concert with security policies and processes, firewalls, and staff training, is an integral part of securing your organization. No organization should be operating without MFA – just be certain you use it in its most secure form.