Not All MFA Is Created Equal!
Every security person you hear these days is extolling the virtues of multifactor authentication - or MFA. And MFA is definitely important. After all, with MFA, if someone gets your username and password, they still don't have enough information to get into your account. But what's less frequently discussed is that the various MFA types are not created equal. We'll cover the three most common types of MFA, not so much in the context of good/better/best, but more of avoid/OK/best.
SMS - AVOID
One of the first attempts at MFA was using SMS text messaging. That is, when you log into a site, the site sends you a code via a text message, and you enter the code on the site to complete the login. The problem with this is that text messaging is pretty insecure. Just google "sms MFA not secure" and you'll find tons of stories about how easy it is to compromise SMS messaging to access the MFA codes (and the rest of your texts). Consider this option to be only a tiny bit better than not having MFA at all.
Notifications - Just OK
Another common method for the additional factor of authentication is to set up an authenticator app on your phone. When you enter your username and password on a website, the site sends a signal to the app on your phone prompting you to approve or deny the login attempt. Your phone then sends a signal back to the website with your choice, and the website allows or prevents the login from going forward. This is definitely a step up from SMS: the communication between the website and your phone is secure. But it's the process that's the problem, because it ignores human nature. We've become so conditioned to clicking on the first thing that makes a dialog box go away that we may not be making good security choices. And even if we are vigilant, MFA fatigue is very real. Indeed, Uber was breached last year by someone who bought an Uber IT worker's username and login info on the dark web and then tricked the worker into approving a login. How many times would you have to be prompted to approve a sign-in request before you finally just gave up and let it go? Better than SMS? Absolutely. But definitely susceptible to the weakest link in the security chain - humans.
One-Time Passcodes - MUCH Better
Set up similarly to Notifications, temporary one-time passcodes - or TOTP - use an authenticator app on your phone. But instead of the website sending you a request to approve the sign-in, TOTP uses a rotating 6-digit code. These codes change every 30 seconds and are kept in sync between the authenticator app and the website. So when you log into the website, you need to enter your username, your password - and the rotating 6-digit code from your authenticator app. While I can't say that anything is fool-proof, TOTP presents a much better security option than Notifications or SMS.
Coming Soon - Passkeys
In early 2022, Apple, Google, and Microsoft joined with the FIDO Alliance to work on removing passwords altogether for user authentication. In June, Apple announced their implementation of this standard, called Passkey. Passkeys will be supported on macOS Ventura, iOS 16, and iPadOS 16. It's still very early days, but this is something we'll definitely be keeping our eye on.
1 year ago: Mike, thanks for sharing!