Multi-Factor Authentication: One Security Control you can’t go Without!

You arrive at work Monday morning after a long weekend to find this email in your inbox.

Only one (big) problem: you didn’t sign in to your account over the weekend. You’ve been breached!

While it’s not possible to 100% prevent email security compromises, it is possible to drastically reduce their likelihood. 

There are three universal cybersecurity controls that should be in place at all businesses. Two of them are tech tools that can and should be used on personal accounts too. 

  1. Cybersecurity Training
  2. Password Manager
  3. Multi-Factor Authentication 

We’ve covered password managers a couple of times before. Today, we’ll take a quick dive into multi-factor authentication.

What is Multi-Factor Authentication?

Multi-factor authentication, frequently referred to as MFA, is a security control that requires users to provide a second form of authentication when logging into a device.

The first authentication method is typically a traditional password. The user enters it first (hopefully with a password manager!) and is then prompted to enter a one-time password as the second authentication factor. 

This password can be delivered in a number of ways. The most common way is a text (SMS) message. It can also be sent via an email or through an authenticator app.

This additional layer of authentication helps to stop an attacker from accessing the account even if the first password is compromised. Access is only granted when both passwords are entered, and the second password is generated and sent to the device of the account holder. 

Depending on the method, this usually has the added benefit of immediately notifying the user of an unauthorized sign-in attempt, allowing them to take action to resecure their account.

Microsoft tracks hundreds of millions of malicious login attempts daily and has scored MFA as 99.9% effective.

MFA is not infallible. It can be compromised, and some methods are less secure than others.

SMS, the most widely used form of MFA, is actually the least secure method of MFA available thanks to security issues inherent in the telephone network. 

Text (SMS) Multi-Factor Authentication vs Other Methods

SMS is the most popular MFA method since it’s easy to enable and start using. It’s widely supported by a large number of companies (though not all; Disney+ is a notable exception) and convenient to use. Modern smartphones can recognize an MFA text and allow you to copy your one-time password for easy use.

The problem with SMS is that it’s transmitted in cleartext and can be easily intercepted by determined attackers. SMS-based one-time codes are also phishable via open source and readily available phishing tools.

Further, phone network employees can be tricked into transferring phone numbers to a threat actor’s SIM card, allowing attackers to receive MFA one-time codes on behalf of their victims.

Want proof that this can happen? Reddit had a serious security incident in 2018 where the primary vector of attack was SMS intercept. 

“On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”
– Chris Slowe, Reddit CTO

This is not to say that SMS MFA is awful and you should never use it. If SMS is the only form of MFA available for an account, you should definitely be using it. A worse version of MFA is significantly better than no MFA! 

You should learn from others’ mistakes though, and use a more secure form of MFA if one is available to you.  

Alternatives to Text (SMS) Multi-Factor Authentication

Authenticator Apps

Phone-based authenticator apps generate time-based codes that rotate constantly within the app. The codes generated in the app are tied to the device itself rather than your online identity. When you log in to an account, you open up the application to access the code.

Authenticator apps themselves are not password protected, but cell phones should be locked down with a password and biometrics. In order to gain access to your account, an attacker would need to get the password to the account, take possession of your cell phone, crack the cell phone, and open the authenticator app. This is a much bigger task than just cracking a password and intercepting SMS!

There are a plethora of authenticator apps available. Some popular ones include Google Authenticator, Authy, LastPass Authenticator, and Microsoft Authenticator. They all have different features that may serve your needs better than others. For example, Authy has a backup feature in case you lose your phone, and LastPass Authenticator integrates with the LastPass password manager.

Security Keys

Security keys are a form of passwordless authentication. Users plug the hardware “keys” into computers like USB drives and then tap them with their finger to authenticate to the application they are trying to access. Hardware keys are only ideal when the user configures their account so that other account recovery options are not available at login.

Should you use SMS or App-Based Multi-Factor Authentication?

Multi-factor authentication is a universal cybersecurity control that anyone can benefit from. It’s also one of the easiest to implement, both on personal and business accounts. 

Whatever you do, utilize some form of MFA. Some are better than others, but all are better than nothing!

Want to get great cybersecurity content delivered to your inbox? Sign up for our monthly newsletter, Tales from the Click! https://fractionalciso.com/newsletter/

Blane Erwin and Chinmayee Paunikar contributed to this article.

This article originally appeared on the Fractional CISO blog.

Mike Bellamy, MSITMS CISSP

Sr Enterprise Security Architect | Entrepreneur | Veteran

4 years

MFA is the way to go and it will play an important role in the Zero Trust security model.

David das Neves

CEO @shiftavenue

4 years

Excellent article! This should be in the standard repertoire for everyone.

Aaron Bregg

Information Security Analyst - Podcast Host - CloudCon CoFounder

4 years

Love it!

Amen Rob. And there are many options. Find the right solution for you/your company. And the use of many will keep the bad guys guessing.

Lucas S.

Investigator Supreme and Master of the OSINT Arts

4 years

I need to add MFA to my probably annoying periodic password reset reminders I give to my friends and family.
