Multifactor Authentication, or MFA, is an extra layer of security used to protect your online accounts. It requires you to provide at least one additional method of authentication on top of your username and password. These additional methods can include a one-time code sent to your phone or email, a call or text to a registered phone number, or an “Approve” prompt on a device you own. In this blog post, we will discuss what MFA is, how it works, how effective it is, what its most common cyber threats are, and which best practices help protect against them.
What is MFA?
MFA, or Multifactor Authentication, is the process by which you are granted access to a system only after successfully presenting, in addition to your username and password, one or more further factors of authentication. These additional factors can include a one-time code sent to your phone or email, an “Approve” prompt to accept, or a physical security key. MFA is used as an extra layer of security for online accounts, such as email, social media, or banking.
MFA makes life very difficult for attackers: even if they have compromised your password, they must also compromise every additional factor you have chosen. The difference in terminology is simple: MFA, or Multifactor Authentication, requires at least two factors of authentication, whereas 2FA, or two-factor authentication, requires exactly two.
How does MFA work?
The additional authentication step (or steps) required to access your online accounts can be one or more of the following:
- A one-time code generated by an app on your phone, which you enter when prompted after entering your username and password.
- A call or text message (SMS) with a one-time code, which you enter when prompted after entering your username and password.
- An email with a one-time code, which you enter when prompted after entering your username and password.
- An “Approve” notification received on your phone.
- A physical security key plugged into your device.
These are the most common methods, but MFA can also come in the form of a software token: a randomly generated code that changes every 30-60 seconds. Tokens are often provided as part of a password or token manager application.
How effective is MFA?
In a 2019 article, Microsoft stated that turning on MFA for your online accounts could block 99.99% of automated attacks, and that MFA is “the best thing you can do to secure your accounts” after using a strong password. The reason is that MFA makes it very difficult for attackers to gain access to your online accounts even when they have your password, because they would also need to compromise your chosen second or additional factors of authentication.
However, in its 2020 Data Breach Investigations Report, Verizon found that MFA, while still an effective security measure, is not used as often as it should be. The report found that password-related breaches accounted for 77% of all cloud account breaches, citing the use and reuse of weak passwords as the main cause. This is exactly the gap that MFA can help close.
Research published on the Google Security Blog in 2019 showed that merely adding a recovery phone number to a Google account blocked up to 100% of automated attacks, 99% of bulk phishing attacks, and 66% of targeted attacks observed during the study. The research also revealed that none of the users who relied solely on a security key had their account compromised through a phishing attack, showing that a security key as part of MFA may be the strongest protection against phishing.
What are MFA’s most common cyber threats?
SIM card swap
A SIM card swap attack is a type of account takeover in which an attacker, after obtaining some of your sensitive personal information through other attacks or by purchasing it on the Dark Web, uses social engineering to convince your mobile service provider to reroute your phone number (calls and text messages) to a SIM card in a smartphone under their control. The attacker then receives your text messages, including any MFA codes, and uses them to access the targeted accounts. In 2018, an AT&T SIM-swap attack resulted in the loss of over $24 million worth of cryptocurrency from various accounts.
Website manipulation
Website manipulation occurs when an improperly designed website allows an attacker to bypass the login pages and MFA prompts and directly access the user’s account. This is done by manipulating the website’s URL or by taking advantage of a vulnerability in the website’s code, such as Cross-Site Scripting (XSS) or session hijacking. This technique was used in the 2017 Dropbox breach, in which over 68 million user accounts were compromised.
Social engineering
This type of threat occurs when an attacker uses deception to trick targeted users into revealing confidential information or granting access to systems. MFA can be bypassed if the attacker successfully social engineers their way around it, for example by calling the victim while pretending to be from customer service and asking for their verification code. Social engineering attacks are often successful because they exploit human weaknesses rather than technical vulnerabilities.
What best practices can help protect against MFA threats?
Besides our suggested top password security best practices, here are some MFA best practices that can help protect against MFA threats:
Implement MFA across the enterprise
Make MFA mandatory for all employees, rather than just those in sensitive positions. MFA should be implemented for email, social media, cloud storage, and any other accounts that contain sensitive information. Some basic employee training on MFA can help implement it more effectively. In addition, MFA can be enforced through technical controls such as Single Sign-On (SSO) policies, which allow a user to log in with a single ID to several related but independent systems.
Choose strong MFA methods
There are many MFA methods available, ranging from something you know (e.g., a password or PIN), to something you have (e.g., a security key or smartphone), to something you are (e.g., a fingerprint or iris scan). The strongest MFA methods are those that use two or more factor types, such as a password and security key. Other strong MFA methods can include biometrics, USB tokens, or smart cards.
Use MFA for high-risk accounts
Ensuring MFA is used on all of your accounts is good practice, but making sure that less tech-savvy members, especially those in top management positions, use MFA for their high-risk accounts is even better. MFA is an important defense against account takeovers, which can lead to identity theft, financial loss, and damage to your reputation.
MFA is a great security measure in itself to help protect your online accounts from cyber threats. But any technology alone is not enough to keep your systems and data secure. Your MFA security effort should be part of a layered security approach, including other security measures, such as strong password policies and employee cybersecurity awareness training. To keep MFA as secure as it can be, you also need to review your MFA best practices to stay ahead of the latest threats. To that end, regular penetration testing of your systems for MFA attacks and other sophisticated attacks will help you maintain a well-balanced, business-driven, and mature cybersecurity approach.
Contact us if you need help improving your enterprise security.