With the theft of personal information, identities, and financial data on the rise, a not-so-new technology can go a long way toward thwarting hackers. Multi-factor authentication (MFA), sometimes referred to as two-factor authentication (2FA), is a tool that’s readily available from most online service providers and financial institutions. Unfortunately, it may not be turned on by default. As such, users may be leaving themselves more vulnerable than necessary.
A multitude of vendors and technical solutions qualify as MFA by the most basic of definitions. In its simplest form, multi-factor authentication is the use of some mechanism in addition to a simple username and password as part of the login process. It often involves the use of a physical token or a secondary device such as a cell phone to generate a code that is entered after the username and password have been verified. This is where the term two-factor comes from, referring to the second component required for login.
For a basic introduction, let’s consider two of the most common MFA solutions commercially available: phone or text factor and authenticator applications. A future post will take a deeper dive into the technical complexities, strength of security and general merits of the various MFA solutions. Let’s explore the similarities and differences between these two solutions and the benefits of each.
For starters, both solutions add a second factor, or a speed bump, to the login process. Although users might think this extra step is time consuming, so do the bad guys. That’s exactly why it’s so valuable. When enabled, it requires a threat actor to acquire a username and password and to have compromised your second factor. A thief may be able to convince you to enter a username and password through phishing or other nefarious means, or even steal your information from a service provider as part of a larger data breach. But it’s unlikely they will also compromise your phone or crack your authenticator app at the same time. The delay this imposes can provide ample opportunity to change passwords and eliminate the threat before a compromise occurs.
A mobile device, landline, or email account can serve as the simplest form of MFA. When enabled, the service or institution being accessed will send a text message, email, or even place a phone call to a secondary device that was previously designated. This message will contain a multi-digit code. This exact code must be entered within a short amount of time to complete the login process. If the code is entered incorrectly or not entered within the designated time window, the authentication fails and access to the service is denied. If this happens enough times, the account may become locked. This mechanism also provides an early warning if a hacker is trying to access your account: if you ever receive an MFA code that you didn’t request, use this as a clue to immediately change the password for the service that sent the code.
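The server side of the flow just described (a short-lived code, a time window, a failure counter that locks the account) looks roughly like the following. This is an added illustration, not code from the original post or from any particular provider; the account names, the five-minute lifetime and the five-attempt lockout threshold are constructed assumptions, and the "delivery" step is reduced to returning the code so the logic can run offline.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300      # assumption: code must be used within five minutes
MAX_FAILED_ATTEMPTS = 5     # assumption: lock the account after five bad codes


@dataclass
class PendingCode:
    code: str
    expires_at: float
    failed_attempts: int = 0


class DeliveredCodeVerifier:
    """Server-side half of an SMS / e-mail / voice-call code flow (illustrative)."""

    def __init__(self):
        self.pending = {}   # account -> PendingCode awaiting entry
        self.locked = set() # accounts locked after too many failures

    def issue_code(self, account, now=None):
        """Generate a fresh 6-digit code and remember it with its expiry.

        A real service would send the code to the designated phone or
        e-mail address here; this example simply returns it.
        """
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded
        self.pending[account] = PendingCode(code, now + CODE_TTL_SECONDS)
        return code

    def verify(self, account, submitted, now=None):
        """Check a submitted code. Returns one of:
        'ok', 'wrong', 'expired', 'no_code', 'locked'."""
        now = time.time() if now is None else now
        if account in self.locked:
            return "locked"
        entry = self.pending.get(account)
        if entry is None:
            return "no_code"          # nothing outstanding (never issued, or already used)
        if now > entry.expires_at:
            del self.pending[account]
            return "expired"          # outside the time window: user must request a new code
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(entry.code.encode(), submitted.encode()):
            del self.pending[account] # single use: the same code cannot be replayed
            return "ok"
        entry.failed_attempts += 1
        if entry.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked.add(account)
            del self.pending[account]
            return "locked"
        return "wrong"
```

The two details worth copying are the single-use deletion on success (a captured code cannot be replayed) and the failure counter, which turns a guessing attempt into the lockout and early-warning signal the paragraph above describes.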
When using this type of multi-factor authentication, care must be taken in selecting the second factor. For example, selecting a home landline number as the second factor for a business bank account that is usually accessed only from the office might not be a great idea. The second factor won’t be available when needed, and thus would be a poor choice. Also, ensure the second factor is separate from the service being accessed. My favorite examples of epic fails are the multitude of mobile apps that require a code from a text message to access the application. If the threat actor has your phone and can access your mobile apps, they most assuredly can also access text messages, making the second factor irrelevant. This may still be useful in situations where your mobile number has been compromised but not your physical device. That is a sophisticated type of attack and is beyond the scope of this introductory article.
The second type of multi-factor commonly in use today is an authenticator mobile app. Many vendors make these applications and offer them for free, while others charge for their apps, often claiming technical superiority and increased security for the price. Authenticators are all based on a common standard, and thus are interchangeable. It’s not advisable to pay a significant amount of money for a vendor-specific authenticator. Most likely, they are charging for the same free implementation available elsewhere, or they have modified the algorithm in some proprietary way, limiting where and how it can be used. Free authenticators from Microsoft, Google, and others are adequate and comply with industry standards, meaning they can be used with any service requiring an authenticator application.
Authenticators work the same way as phone or text factor solutions, in that a secondary code is provided by the app and must be entered before a time limit expires. The codes constantly rotate, making it extremely unlikely an attacker can guess the code before it changes. These applications require initial setup, usually by entering a complex registration code or by scanning a QR code. This initial setup stores a secret key that is used as part of a mathematical algorithm. When the current date and time are fed into the algorithm and your unique key is applied, a specific set of digits is returned. The digits vary over time, making this value a “one-time password” (OTP), or more specifically a time-based one-time password (TOTP). These apps provide reasonable security for the second factor and are a good choice given the wide range of interchangeable apps to choose from.
For either MFA mechanism, consideration is required for situations where the second factor may not be available. What happens if the mobile phone is lost or stolen or the user is locked out of their email account?
Be sure to read the instructions for the MFA solution recommended (or required) by your application vendor or service provider. Make sure to document how to recover or reset your MFA if the device is lost or stolen. This may require contacting the service provider during regular business hours, making it very inconvenient, and thus extremely important to document the recovery mechanism at the time of setup. Another common solution is to enable secondary or even tertiary MFA options (e.g. a phone, an email, and an authenticator app). When one device is not available, an alternate can be used. A third option is the use of previously generated backup codes. These are great single-use solutions to account for the broken mobile device or the authenticator app that didn’t get migrated after the new phone upgrade. The caveat here is that these codes, if allowed by the provider, are static and remain valid until used. Thus, they must be stored very securely to prevent them from being compromised.
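The long-lived, static nature of backup codes is exactly why a well-designed service never stores them in the clear: it keeps only a salted hash of each code and deletes that hash the moment the code is redeemed. The sketch below is an added example of that pattern (not code from the original post or from any provider); the code length, the alphabet that avoids look-alike characters, and the PBKDF2 iteration count are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: alphabet without 0/o, 1/l/i so codes printed on paper are not misread.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
PBKDF2_ITERATIONS = 50_000   # assumption: slow enough to blunt offline guessing


def _normalize(code: str) -> str:
    """Users type codes with or without the dash, in any case: compare canonically."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def _digest(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, PBKDF2_ITERATIONS)


class BackupCodeStore:
    """Server-side store of one account's backup codes: hashes only, each usable once."""

    def __init__(self):
        self._salt = secrets.token_bytes(16)
        self._unused = set()          # digests of codes not yet redeemed

    def issue(self, count: int = 10, length: int = 10) -> list[str]:
        """Create a fresh set, replacing any previous one. The plaintext list is
        returned so it can be shown to the user exactly once; only digests are kept."""
        self._unused.clear()
        plaintext = []
        for _ in range(count):
            raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
            half = length // 2
            plaintext.append(f"{raw[:half]}-{raw[half:]}")
            self._unused.add(_digest(raw, self._salt))
        return plaintext

    def redeem(self, submitted: str) -> bool:
        """Accept a code once; a second use of the same code is rejected."""
        digest = _digest(submitted, self._salt)
        for stored in self._unused:
            if hmac.compare_digest(stored, digest):
                self._unused.remove(stored)   # single use
                return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    store = BackupCodeStore()
    codes = store.issue()
    print("Print or save these now; they will not be shown again:")
    for c in codes:
        print(" ", c)
```

The design mirrors password storage rather than TOTP: because a backup code never changes, a database leak would otherwise hand an attacker a permanent second factor, so each code is hashed with a salt and work factor and is destroyed on first use. Offering to regenerate the whole set (which `issue` does) is the right answer when a user suspects the printed list has been exposed.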
In conclusion, basic multi-factor authentication is a simple way to add additional protection against accounts being compromised. Unfortunately, this often requires the user to find and enable the setting themselves within a service provider’s complex configuration menus. It is also completely dependent on choices made by the service provider (i.e. which type of MFA to support). But with a little care and thoughtfulness up front, enabling MFA might just prevent your accounts from getting compromised.