Not everyone adopts multi-factor authentication (MFA) to secure their accounts. Many stick with simple username and password combinations despite the weaknesses of this authentication method.
Yet if someone wanted to enable MFA, which option should they use? Each MFA option has its own vulnerabilities and creates some user friction, so IT managers need to select the MFA option that best suits their users and their security concerns.
The Problem with Passwords
Passwords are the most common method of authentication. Unfortunately, most implementations tend to be weakened by poor human habits and old technology standards.
The standard minimum is an eight-character password with complexity, meaning a mix of upper- and lower-case letters, numbers, and special characters. However, brute-force cracking has reached the point where a seven-character complex password can be brute-forced almost immediately and an eight-character one takes only one hour to crack.
As if their crackability weren't bad enough, many attackers already hold the passwords and have no need for brute force. LastPass surveys estimate that 44% of users use the same or similar passwords across accounts despite knowing it is a security risk.
SpyCloud observations found that this reuse is actively exploited: nearly 60% of data breaches in 2020 involved reused passwords, and the figure rose to 76% for breaches involving employees of Fortune 1000 companies.
Using two or more authentication methods becomes two-factor (2FA) or multi-factor authentication. MFA use can be a hassle for users and is not universally adopted.
Microsoft found that only 22% of its Azure Active Directory customers used MFA to secure their accounts in 2020, and only 11% of its enterprise cloud users overall. Of the 1.2 million Microsoft enterprise accounts compromised in an average month, 99.9% did not have MFA enabled.
However, MFA has been widely shown to be effective in dramatically reducing compromise. After Google enabled 2FA automatically for 150 million users and 2 million YouTube creators, it documented a 50% decrease in account compromise.
Authentication can be set up via one of four categories:
- Something you are: Biometrics, such as facial recognition, thumbprint, voiceprint, etc.
- Something you have: A specific device such as a computer, iPad, or phone; a device that generates a code, such as a smart card, ID badge, key, or token device; or an app tied to a device, such as Google Authenticator
- Something you know: Password, passphrase, etc.
- Somewhere you are: IP address or geographic region
Since a username and password is usually one of the factors, adding one or more methods from the other categories supplies the second factor.
In general, each classification of MFA may suffer one of three potential issues:
- Setup difficulties
- Stolen credentials
- Corrupted credentials
Something You Are
Something you are generally uses biometrics. Biometrics continue to increase in adoption, but many web applications and hardware devices do not support biometrics. Setup difficulties typically include the need for specialized software or peripherals, which may have flaws of their own.
Biometrics are the form of authentication most resistant to credential theft; however, they can be vulnerable to involuntary authorization. For example, if a person uses a fingerprint to unlock their phone, an expert hacker in another country cannot easily steal that finger over the internet, but the person's six-year-old child can easily reach it while they sleep.
Biometrics can also be susceptible to corruption due to physical trauma. For example, voice recognition may fail after a user suffers a stroke, or scarring from an accident could cause fingerprint recognition to fail.
Something You Have
Something you have is one of the older forms of MFA and enjoys wide adoption. This category of authentication includes:
- USB peripherals and physical security tokens
- Apps on phones (that prove you have the phone)
- MAC address whitelisting or certificate authentication for authorized hardware
Unfortunately, newer web apps will not support all forms of this authentication due to licensing costs, and sometimes setup will also need to be done on an individual basis, which creates scaling difficulties for larger organizations.
Physical tokens, peripherals, phones, and computers are difficult for hackers to steal through virtual means. However, this difficulty does not eliminate the issues of theft or replication in specific circumstances. For example, someone with physical access can walk away with a USB authenticator, or a hacker can break into a badge administration database and replicate badges.
Something you have also tends to be vulnerable to human error because people regularly forget their keys, badges, or USB token devices. For traveling employees, it is also quite common to leave behind their phone or laptop in taxis, restaurants, hotels, or on airplanes.
Something You Know
Something you know is usually the basic method of a password tied to a user ID. It is the most common and simplest authentication to deploy and, in theory, the least susceptible to theft, since cyberattackers cannot reach into our heads.
In practice, however, people have crowded and forgetful minds, which makes this method easy to corrupt and drives compensating habits that lead to credential theft. As noted above, people often reuse passwords to make them easier to recall, and many others use simple passwords or write them down on paper.
Complex passwords or passphrases of more than 12 characters are not always supported, and many organizations have not adopted password managers to help employees manage their passwords. Additionally, while password encryption is defined as a best practice, many organizations fail to protect stored passwords properly until after they have been breached, so this category will likely remain vulnerable for some time.
Somewhere You Are
Somewhere you are will not always be listed as an option for MFA, but it is possible to whitelist IP addresses or limit access to certain geographic areas. This method has not been widely adopted and will not often be an option available for web apps.
Geographical location cannot be stolen, but it can be spoofed. Malicious attackers can use VPNs to make it appear that their computer is located somewhere else. However, it is much more difficult to spoof an IP address.
While geographic location cannot be corrupted, it can be rendered invalid by travel. IT managers often decline to enable this type of authentication for executives and sales reps who must regularly visit clients. Since IP addresses and geographic itineraries are difficult to obtain in advance, managing somewhere-you-are authentication can become burdensome.
With the rising adoption of MFA, attackers have developed counters. Currently, the most common methods attackers use to obtain MFA credentials from victims are man-in-the-middle attacks and credential-stealing malware.
The weakest link remains the user. People can be tricked into downloading malicious software through phishing or even through malicious apps. These attacks steal MFA codes, authentication certificates, or authentication cookies from browsers to provide access to the attacker instead.
This method can be difficult to counter with technology. Still, the same methods used to educate users about phishing attacks would apply to most scenarios and should be pursued.
Commonly delivered through phishing, the man-in-the-middle (MITM) attacker creates a look-alike resource, such as an email service login page or a phone call from a supposed customer service representative, that seems genuine to the victim. The fake resource duplicates the expected process of the genuine one and passes the entered credentials through to the genuine resource, which triggers the MFA prompt.
Once the MFA prompt reaches the victim, they enter the authentication code into the fake resource, handing it to the attacker. Using the intercepted code, the attacker can then take over the victim's account on the genuine resource.
The most dangerous MITM attack exploits SMS text authentication, commonly used to provide 2FA for checking accounts, brokerage accounts, Gmail, etc. Attackers execute SIM swap attacks to fraudulently redirect the victim's calls and texts to a phone under their control.
Similar MITM or reverse proxy attacks can easily occur with slight modifications for email, apps, or even certificates. Fortunately, this attack can also be countered.
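The relay described above works because a one-time code carries no record of where it was typed, while a phishing-resistant factor such as FIDO2/WebAuthn binds the login to the origin the browser actually visited. The following in-process simulation, added here as an example and not part of the original article, contrasts the two: RFC 6238 TOTP is implemented as specified, but the origin-bound assertion uses an HMAC stand-in (an assumption for brevity) rather than a real public-key signature, and the domains and keys are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code depends only on the secret and the time window."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

def server_accepts_totp(secret: bytes, code: str, unix_time: int) -> bool:
    return hmac.compare_digest(totp(secret, unix_time), code)

def relayed_totp_login(secret: bytes, unix_time: int) -> bool:
    # The victim reads the code from their app and types it into the look-alike page;
    # the proxy forwards it unchanged inside the 30-second window. Nothing in the code
    # records where it was typed, so the genuine server cannot tell and accepts it.
    code_typed_on_fake_page = totp(secret, unix_time)
    return server_accepts_totp(secret, code_typed_on_fake_page, unix_time)

def sign_challenge(key: bytes, challenge: bytes, origin: str) -> str:
    # Stand-in (HMAC, an assumption for brevity) for a FIDO2/WebAuthn assertion: the
    # authenticator signs the server's challenge together with the origin the browser saw.
    return hmac.new(key, challenge + origin.encode(), hashlib.sha256).hexdigest()

def server_accepts_origin_bound(key: bytes, challenge: bytes, expected_origin: str, sig: str) -> bool:
    return hmac.compare_digest(sign_challenge(key, challenge, expected_origin), sig)

def relayed_origin_bound_login(key: bytes, origin_seen_by_victim: str, real_origin: str) -> bool:
    challenge = secrets.token_bytes(16)  # issued by the real server, forwarded by the proxy
    sig = sign_challenge(key, challenge, origin_seen_by_victim)
    # The real server verifies against its own origin; a signature made over the
    # look-alike domain does not verify, so the relayed login fails.
    return server_accepts_origin_bound(key, challenge, real_origin, sig)

if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed demo secret (the RFC 6238 test key)
    print("relayed TOTP accepted:", relayed_totp_login(secret, 1_700_000_000))
    print("relayed origin-bound accepted:",
          relayed_origin_bound_login(secret, "https://login-example.test", "https://login.example.com"))
```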
Microsoft has implemented MTA Strict Transport Security (MTA-STS) support for Exchange Online to counter MITM and downgrade attacks. RADIUS servers can also be used to ensure communication between devices only occurs between pre-authorized devices and pre-authorized servers.
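Of the two counters just named, MTA-STS is the one a mail administrator publishes for their own domain, so here is what that publication looks like. This is an added example for the constructed domain example.com, not Microsoft's Exchange Online settings; the `#` lines are annotations, not part of the records or policy files. A `testing` policy only reports TLS failures, while `enforce` makes sending servers refuse to deliver over a downgraded or unauthenticated connection.

```text
# DNS: announces that a policy exists; change the id whenever the policy file changes
_mta-sts.example.com.    IN TXT "v=STSv1; id=20240101T000000Z"
# Optional companion record so that sending servers report failures back to you
_smtp._tls.example.com.  IN TXT "v=TLSRPTv1; rua=mailto:tls-reports@example.com"

# Weak setting, served at https://mta-sts.example.com/.well-known/mta-sts.txt:
# mismatches are reported, but mail is still delivered over a downgraded connection
version: STSv1
mode: testing
mx: mail.example.com
max_age: 86400

# Corrected policy: enforce mode, every legitimate MX host listed, one-week cache lifetime
version: STSv1
mode: enforce
mx: mail.example.com
mx: mail2.example.com
max_age: 604800
```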
Still a Good Security Option
Despite the presence of potential attacks and weaknesses, MFA should be added to security stacks as often as possible. Google and Microsoft proved that adoption of MFA dramatically reduces the number of successful attacks.
Each user, each resource, and each organization will have limitations and preferences when it comes to specific types of MFA. IT managers need to push towards higher security as they walk the line between insecure accounts and frustrated employees. With so many options, they can select an MFA method that will not be excessively burdensome to users and will also reduce risk to the organization.