Multi-Factor Authentication: The Battle to Protect Accounts
April 22, 2020
By Alexander Rubin
Information is the most important commodity in today’s world whether for individuals or companies. Protecting that information and data from falling into the wrong hands has become an increasingly vital aspect of any business. As the methods of protection have become more sophisticated, so have the methods of the hackers that individuals and businesses are trying to protect themselves from.
One of the most popular methods of securing accounts and information from attackers is called multi-factor authentication (MFA).
MFA is a process that safeguards an account by requiring a user to input multiple factors to gain access. The factors are often broken down into “something you know, something you have, and something you are.” Something you know is a password or PIN, something you have is an electronic token or SMS code, and something you are is a biometric such as a fingerprint.
The most common form of MFA is called two-factor authentication, also referred to as dual-factor authentication or 2FA. This uses two of the aforementioned factors to gain entry into an account. A common example of 2FA is a login where the user enters a password and then receives an SMS message on their phone containing a PIN that must be entered to complete the login. The idea behind this is simple, and the added layer of security makes it extremely difficult for those who intend to do harm.
In fact, according to Microsoft, 99.9% of enterprise accounts that get hacked don’t use MFA. These hacks can be explained by two factors. First, the use of legacy email protocols that don’t support MFA. Second, people often create simple passwords and reuse these passwords across multiple accounts. 40% of the compromised accounts were victims of automated password spray attacks that exploit the weaknesses mentioned above.
MFA certainly has its pros: even if one’s password is compromised, their account may still be safe, and it protects sensitive data on a network, which makes each individual user less susceptible. If one is employing device-based MFA and a device is lost or stolen, the information on that device is still protected as well. There are also downsides to MFA. If a user loses access to the secondary factor used for identity authentication, they can be locked out of their account. Additionally, it takes more time to log into accounts as more steps are required. But the time spent logging in is well worth the additional layers of security.
Not all forms of MFA are created equal. As defenses evolve, so do the threats they guard against. Knowledge-based questions such as entering the last four digits of a mobile phone number, entering a secondary email address, and confirming the last known sign-in location are no longer the best security option. Hackers have become adept at obtaining such information. Even the above-mentioned SMS code process is no longer secure, as hackers are able to take control of your phone number through a process called a SIM swap. Twitter CEO Jack Dorsey is the most notable victim of a SIM swap; hackers gained entry to his personal Twitter account using this method.
In order to best secure accounts, MFA should be employed using secondary factors such as authentication apps that generate a one-time code for the user or the use of biometrics such as a fingerprint. The safest option may be three factors; the likelihood of someone gaining access to all three factors is small, which protects user accounts even further. Luckily, many major service providers already give users the option or even require the use of MFA. If any individual or company has not started protecting their accounts in this manner, it may be time to start.
PRTS Intelligence Newsletter - Q2 2020