Andrew Roderos

If you haven’t been living under the rock these past few years, you’ve probably heard of multi-factor authentication (MFA) or two-factor authentication (2FA) by now. In the last few years, MFA has gained enormous popularity in companies that are improving their cybersecurity posture.

Before we delve into MFA, lets define what is authentication. In simplest terms, it is a process to confirm if someone is in fact who they say they are.

A lot of people make mistakes that the combination of username and password is authentication. However, it is actually a combination of identification (username) and authentication (password). The username is used to claim an identity, while the password is used to verify the identity.

Authentication factors

There are three basic methods of authentication:

Type 1: Something you know – password, PIN, etc.
Type 2: Something you have – smart card, hardware token, smartphone, etc.
Type 3: Something you are or something you do – biometrics, signature, keystroke dynamics, etc.

Out of these three methods of authentication, Type 1 is the weakest and Type 3 being the strongest. Malicious actors, however, can still bypass some of the Type 3 authentication factors. For example, some fingerprint readers can easily be fooled by a duplicate fingerprint on a gummy bear candy¹.

Single-factor authentication (SFA)

As the name implies, single-factor authentication only requires one method of authentication. For many years, accounts for our email, web, social media, etc. were protected by this single form of authentication.

For a time, passwords were enough to secure the accounts. However, as cybercriminals become more successful in stealing credentials, it became clear that passwords alone were no longer enough to protect accounts.

Multi-factor authentication (MFA)

As you might have guessed, multi-factor authentication requires at least two methods of authentication. It can be a combination of any two or perhaps all three of Type 1, 2, and 3.

The use of two methods of authentication is called two-factor authentication (2FA), which is a subset of MFA. 2FA is the most popular method that is currently available on a lot of websites, applications, etc.

The concept of multi-factor authentication is not new. In fact, you’ve probably been using it but didn’t realize that you were. If you’ve ever withdrawn money from an ATM, then you’ve used MFA.

Withdrawing from an ATM requires you to present two forms of authentication: something you know (PIN) and something you have (debit card). Satisfying these two requirements will give you access to withdraw money from your account – assuming you have sufficient funds.

Importance of MFA

52% of the users have reused the same passwords

Protecting accounts with passwords has been unsuccessful for many years. A lot of people use easily guessable passwords for their accounts and in some cases have them written down within an arm’s length. The reuse of passwords across multiple accounts is also common. In a Virginia Tech University paper, they found in a study that 52% of users have reused the same passwords or modified existing passwords instead of coming up with something new². What’s worse is that these users are also using the same passwords for their personal and work-related accounts.

Password reuse creates huge risks and undermines security for both individuals and businesses. Some organizations are starting to offer free password manager software to their employees to combat this issue. This is a way of potentially arming their employees with the ability to practice good security in both their personal and professional lives.

The use of a password manager helps immensely in improving password security. It allows users to create unique and strong passwords without memorizing them. In fact, a few weeks ago, there was a data dump of 2.2 billion accounts³. Stolen credentials from personal accounts could be used to try and compromise business accounts as well.

81% of hacking-related breaches leveraged either stolen or weak passwords

There have been many instances where cybercriminals successfully acquired account credentials. In fact, according to Verizon 2017 DBIR, 81% of hacking-related breaches leveraged either stolen or weak passwords⁴. Reducing this number by implementing MFA solutions should be one of the top priorities of companies.

Common MFA methods

There are many approaches to MFA that companies take. Unfortunately, some of the approaches are weaker than others. We’re going to examine the most commonly used MFA methods.

OTP hardware-based

OTP-based hardware tokens, also known as security tokens or hard tokens, are one of the oldest MFA methods that are still in use today. RSA SecurID was very popular back in the early 90s.

There are drawbacks in using hardware tokens. Since they are small devices, they can be lost, stolen, or forgotten. When this happens, users won’t be able to access their accounts.

This scenario brings another disadvantage of hardware tokens. It can be hard to manage since it costs money to replace and logistics of delivering the hardware token.

The possibility of key extraction from a hardware token is another downside⁵. Additionally, cybercriminals can target manufacturers to steal information that could be used to compromise the security of the hardware tokens⁶.

OTP software-based

OTP-based software tokens are one of the most deployed MFA methods. It is very much the same as hardware tokens, but more convenient and less expensive. Assuming that users have smartphones – not everyone has one⁷. Instead of carrying another device, the user installs an app on their smartphone. The app generates six-digit passcodes for authentication.

Same as the hardware token, there are drawbacks to OTP software-based token. Smartphones get lost, stolen, or forgotten. In contrast, users are less likely to forget their smartphones at home than lose a hardware token. One can assume that users are more attentive with their smartphones than they may be with a hardware token.

Another thing to consider is the reliance on a smartphone’s battery life. Users won’t have access to the app to get their codes when smartphones are out of battery. It is also true that OTP-based hardware tokens also run on batteries, but their batteries can last anywhere from five to ten years.

Similar to hardware tokens, the seed value (or secret key) on a software-based token is vulnerable to theft, but in this case by smartphone malware or malware on the server. When malicious actors get a hold of the seed value, then they can replicate this to their own smartphone.

Both hardware and software tokens can suffer from a MITM (man-in-the-middle) attacks. To describe this attack, imagine a cybercriminal creates a fake bank website. Then launches a phishing campaign that entices users to give up their credentials including OTP. The server captures everything and passes your credentials to the real website. If done right, the server will maintain the session until the attacker is ready to make fraudulent transactions.

OTP SMS-based

Receiving one-time passwords (OTP) SMS (or text message) is another popular MFA method – possibly the most popular. With this method, upon successful first-step authentication, the user receives an SMS message with a random code.

Sometime in 2016, NIST (National Institute of Standards and Technology) seemingly deprecated SMS-based authentication but eventually softened their stance in the SP 800-63B (Digital Identity Guidelines) document⁸.

The key takeaway is to verify that the OOB (out-of-band) device is uniquely tied to a device. This means that users should not use VoIP-based services (Google Voice, for example) to receive passcodes.

While it is still acceptable to use OTP via SMS per NIST, it doesn’t mean users should keep using it. There are vulnerabilities in using this method such as SIM swap, SS7 (Signaling System No. 7) vulnerabilities, etc.

To highlight the insecurity of using this method, one virtual currency investor lost around $150,000 after the cybercriminal took control of his phone number⁹. Another instance where SMS-based 2FA was ineffective to protect the account was when Reddit got hacked via SMS intercept¹⁰.

Push-based notification

This method is taking the best of both worlds from SMS-based and mobile-app based MFA. The main advantage of this method over others is the balance between security and convenience.

The push-based method has been gaining popularity in the enterprise. In fact, Cisco Systems invested $2.35 billion to acquire Duo Security, an industry leader in the MFA space¹¹.

The beauty of this method is that when the user sees a push notification, the user can choose to allow or deny the authentication attempt. If it was the user who initiated the authentication attempt, then it gets approved. Authentication attempts not initiated by the user can be rejected.

Push technology, in theory, is a more secure method, but it doesn’t mean it is immune to attacks. One possible attack is by social engineering. Imagine a cybercriminal gets a hold of a user’s credential and tries to access the account. When the cybercriminal is ready to send the push, he/she can call the user impersonating a trusted entity such as an IT personnel convincing the user to accept the push.

Universal 2nd Factor (U2F)

Google and Yubico initially developed U2F, but now it is an open authentication standard supported by the FIDO (Fast IDentity Online) Alliance. It aims to provide strong second-factor authentication while also enabling users to quickly and securely access websites.

When a user wants to authenticate to a website (that the U2F is registered), the user will need to insert the USB token as the second-factor authentication. It is not vulnerable to phishing attacks, session hijacking, and MITM attacks.

Same as the OTP-based hardware token; however, it can be forgotten, lost, or stolen. It can get costly when supplying or replacing these tokens to all employees in large organizations.

Conclusion

While MFA is not perfect, it is still better than not having it at all. Our recommendation is to enable it wherever possible. Especially, when it comes to systems, websites, or applications that contain sensitive data.

When choosing an MFA method for your organization, you must strike a balance between security and convenience. The MFA strategy must be easy to use and sustainable. Without these factors, users may find ways to circumvent it, which in turn undermines the security provided by the second-factor authentication.

NetworkJutsu provides networking and network security consulting services for startups, a more established small and medium-sized business (SMB), or large business throughout the San Francisco Bay Area.

You might also like to read

How to improve your cybersecurity

______________________________________________________________________________________________________________________________
¹ Passwords: 4 Biometric Tokens and How They Can Be Beaten
² The Next Domino to Fall: Empirical Analysis of User Passwords across Online Services
³ 2.2 Billion Accounts Found In Biggest Ever Data Dump — How To Check If You’re A Victim
⁴ Verizon 2017 Data Breach Investigation Report
⁵ Efficient Padding Oracle Attacks on Cryptographic Hardware
⁶ RSA breach leaks data for hacking SecurID tokens
⁷ Smartphone penetration rate
⁸ Questions…and buzz surrounding draft NIST Special Publication 800-63-3
⁹ Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency
¹⁰ We had a security incident. Here’s what you need to know.
¹¹ Cisco Completes Acquisition of Duo Security