Table of Contents
To increase the security of user accounts, multifactor authentication (MFA) adds a layer of protection from cyberattacks. Should a anyone phish or social engineer a user’s password, the attacker would be unable to authenticate into an account without the secondary authentication requirement. Multifactor authentication provides several options including biometrics, a security token (PIN) or a location signal.
Cybersecurity Education and Training Begins Here
Here’s how your free trial works:
- Meet with our cybersecurity experts to assess your environment and identify your threat risk exposure
- Within 24 hours and minimal configuration, we’ll deploy our solutions for 30 days
- Experience our technology in action!
- Receive report outlining your security vulnerabilities to help you take immediate action against cybersecurity attacks
Fill out this form to request a meeting with our cybersecurity experts.
Thank you for your submission.
By using at least two of the above authentication factors, the statistical chances of an attacker having access to both components are very low. Note, however, that the protocol used to send text messages to a user—Signaling System No 7 (SS7)—was hacked and PINs sent to smartphones can be intercepted. This recent vulnerability in the SS7 protocol has led to organizations moving to other ways of using multifactor authentication using data channels. Targeted social engineering attacks have been used to convince users to divulge their PINs, giving attackers access to user accounts regardless of MFA.
In recent years, commodity phishing tools, also known as phish kits, have gained the ability to circumvent MFA. On one of these phishing sites, the attacker doesn’t just create a facsimile of the login page but uses a lookalike domain name and a transparent reverse proxy to present the victim with real content drawn from the page they expect to see. The victim logs in, seemingly as normal, allowing the attacker to intercept their MFA token and take over the account.
Because of the SS7 protocol vulnerability, many companies using MFA have moved towards sending OTP using data channels. Email is one option, but it leaves the user vulnerable should their email accounts get hacked. Using authenticators installed on the user’s device is a better option. Authenticators display PINs that a user can input into the authentication system, which serves as the secondary step during multifactor authentication.
Biometrics is a much safer option than using PINs, because this secondary authentication step cannot be intercepted. However, this method has its own disadvantages. Biometric systems are expensive and have not been perfected, making them difficult for users and companies to integrated into their systems. They’ve become much cheaper and have more widespread adoption; they're in almost every modern smartphone, and even desktop PCs have biometric authentication features such as Windows Hello, but they still cannot be integrated as easily on desktop applications.
Why Is MFA Important?
MFA was introduced when phishing and social engineering became a primary cyber-attack method. Phishing emails with malicious links, keyloggers, and requests for private credentials are a serious problem for companies and individuals. Phishing attacks that result in credential theft cost companies millions in data breaches. They also create a threat for individuals. If no MFA is included in the authentication process, an attacker with stolen credentials can authenticate into the user’s account.
Attackers use social engineering for a variety of reasons, but one of them is to convince users to divulge their account credentials. A simple convincing phone call could give attackers access to high-privilege accounts, which could then lead to a large-scale data breach. In more advanced attacks, an attacker could use a combination of phishing and social engineering to steal credentials.
With MFA integrated into an authentication system, phishing and social engineering is mostly neutralized. An attacker could phish user credentials, but they would not have access to the secondary authentication method. They could social engineer a user into divulging account credentials, but again attackers would not have access to the second authentication information.
Using secondary authentication methods is mostly effective, but attackers occasionally bypass MFA using social engineering. Attackers that target specific individuals will call them after stealing credentials to convince the targeted user into providing the MFA PIN. Social engineering would not work with biometrics, but most organizations use a PIN as the secondary authentication method. Until biometrics are more widely available, social engineering is still an issue with MFA systems that use PINs.
When Should MFA Be Used?
Any website or internal system that stores and works with sensitive data should use MFA. Without MFA added to an authentication workflow, a system accessible to attackers could be vulnerable to brute-force password attacks and credential theft. It’s an added developer expense, so some systems that don’t store sensitive data skip having MFA.
Before a developer determines that MFA is not needed, compliance regulations should first be reviewed to ensure there are no regulation violations. Some regulatory standards require MFA on critical systems that store sensitive data. Any system that stores financial data, personal identifiable information (PII), or healthcare data need MFA to authenticate into the network. MFA might not be needed internally, but administrators that authenticate remotely might need to use MFA to stay compliant.
Third-party integration options make it easier to include MFA into an authentication workflow. If the system is available to the public where an attacker could possibly authenticate with stolen credentials, MFA should be included in the workflow. Other fraud detection systems can also be used to detect brute-force attacks or stolen credentials, but the first step is using MFA to stop attackers.
Subscribe to the Proofpoint Blog