To increase the security of user accounts, multifactor authentication (MFA) adds a layer of protection from hackers. Should an attacker successfully phish or social engineer a user’s password, the attacker would be unable to successfully authenticate into an account without the secondary authentication requirement. Multifactor authentication provides several options including biometrics, a security token (PIN), or a location signal.
How Multifactor Authentication Works
MFA was introduced as computing power has made it faster to brute force passwords. Current computing power allows an attacker to send millions of brute-force attempts per second at a user’s encrypted password. When quantum computing is finally introduced, basic passwords with even the strongest encryption libraries will be rendered obsolete.
Another problem with current password workflows is reuse of the same passwords across multiple systems. It’s impossible for users to remember unique 10-character passwords on dozens of systems, so they will often use the same one on multiple platforms. If an attacker can steal the password of one account, it’s possible for the same attacker to breach multiple platforms. Password vaults offer a way for users to store multiple passwords without memorizing them, but breaching a vault creates the same vulnerability.
To neutralize brute-force password attacks and phishing, MFA was introduced. The way MFA works depends on the secondary authentication requirement, but the basic functionality is the same. Users are given an account username and password. These two authentication components are standard for most systems. When MFA is integrated into the process, a secondary authentication requirement is presented to the user during the workflow.
The most common method in MFA workflows is an access token, usually a one-time password (OTP) sent to the user’s smartphone using text messaging. A personal identification number (PIN) sent to the user’s smartphone is the most common way to add MFA to the authentication process. Most users have smartphones, so it’s a way to ensure that users will be able to use the MFA system.
Multifactor authentication factors must include at least two of the following components:
- Something the user has: The user could have a physical key, USB device or bank card to identify themselves.
- Something the user knows: Generally, this is a memorized password but can be any input only known to the user.
- Something the user is: Biometrics such as fingerprints, voice or eye iris can distinguish user identity.
- Somewhere the user is located: Signals from user devices such as GPS location identify that the user is near the system.
By using at least two of the above authentication factors, the statistical chances of an attacker having access to both components are very low. Note, however, that the protocol used to send text messages to a user – Signaling System No 7 (SS7) – was hacked and PINs sent to smartphones can be intercepted. This recent vulnerability in the SS7 protocol has led to organizations moving to other ways of using multifactor authentication using data channels. Targeted social engineering attacks have been used to convince users to divulge their PINs, giving attackers access to user accounts regardless of MFA.
Because of the SS7 protocol vulnerability, many companies using MFA have moved towards sending OTP using data channels. Email is one option, but it leaves the user vulnerable should their email accounts get hacked. Using authenticators installed on the user’s device is a better option. Authenticators display PINs that a user can input into the authentication system, which serves as the secondary step during multifactor authentication.
Biometrics is a much safer option than using PINs, because this secondary authentication step cannot be intercepted. However, this method has its own disadvantages. Biometric systems are expensive and have not been perfected, making them difficult for users and companies to integrate into their systems. They’ve become much cheaper and have more widespread adoption (e.g. smartphones), but they still cannot be integrated easily on desktop applications.
Why is MFA Important?
MFA was introduced when phishing and social engineering became a primary cyber-attack method. Phishing emails with malicious links, keyloggers, and requests for private credentials are a serious problem for companies and individuals. Phishing attacks that result in credential theft cost companies millions in data breaches. They also create a threat for individuals. If no MFA is included in the authentication process, an attacker with stolen credentials can authenticate into the user’s account.
Attackers use social engineering for a variety of reasons, but one of them is to convince users to divulge their account credentials. A simple convincing phone call could give attackers access to high-privilege accounts, which could then lead to a large-scale data breach. In more advanced attacks, an attacker could use a combination of phishing and social engineering to steal credentials.
With MFA integrated into an authentication system, phishing and social engineering are mostly neutralized. An attacker could phish user credentials, but they would not have access to the secondary authentication method. They could social engineer a user into divulging account credentials, but again attackers would not have access to the second authentication information.
Using secondary authentication methods is mostly effective, but attackers occasionally bypass MFA using social engineering. Attackers that target specific individuals will call them after stealing credentials to convince the targeted user to provide the MFA PIN. Social engineering would not work with biometrics, but most organizations use a PIN as the secondary authentication method. Until biometrics are more widely available, social engineering is still an issue with MFA systems that use PINs.
When Should MFA Be Used?
Any website or internal system that stores and works with sensitive data should use MFA. Without MFA added to an authentication workflow, a system accessible to attackers could be vulnerable to brute-force password attacks and credential theft. It’s an added developer expense, so some systems that don’t store sensitive data skip having MFA.
Before a developer determines that MFA is not needed, compliance regulations should first be reviewed to ensure there are no regulation violations. Some regulatory standards require MFA on critical systems that store sensitive data. Any system that stores financial data, personally identifiable information (PII), or healthcare data needs MFA to authenticate into the network. MFA might not be needed internally, but administrators that authenticate remotely might need to use MFA to stay compliant.
Third-party integration options make it easier to include MFA into an authentication workflow. If the system is available to the public where an attacker could possibly authenticate with stolen credentials, MFA should be included in the workflow. Other fraud detection systems can also be used to detect brute-force attacks or stolen credentials, but the first step is using MFA to stop attackers.
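A sketch of the kind of detection that can sit beside MFA, added here as an example and not taken from the original article or any product: it flags repeated password failures (brute force) and a correct password followed by repeated MFA failures (a sign the password was stolen and MFA is what stopped the login). The log format, thresholds and alert names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events: "epoch user source_ip step outcome"
# (hypothetical log format, not from any real product).
SAMPLE_LOG = """\
1000 alice 198.51.100.7 password fail
1002 alice 198.51.100.7 password fail
1003 alice 198.51.100.7 password fail
1005 alice 198.51.100.7 password fail
1006 alice 198.51.100.7 password fail
2000 bob 203.0.113.9 password ok
2004 bob 203.0.113.9 mfa fail
2010 bob 203.0.113.9 mfa fail
2015 bob 203.0.113.9 mfa fail
3000 carol 192.0.2.44 password ok
3005 carol 192.0.2.44 mfa fail
3012 carol 192.0.2.44 mfa ok
"""

WINDOW = 60          # seconds
PW_FAIL_LIMIT = 5    # password failures in WINDOW => brute force
MFA_FAIL_LIMIT = 3   # MFA failures after a good password => stolen password


def detect(log_text):
    """Return {user: set of alert names} for the events in log_text."""
    pw_fails = defaultdict(list)    # user -> timestamps of failed passwords
    mfa_fails = defaultdict(list)   # user -> MFA failures since password ok
    alerts = defaultdict(set)
    for line in log_text.splitlines():
        ts, user, _ip, step, outcome = line.split()
        ts = int(ts)
        if step == "password" and outcome == "fail":
            recent = [t for t in pw_fails[user] if ts - t <= WINDOW] + [ts]
            pw_fails[user] = recent
            if len(recent) >= PW_FAIL_LIMIT:
                alerts[user].add("brute_force")
        elif step == "password" and outcome == "ok":
            mfa_fails[user] = []            # a new login attempt starts here
        elif step == "mfa" and outcome == "fail":
            recent = [t for t in mfa_fails[user] if ts - t <= WINDOW] + [ts]
            mfa_fails[user] = recent
            if len(recent) >= MFA_FAIL_LIMIT:
                alerts[user].add("password_ok_mfa_failing")
        elif step == "mfa" and outcome == "ok":
            mfa_fails[user] = []            # legitimate user finished login
    return dict(alerts)
```

On the sample data, `detect(SAMPLE_LOG)` flags alice for brute force and bob for a working password with failing MFA, while carol's single mistyped PIN followed by a success raises nothing.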