Multi-Factor Authentication (MFA for short) is simply the use of two or more methods of authentication to validate your identity, that is, to confirm you are who you present yourself as. These methods could include two or more of:
- Password
- Typing in a confirmation number sent to your phone via SMS (short message service)
- Typing in a confirmation number sent to an application installed on your smart phone
- Confirming via an action in an application installed on your smart phone
- Facial recognition
- Fingerprint recognition
The three main types of authentication are:
- something you “know”
- something you “have”
- something you “are”
Authentication forms a key part of “Identity Management” which is typically classified into the following components:
- Identity – Who you are, often signified by a username or email address
- Authentication – confirms your identity via one of the above methods, most often a secret or something physical that only you have access to.
- Access Control – what you can access
- Accounting – a record of what you do with your access rights
These are commonly referred to as “IAAA”.
Why should you use Multi Factor Authentication?
The default mechanism for authentication for many purposes, particularly online systems, is passwords.
An excellent post on the Microsoft Tech Community gives a great explanation of the various attacks against passwords, and that the time for its use as a single factor of authentication is past. It also challenges the notion that using long passwords, pass phrases, or avoiding passwords used in a breach are effective ways to strengthen password practice.
It highlights the multitude of potential attacks against passwords:
- credential stuffing,
- phishing,
- keystroke logging,
- local discovery,
- extortion,
- password spray, and
- brute force.
So the argument put forward there is that passwords “don’t matter”. They may be subject to many weaknesses, but they do matter, primarily because as an authentication method they aren’t going away. So controls need to be specified and implemented according to your risk appetite, your individual or organisational environment and your overall security posture goals.
The post makes the strong claim that “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”
All authentication types have weaknesses. Combining authentication methods reduces the risk that a weakness of one particular method allows you to be impersonated, that is, that someone who is not you can use your account simply by stealing something you have, or by compromising something you know through social engineering or theft.
When planning an MFA strategy, you should choose two methods whose strengths compensate for each other’s weaknesses.
Considerations for MFA implementation
When implementing MFA, the impact on the user experience is important. The value of a control must be greater than the business impact of its use. As users get used to MFA the overhead reduces, but there are multiple simple things to consider.
Do you need to use all factors at all times? You may consider accepting a single factor, and then only requiring the other factors under certain conditions. For example, requiring MFA:
- weekly
- after a fixed number of single factor logins
- upon password reset
- upon device reset
- when a new device/browser/session is established
This can ease the burden on users, but needs to be carefully considered in relation to your control objectives and your risk appetite for account compromise.
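As an added illustration of the conditional pattern above (not code from the original post), the following Python sketch evaluates those five triggers against a small account record; the thresholds, field names and device identifiers are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
# Thresholds are constructed for this example, not taken from any product.
MFA_MAX_AGE = timedelta(days=7)   # "weekly" re-challenge
MAX_SINGLE_FACTOR_LOGINS = 5      # re-challenge after this many password-only logins

@dataclass
class AccountState:
    last_mfa_at: Optional[datetime]        # last completed full MFA challenge
    single_factor_logins: int              # password-only logins since that challenge
    password_reset_at: Optional[datetime]  # most recent password reset, if any
    known_devices: set[str] = field(default_factory=set)  # devices that completed MFA

def mfa_required(state: AccountState, now: datetime, device_id: str,
                 device_reset: bool = False) -> list[str]:
    """Policy reasons forcing a full MFA challenge; empty means the password alone is fine."""
    reasons = []
    if state.last_mfa_at is None or now - state.last_mfa_at >= MFA_MAX_AGE:
        reasons.append("weekly")
    if state.single_factor_logins >= MAX_SINGLE_FACTOR_LOGINS:
        reasons.append("login-count")
    if state.password_reset_at and (state.last_mfa_at is None
                                    or state.password_reset_at > state.last_mfa_at):
        reasons.append("password-reset")
    if device_reset:                            # client reports it was reset since last login
        reasons.append("device-reset")
    if device_id not in state.known_devices:    # new device/browser/session
        reasons.append("new-device")
    return reasons

def record_login(state: AccountState, now: datetime, device_id: str, mfa_completed: bool) -> None:
    """Keep the counters honest after a successful login."""
    if mfa_completed:
        state.last_mfa_at, state.single_factor_logins = now, 0
        state.known_devices.add(device_id)
    else:
        state.single_factor_logins += 1

def demo_sequence() -> list[list[str]]:
    """Constructed walk-through: known laptop on day 2, same laptop on day 8, unseen phone after a reset."""
    t0 = datetime(2024, 1, 1, 9, 0)
    state = AccountState(t0, 0, None, {"laptop-a1"})
    results = [mfa_required(state, t0 + timedelta(days=1), "laptop-a1")]
    record_login(state, t0 + timedelta(days=1), "laptop-a1", mfa_completed=False)
    results.append(mfa_required(state, t0 + timedelta(days=7), "laptop-a1"))
    record_login(state, t0 + timedelta(days=7), "laptop-a1", mfa_completed=True)
    state.password_reset_at = t0 + timedelta(days=8)
    results.append(mfa_required(state, t0 + timedelta(days=8, hours=1), "phone-z9"))
    return results
```

The walk-through returns an empty list for the routine day-2 login, a weekly re-challenge on day 8, and both the password-reset and new-device triggers for the unseen phone.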
Another positive element of varying the pattern of MFA is reducing predictability. A consistent, predictable approach is potentially useful for users; however, signalling the control environment to attackers gives them information about your environment.
For example, if it isn’t publicly evident that you are using MFA, an attacker who attempts to exploit a password, is unexpectedly presented with an MFA challenge and fails to complete it produces a potential indicator of attack. This might then cause an incident to be raised investigating whether there are other circumstances which might indicate an account compromise (this investigation and correlation of event factors could be automated).
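The detection idea in the previous paragraph, as an added example rather than anything from the original post: it scans a constructed authentication log (the key=value format, user names and documentation-range IPs are all made up for the example) and flags a working password that was followed by a failed or unanswered MFA challenge, which is the correlation that could be automated.

```python
import re
from datetime import datetime, timedelta
# Constructed sample authentication log in a made-up key=value format (documentation IPs).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z user=alice event=password_ok src=198.51.100.7
2024-03-01T10:00:08Z user=alice event=mfa_ok src=198.51.100.7
2024-03-01T11:30:02Z user=bob event=password_ok src=203.0.113.50
2024-03-01T11:30:20Z user=bob event=mfa_fail src=203.0.113.50
2024-03-01T11:31:05Z user=bob event=mfa_fail src=203.0.113.50
2024-03-01T12:15:00Z user=carol event=password_ok src=203.0.113.51
2024-03-01T12:45:00Z user=carol event=password_ok src=198.51.100.9
2024-03-01T12:45:06Z user=carol event=mfa_ok src=198.51.100.9
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) event=(\S+) src=(\S+)$")
CHALLENGE_WINDOW = timedelta(minutes=5)   # time allowed to answer the MFA challenge
def parse_log(text: str) -> list[dict]:
    """Parse the sample format into time-ordered event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, event, src = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "event": event, "src": src})
    return sorted(events, key=lambda e: e["ts"])

def unexpected_mfa_outcomes(events: list[dict]) -> list[dict]:
    """For each successful password step, report an MFA challenge that was failed or
    never answered within CHALLENGE_WINDOW: the indicator the text describes."""
    alerts = []
    for i, e in enumerate(events):
        if e["event"] != "password_ok":
            continue
        deadline, outcome = e["ts"] + CHALLENGE_WINDOW, "abandoned"
        for later in events[i + 1:]:
            if later["ts"] > deadline:
                break                   # events are sorted, so nothing later can count
            if later["user"] != e["user"]:
                continue
            if later["event"] == "mfa_ok":
                outcome = "ok"
                break
            if later["event"] == "mfa_fail":
                outcome = "failed"      # keep looking: a later mfa_ok would clear it
        if outcome != "ok":
            alerts.append({"user": e["user"], "src": e["src"],
                           "at": e["ts"].isoformat(), "outcome": outcome})
    return alerts
```

On the sample log this raises two alerts: bob's password worked but both challenge attempts failed, and carol's first login from an unfamiliar address never answered the challenge at all, while the routine alice and later carol logins stay silent.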
Attacks against MFA
All authentication methods have weaknesses and risks.
To successfully compromise an account protected by MFA, you essentially need to compromise all the authentication methods within a time frame in which they are all vulnerable. This is complicated by the fact that compromise of a single factor can trigger detection mechanisms. For example, failed password logins might trigger alerts to reset passwords, and this could happen before the other factors are successfully compromised.
A follow-up Microsoft Tech Community post highlights two classifications of attacks against MFA:
- Real-time phishing – this is typically a “man in the middle” style attack where authentication requests are intercepted in real time, allowing replay by the malicious actors
- Channel jacking – this is simply taking over the channel by which MFA is undertaken (email, SMS, push or voice), so that more than one method is compromised.
The level of sophistication and ability required to compromise MFA increases the complexity and cost of an attack, and reduces the likelihood of a successful undetected compromise.
This also moves attacks against MFA from things that can be automated and applied on a broad scale to more specific targeted attacks. Unless an attacker is highly motivated to compromise a particular account, it is expensive to break.
This potentially moves an attacker’s behaviour towards considering alternative attack vectors.
One particular attack to be aware of is when multiple authentication sources have a shared component. An example of this has come up in the banking industry. Customers use an app on their phone to do banking, and SMS to that phone is a second factor of authentication. If a malicious actor can compromise the phone, either via its operating system or a fake banking app (likely from a fake app marketplace), then the device becomes the weak point for MFA.
This style of attack, along with the relative ease of SIM-jacking has led many organisations to move away from SMS as a second factor of authentication.
In September 2019 the FBI issued a private industry notification regarding “Cyber criminals using Social Engineering and Technical attacks to circumvent Multi-Factor Authentication”.
One of its closing points is “Defending against multi-factor authentication attacks requires awareness of the attacks which circumvent the security and constant vigilance for social engineering attacks.”
This highlights the ongoing importance of a human centric approach.