Despite the usual trope of spy movies and crime dramas showing users effortlessly breaking through complex security systems, like our tag-teaming typists above, multi-factor authentication (MFA) remains an extremely effective tool in the fight against security breaches. But even though many understand the benefits MFA presents, we are still seeing too many organizations still not using it!
What is MFA?
Multi-factor authentication is a method of confirming a user's identity by requiring them to present multiple elements or "factors" to gain access to a system. The most common form of MFA combines something the user knows (like a password) with something the user has (like a smartphone).
What is the Value of MFA?
The value of multi-factor authentication lies in its ability to make it significantly more difficult for attackers to gain access to systems and data. Even when a users credentials are compromised, the attacker will still be missing part of the puzzle - typically an app on the users smartphone - and thus cannot complete the sequence. This greatly reduces the chances of successful attacks.
What Attacks Face MFA?
Despite its effectiveness, multi-factor authentication is not perfect. There are several types of attacks that can be used to bypass it, including:
Weakness of Phone Transports
One of the common options for setting up MFA is to receive codes via text message or robocall, but when voice and SMS systems were originally developed encryption wasn't part of the mix. If the messages are intercepted then attackers have the missing piece they need as soon as the user hits enter. And once they're in, they lock the user out of the account by resetting the password and changing the phone number.
Attackers often trick users by posing as the vendor for the account in question. They reach out right before using stolen credentials, request the user pass along the verification code or hit accept on the MFA app for account confirmation, and they're in. There are a few things users can keep in mind here. If someone reaches out unprompted, don't engage. Many MFA apps will show where the request originated, if it's not even remotely close to the users location, ignore it. And users should never respond to MFA prompts that come in when they're not actively logging in to a system.
If an attacker has physical access to a user's device, obviously they can respond in real-time to any MFA prompts. For this reason, it is especially important to protect devices with a PIN, or even better a method that can't be guessed like fingerprint or face scan, to restrict access to the device.
What Can Your Business Do to Stay More Secure?
By knowing the methods criminals use to bypass MFA, you can more successfully protect against it. There are several steps you can take to make sure your business is as secure as possible:
First off - use MFA - email, social media, financial, and any other accounts that contain sensitive data should be protected
Use biometric (fingerprints, eyes/face) authentication as one of the methods
Avoid phone transports like mentioned above (voice and SMS)