Turn On Your Multi-factor Authentication
[10/16/2023] This week's Cybersecurity Awareness Month focus is MFA: turning it on, and choosing the right kind.
While this may feel like beating a dead horse, MFA (multi-factor authentication) should be turned on and enforced wherever possible to add a layer of security on top of password-based authentication. MFA is commonly said to stop 80-90% of identity-based attacks, a figure that has come down over the past few years; it was once credited with blocking 99% of attacks that rely on a compromised password. The reason for the change is that not all MFA is equally strong: some factors can be intercepted or phished, while others cannot. Below are some tips to help you select the right options for your organization.
Know the Weaknesses
During MFA setup, when we are offered options such as email, many of us do not pick the strongest method available, assuming that every option provides the same level of security. Email and SMS make it easy for users to receive a code and paste it in, but a code delivered this way can be read by anyone who can see the phone's SMS messages or lock screen, or who already controls the email account that the service is registered to. It can also be phished outright: a look-alike login page simply asks the user for the code and relays it to the real service before it expires.
A few attack types based on weaknesses:
- SIM swapping – An attacker convinces the phone carrier, typically by social engineering its support staff, to move the victim's phone number to a SIM the attacker controls. From then on the attacker receives the victim's SMS messages, including MFA codes, and the victim's phone loses service.
- Push fatigue – Also called MFA bombing. An attacker who already has the victim's password triggers login after login, spamming the phone with MFA push notifications in the hope that the irritated victim eventually taps "Approve" just to make them stop.
- Business email compromise – Email is a particular concern because an email account sits upstream of so many other identities, and a compromise can harm the account owner, all of their contacts and every service that depends on that address. An attacker who controls an email account can use "forgot password" flows to reset any service registered to it, and will also receive any MFA codes that those services deliver by email.
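Push fatigue leaves a recognisable trail in MFA logs: a run of push challenges for one user in a short window, most of them denied, sometimes ending in an approval. The following detection routine is an added example written for this article, not code from the original post or from any MFA vendor. The log format, the user names, the IP addresses and the default threshold (five pushes within ten minutes) are all constructed assumptions; adapt the regex and the threshold to your own product's logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real product). One line per
# MFA push event: timestamp, user, event type, source IP of the login attempt.
SAMPLE_LOGS = """\
2023-10-16T02:14:07Z user=jdoe event=push_sent ip=203.0.113.7
2023-10-16T02:14:09Z user=jdoe event=push_denied ip=203.0.113.7
2023-10-16T02:14:30Z user=jdoe event=push_sent ip=203.0.113.7
2023-10-16T02:14:33Z user=jdoe event=push_denied ip=203.0.113.7
2023-10-16T02:14:55Z user=jdoe event=push_sent ip=203.0.113.7
2023-10-16T02:14:58Z user=jdoe event=push_denied ip=203.0.113.7
2023-10-16T02:15:20Z user=jdoe event=push_sent ip=203.0.113.7
2023-10-16T02:15:22Z user=jdoe event=push_denied ip=203.0.113.7
2023-10-16T02:15:40Z user=jdoe event=push_sent ip=203.0.113.7
2023-10-16T02:15:43Z user=jdoe event=push_denied ip=203.0.113.7
2023-10-16T02:16:05Z user=jdoe event=push_sent ip=203.0.113.7
2023-10-16T02:16:12Z user=jdoe event=push_approved ip=203.0.113.7
2023-10-16T09:01:00Z user=asmith event=push_sent ip=198.51.100.23
2023-10-16T09:01:04Z user=asmith event=push_approved ip=198.51.100.23
"""

# Assumed (constructed) log layout: "<ISO-8601 UTC> user=<id> event=<type> ip=<addr>"
LINE_RE = re.compile(r"^(\S+) user=(\S+) event=(\S+) ip=(\S+)$")


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, event, ip = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "event": event, "ip": ip}


def detect_push_fatigue(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag any user who receives `threshold` or more push challenges inside
    a sliding `window`. The alert also records how many pushes were denied
    and whether an approval followed the burst, which is the worst case:
    the user gave in and the attacker is now logged in."""
    by_user = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_user[ev["user"]].append(ev)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        recent = deque()            # push_sent timestamps still inside the window
        burst_at = None             # time the threshold was first crossed
        pushes = denied = 0
        approved_after_burst = False
        ips = set()
        for ev in events:
            ips.add(ev["ip"])
            if ev["event"] == "push_sent":
                pushes += 1
                recent.append(ev["ts"])
                while recent and ev["ts"] - recent[0] > window:
                    recent.popleft()
                if burst_at is None and len(recent) >= threshold:
                    burst_at = ev["ts"]
            elif ev["event"] == "push_denied":
                denied += 1
            elif ev["event"] == "push_approved" and burst_at is not None:
                approved_after_burst = True
        if burst_at is not None:
            alerts.append({
                "user": user,
                "pushes": pushes,
                "denied": denied,
                "approved_after_burst": approved_after_burst,
                "burst_at": burst_at.isoformat(),
                "ips": sorted(ips),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOGS.splitlines()):
        severity = "HIGH" if alert["approved_after_burst"] else "medium"
        print(f"[{severity}] {alert['user']}: {alert['pushes']} pushes, "
              f"{alert['denied']} denied, approved after burst: "
              f"{alert['approved_after_burst']}, from {alert['ips']}")
```

In the sample, jdoe is bombed six times in two minutes, denies five and finally approves, so the routine raises a high-severity alert; asmith's single push and approval is normal behaviour and is ignored. A burst with an approval at the end should trigger an immediate password reset and session revocation, not just a ticket.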
Pick a Secure Option
SMS and email are the most common MFA methods, but an authenticator app is a more secure option. It combines the device's current time with a unique seed shared during enrollment to generate a code (typically six digits, rotating every 30 seconds) entirely on the device, with no network access needed. An attacker would need the seed, captured at setup, or the device itself to produce valid codes, although a code typed into a look-alike site can still be relayed to the real one within its short lifetime. FIDO/FIDO2-compliant authenticators and hardware security keys go further: they give up the convenience of a code you can copy and paste, but in exchange they are phishing-resistant, because the key signs a challenge that is bound to the real site's web origin, so a phishing domain cannot obtain a usable response and the attacker would need the physical device. Because most attacks are carried out remotely, that hardware dependency makes these methods extremely hard to defeat without being on site or stealing the device.
More Secure options:
- Authenticator app – Google, Microsoft and many others publish authenticator apps. Choose a well-known one and install it from the official listing; fake authenticator apps do exist in the app stores.
- Hardware token/security key – A dedicated device such as a FIDO2 security key or a vendor-specific one-time-code token. Which tokens are supported depends on the MFA software and the service, so check before buying.
- Biometrics with FIDO compliance – This is where passwordless authentication is growing. The fingerprint or face unlocks a private key stored on the device; the biometric itself never leaves the device, and the signed response is unique to each login and bound to the site, so it is nearly impossible to phish or replay.
The Lesser of Evils
Sometimes a more secure option is not available, and we are at the mercy of whatever the vendor or manufacturer supports. In that case we pick the lesser of evils, because any MFA is still better than no MFA. SMS or push notifications are then the best of the weaker options, because they are tied to a mobile device that is harder for a remote attacker to replicate or gain access to than an email inbox. If push is the choice, turn on number matching where the vendor offers it, so the user has to type a number shown on the login screen instead of just tapping Approve; that alone defeats most push-fatigue attempts.
Even though SMS is the weaker option, there are some steps you can take to make it as strong as possible:
- Keep your software updated! – This applies in every situation, but it is even more important when the phone itself is the second factor.
- Use a passcode/passphrase – Protect the phone's data and access to it with a passcode, and set it to lock automatically.
- Be mindful of notifications/banners – MFA codes and other data can be revealed on the lock screen, and some actions can be taken from it. Hide notification previews on the lock screen and keep the screen away from shoulder surfers.
- Know when something is wrong – Mobile devices slow down and batteries weaken with age, but excessive battery drain and slowness are also signs of malware. Get in the habit of rebooting your devices and removing software you do not need. And if your phone suddenly loses service, treat it as a possible SIM-swapping attack: your SIM may have been deactivated because an attacker has taken over your number. Contact your carrier right away.