Multifactor Authentication - The Good, The Bad, & The Vulnerabilities
The good news is—if you require multifactor authentication (MFA) for access to your systems, you’re doing the right thing. The bad news is—what you’re doing might not be enough.
Most of us by now are familiar with MFA and have been required to use it in order to access one or more of our online accounts. If, after entering your user ID and password, you are prompted to enter a code received via email or text message, that’s a type of MFA.
However, MFA is not invulnerable, as pointed out in a recent post from Cybersecurity Dive. Although MFA is far more effective than single-factor authentication (user ID and password only), it is still subject to human error. For example, if a phone or other device is stolen or compromised, an attacker can transfer the number to themselves so that they receive the authentication requests. Another common tactic is “prompt bombing,” in which an attacker sends multiple prompts to a user, hoping the user will finally click the attacker’s false button or link in order to stop the prompts from coming, thus giving the attacker a way in.
Nevertheless, MFA still drastically reduces the number of successful cyberattacks, and you should be using some form of it.
Types of MFA–Pros and Cons
MFA comes in four broad categories, each with its own variants, advantages, and disadvantages.
- Something you know. Examples: passcode, answer to security question. Pros: easy to implement. Cons: users forget them, write them down, share them, or make them too simple.
- Something you have. Examples: mobile device for SMS, hardware token. Pros: difficult to steal virtually. Cons: can be forgotten, lost, or stolen physically.
- Something you are. Examples: fingerprint, facial recognition. Pros: very difficult to steal. Cons: vulnerable to involuntary authorization.
- Somewhere you are. Examples: IP address, geographic region. Pros: can’t be stolen. Cons: can be spoofed.
Watch for the Weaknesses—Key Vulnerabilities
Cybercriminals find ways to get around MFA, as they do with any type of defense. Staying on top of cyberattacks is a never-ending struggle, and it’s vital to be aware of MFA’s main weaknesses.
- Lack of user education. Users may not realize they should not use the same password for their email and the application they are accessing, especially if the MFA involves sending a code to their email address.
- Social engineering attacks. Attacker tricks user into revealing passwords and/or answers to security questions.
- Phishing attacks. Attacker tricks users into entering login credentials into a false online form.
- Man-in-the-middle attacks. Attacker intercepts user credentials as they're entered into a false network.
- Malware and keyloggers. Malware records users’ keystrokes and sends them to a hacker.
- Single point of failure. If the user forgets info, loses the device, or the device fails, the user is locked out.
- Complexity and usability. Users may be tempted to use overly simple passwords.
- Lack of updates. Companies fail to keep up to date with improvements and updates from their MFA providers.
Never Give Up—Best Practices for Building Your Defenses
Despite MFA’s weaknesses and vulnerabilities, you can optimize its effectiveness by implementing the following best practices.
- Require MFA for ALL users. Unprotected user accounts give hackers an in.
- Use an authenticator app. They are convenient, easy to use, and provide another layer of security.
- Use contextual and adaptive MFA controls. The level of authentication required is based on the user’s location, device, behavior pattern, etc.
- Consider using passwordless authentication. Hardware tokens or biometrics such as fingerprints reduce risk but require careful research and testing.
- Take a zero-trust approach. Never trust, always verify—continuously.
- Combine MFA and single sign-on. The number of logins is reduced while security is maintained.
- Enable multiple MFA options. Users have flexibility based on their own needs and preferences.
- Send a one-time password. Make sure it is correctly formatted and can be accurately copied and pasted.
- Provide a fallback authentication method. Make sure users are trained on how to use the fallback in case the primary method fails.
- Promote security awareness. Train employees and users on MFA importance and recognizing phishing and social engineering attacks.
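The adaptive MFA control above (step up the required factor when the device or location is unusual) and the prompt-bombing tactic described earlier can both be expressed as simple policy code. The following is an added illustration, not code from the original article or any MFA vendor; the baseline data, push log, device names and country codes are constructed, and the step names are hypothetical labels for whatever factors your deployment offers.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed baseline of what is "normal" for each user (hypothetical data).
BASELINE = {"alice": {"devices": {"laptop-01"}, "countries": {"US"}}}

@dataclass
class LoginAttempt:
    user: str
    device: str     # device identifier presented by the client
    country: str    # country derived from the source IP address
    when: datetime

def risk_score(attempt: LoginAttempt, baseline: dict) -> int:
    """Score 0-4: +2 for an unknown device, +2 for an unusual country."""
    known = baseline.get(attempt.user, {"devices": set(), "countries": set()})
    score = 0
    if attempt.device not in known["devices"]:
        score += 2
    if attempt.country not in known["countries"]:
        score += 2
    return score

def required_step(score: int) -> str:
    """Map the risk score to the authentication the session must complete."""
    if score == 0:
        return "password+remembered-device"
    if score <= 2:
        return "password+authenticator-app"
    return "password+hardware-token"   # or deny outright, per policy

def prompt_bombing_suspected(push_log, user, window=timedelta(minutes=5), limit=3):
    """True when more than `limit` push prompts for `user` were sent and not
    approved inside any `window`: a signal to stop sending prompts and alert."""
    times = sorted(t for u, t, approved in push_log if u == user and not approved)
    for i, start in enumerate(times):
        if sum(1 for t in times[i:] if t - start <= window) > limit:
            return True
    return False

# Constructed push-notification log: (user, timestamp, approved?)
T0 = datetime(2024, 1, 1, 9, 0, 0)
PUSH_LOG = [
    ("alice", T0, False),
    ("alice", T0 + timedelta(seconds=30), False),
    ("alice", T0 + timedelta(seconds=60), False),
    ("alice", T0 + timedelta(seconds=90), False),
    ("bob", T0, False),
    ("bob", T0 + timedelta(hours=1), True),
]
```

Alice's four unanswered prompts within ninety seconds trip the detector, while Bob's single unanswered prompt followed by an approval an hour later does not.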
The bottom line is that MFA is still an important tool in your arsenal. Although it might not be perfect, the answer is not to scrap it but to strengthen it.
Sources/Additional Reading:
Cybersecurity Dive: Multifactor Authentication Is Not All It's Cracked Up to Be
eSecurity Planet: MFA Advantages and Weaknesses
Sectigo: Top 8 Weaknesses in MFA