When a tech giant like Microsoft says a simple tool can prevent 99.9% of attacks, that should be enough to grab your attention. Multi-factor authentication (MFA) is not a catch-all security tool, but it can certainly be your first line of defense against breaches of sensitive data. Here’s everything you need to know about making the most of any MFA system.
How MFA works
As the name suggests, a multi-factor authentication mechanism identifies users based on multiple pieces of evidence. Any combination of the following factors constitutes a successful implementation of an MFA system.
- Knowledge—something that the user knows—a PIN or a passphrase
- Possession—something that the user has—a smart key or an OTP (one-time-password)
- Inherence—something that the user is—biometric IDs
If only two factors are used, the mechanism is referred to as “2FA”. Not to be confused with 2-step verification, a 2FA system is simply the two-factor form of MFA.
An ideal multi-factor authentication system must use independent factors. For example, the password used to access a computer (knowledge) should not be the same as the password used to retrieve an OTP from a mobile device (possession). MFA systems can be further strengthened by adding geolocation and device signatures to the authentication layer.
MFA System Adoption Rate
Recent data breaches have forced many companies to take a more holistic approach to securing their assets. While network and data security remain a priority, adopting an MFA system ties up the loose ends they leave behind.
A LastPass survey concluded that 57% of enterprise clients around the world implement MFA. Last year alone recorded a growth of over 12%. The COVID-19 pandemic has only added to this trend by bringing remote work to the mainstream. These are the key contributors to an increased MFA system adoption rate:
- The popularity of biometrics: With an array of biometric identification technology available today, there’s hardly anyone left out. The dramatic improvement in the imaging capability of consumer electronics and robust blockchain implementation of scanned images has taken biometrics to a whole new level.
- Availability of authentication apps: The better integration and built-in security of authentication apps have improved the adoption of MFA. These apps boost consumer confidence with a multi-platform presence and hassle-free recovery options.
How Hackers Get Past an MFA System
Like any other security measure, MFA is not foolproof. Since an MFA system is nothing but a combination of single-factor authentication methods, a hacker can attack each element individually. Other attack vectors involve behavioral factors or faulty technical implementation. Here are some common scenarios:
- Brute-force attacks: When attackers try common passwords against random user IDs, they may get lucky a few times. This is a particular issue with MFA systems. For instance, some MFA systems only slow down repeated login attempts instead of locking them out. A single-authentication system responds better to this threat by limiting failed attempts.
- Biometrics theft: Being sensitive, biometrics are handled carefully across the board. However, a normal use case may ultimately employ them on multiple machines over the cloud. This exposes biometric data to attackers, who may be able to recreate it even if they cannot obtain the original. Once they have a copy of the user’s biometrics, breaching the MFA system becomes a piece of cake.
- Intercepting cookies: Cookies contain important user data on the browser for a streamlined user experience. This includes sensitive data like multi-factor authentication credentials. An attacker can utilize any number of side-channel attacks to obtain this data and gain access to sensitive accounts. Because of many unpatched and even zero-day vulnerabilities out in the wild, an unsuspecting user may not even know about the breach.
- Local access: If local admin access is compromised, all the data on a user’s system is exposed. This can include biometrics or other data that may lead to a breach of the MFA system. Even if strong encryption prevents data theft, local access can expose other insightful information about the user, which helps attackers make better-informed guesses on other attack surfaces.
- SIM cloning: Wireless providers are increasingly abandoning physical SIM cards in favor of virtual SIMs. Digital copies open the door to mass cloning of SIM data, enabling attackers to intercept a victim’s communications, which gives them seamless access to MFA tokens. As the most popular possession factor in any MFA system, SMS OTPs expose a large number of users to this vulnerability.
- Recovery attack: While most MFA systems are very secure, they are forgiving when it comes to recovery. This ensures that users have access to the most sensitive data in situations of urgency. Attackers know this full well and prey on vulnerable users. They impersonate a forgetful user and try to gain access to their accounts with wild guesses. MFA systems utilizing security questions for recovery are particularly vulnerable. For example, a determined hacker can easily guess the model of a user’s first car!
- Social engineering: When everything else fails, an attacker can turn to social engineering to exploit innocent users. A social engineering attack can take many forms. It can be as simple as a phishing email or a more elaborate scheme where the users are actively targeted with personalized baits. No MFA vendor can fully address this vulnerability, as this scheme relies heavily on behavioral factors.
Preventing MFA System Attacks
Even with its loose ends, MFA is preferable to any single-authentication system. Below are some actionable steps to prevent attacks on an MFA system:
Choose the Right MFA Vendor
Choosing the right vendor is as important as implementing the MFA system itself. While most vendors prioritize security, some give more weight to user experience and reporting. Attackers are actively looking for any weak points they can find, and vendors are no exception. You must pick your MFA vendor diligently and make sure they:
- Use mutual SSL authentication
- Implement a lockout policy for unauthorized login attempts
- Use development best practices like SDLC
- Address social engineering attacks
- Utilize passive contextual authentication, such as geolocation
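An added example, not from the original post, of the lockout behaviour the checklist asks for: a hypothetical policy that locks an account after repeated failures rather than only slowing them down, and, because the brute-force scenario above spreads common passwords across many user IDs, also flags a source that fails against many distinct accounts, which per-account lockout alone would never notice. Thresholds and the account and source names are constructed.

```python
import time
from collections import defaultdict, deque
from typing import Dict, List, Optional


class LockoutPolicy:
    """Hypothetical login-attempt policy (added example): per-account lockout plus
    cross-account spray detection. Not any vendor's actual implementation."""

    def __init__(self, max_failures: int = 5, window: int = 300,
                 lockout: int = 900, spray_accounts: int = 10):
        self.max_failures = max_failures      # failures within `window` seconds that trigger a lock
        self.window = window
        self.lockout = lockout                # seconds an account stays locked
        self.spray_accounts = spray_accounts  # distinct accounts one source must fail on to be flagged
        self.failures: Dict[str, deque] = defaultdict(deque)                   # account -> recent failure times
        self.locked_until: Dict[str, float] = {}                               # account -> unlock time
        self.source_accounts: Dict[str, Dict[str, float]] = defaultdict(dict)  # source -> {account: last failure}

    def is_locked(self, account: str, now: float) -> bool:
        return self.locked_until.get(account, 0.0) > now

    def attempt(self, account: str, source: str, credential_ok: bool, now: Optional[float] = None) -> str:
        """Returns 'locked', 'allowed' or 'denied'. A locked account refuses even a correct credential."""
        now = time.time() if now is None else now
        if self.is_locked(account, now):
            return "locked"
        if credential_ok:
            self.failures.pop(account, None)  # a real login resets the failure count
            return "allowed"
        recent = self.failures[account]
        while recent and recent[0] <= now - self.window:
            recent.popleft()  # forget failures older than the window
        recent.append(now)
        self.source_accounts[source][account] = now
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lockout  # hard lock, not just a slowdown
            recent.clear()
            return "locked"
        return "denied"

    def spraying_sources(self, now: Optional[float] = None) -> List[str]:
        """Sources with failures against `spray_accounts` or more distinct accounts in the window."""
        now = time.time() if now is None else now
        return sorted(src for src, accts in self.source_accounts.items()
                      if sum(1 for t in accts.values() if t > now - self.window) >= self.spray_accounts)
```

Feed it events from your authentication log (account, source, outcome, timestamp) and alert on `spraying_sources()` separately from the per-account locks.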
Have a Trusted-Link Policy
Regardless of the entry point, a malicious link can challenge any MFA system. Major software and hardware vendors struggle to stop side-channel and RCE attacks initiated by a simple link. A trusted-link policy alone can eliminate many attack vectors. Such a policy may include:
- Only clicking links from verified senders
- Disabling links from email by default
- Scanning links for security before clicking them
Make Education Center Stage
To reap all the rewards of MFA, you must stay on top of education, both as an administrator and as an end-user. Adapting to the changing security environment is the only way to stay secure. The inclusion of periodic hacking awareness in all end-user training sessions is a must.
Monitor Security Hygiene
No MFA system is secure if any of the involved factors are exposed to vulnerabilities. Users must practice security hygiene at all times. For example, users must:
- Prefer local OTP generation over SMS OTPs
- Use out-of-band authentication whenever possible
- Avoid password sharing, recycling, and replay
- Pick unique password combinations
- Avoid generic answers to recovery questions
- Avoid suspicious sites and recognize spammy behavior
- Avoid public and unsecured network connections whenever possible
While MFA is not unhackable, it continues to provide unmatched protection. MFA attacks are rare and mostly target soft attack surfaces—phishing, social engineering, and the like. These vulnerabilities can easily be addressed through education and general security hygiene. Combined with other measures, the MFA system can prove to be a strong and effective security tool.