Imagine you have a secret diary. To keep it safe, you secure it with not one but several locks. Requiring multiple locks to gain access is what cybersecurity specialists call multi-factor authentication.
Because hey, passwords get discovered all the time, with 8.4 billion leaked passwords in September 2023.
Why should this development concern everyone? Threat actors can use these leaked passwords to launch password spraying attacks against online accounts and brute-force their way into your digital life. This is all the more worrying when you consider that:
Let us walk back to the secret diary we mentioned. This treasure trove of secrets requires four locks. And not just any lock but different kinds of locks at that.
The first lock is your regular password (something you know), like a secret word.
The second lock is like a special card (something you have), like a library card.
The third lock is like a picture of your face (something you are), where the diary only opens if it recognizes your face.
The fourth lock only works if you are present at the treehouse where the diary resides (location).
So, multi-factor authentication (MFA) is like using these multiple locks for your online accounts to make sure only you can get in. It's super safe because even if someone knows your password, they still can't get in without your special card and your face.
The best part? MFA has stopped 99.9% of account-compromise attempts, proving to be the best defence against credential stuffing, brute-force attacks and password spraying. Most MFA methods are not completely phishing-resistant, but they block the majority of intrusion attempts by unauthorized parties.
MFA relies on multiple types of factors to gain access to a system.
Across security systems, these factors boil down to four different types:
While MFA methods don't offer complete security against threat actors, it is important to state that any MFA is better than no MFA. You don't want to make it easier for people to peek into your secret diary by guessing your password, right?
Passwords are the simplest examples of Something You Know.
There’s a good reason why they are the most commonly used authentication method - they don’t rely on special hardware or software to work.
When you type in your password, it's a way to prove that you're the person who should have access to something, like your online account.
This is why most MFA systems use a password and at least one other factor.
Imagine Something You Have as having a special item, like a key to your house. It's like saying, "I have this thing that proves I should be here."
In the digital world, it might be a card or a code sent to your phone that you need to enter. If you don't have that special item, you can't get in.
This MFA method requires you to have a secondary device, which makes it harder for attackers to compromise your account. However, it also comes with a considerable administrative cost for the user.
What about Something You Are? These are factors that make you unique.
Think of it like a superhero with a special power nobody else has. But since this is the real world we’re talking about, it can be something like your fingerprint or face.
When you show your face to a camera or scan your fingerprint, it proves you're you because there's no one else exactly like you.
If you are part of a business or an organization that deals with sensitive information, this MFA method is commonly used to control access to the premises.
Location is like saying, "I am right here." It's proving where you are at a particular moment. Think of it as GPS for your pizza delivery - only the right location gets the pizza.
However, the location factor is not restricted to geography only. It can also refer to the source’s Internet Protocol (IP) address range. Administrators can rely on an allow-list-based approach to limit access to information.
Some security systems can use your phone's GPS or IP to check if you're in the right place to access something. So, it's like saying, "I can only do this if I'm in the right spot."
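The two rules described above, a password plus at least one other factor and an IP allow-list for the location factor, as an added example that is not code from the original post. The address ranges, salt and demo password are constructed assumptions; a production system would use a dedicated password-hashing scheme and must take the client address from the connection itself, not from a header the client can set.

```python
import hashlib
import hmac
import ipaddress

# Constructed allow-list of trusted source ranges (documentation prefixes, assumed).
ALLOWED_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("2001:db8:1::/48")]

# Constructed credential store: salted SHA-256 digest of the demo password "correct horse".
_SALT = b"demo-salt"
STORED_PASSWORD_HASH = hashlib.sha256(_SALT + b"correct horse").hexdigest()


def knowledge_factor(password: str) -> bool:
    """Something you know: compare the salted digest in constant time."""
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(digest, STORED_PASSWORD_HASH)


def possession_factor(submitted_code: str, issued_code: str) -> bool:
    """Something you have: the one-time code delivered to the user's device."""
    return hmac.compare_digest(submitted_code, issued_code)


def location_factor(client_ip: str) -> bool:
    """Location: the source address must fall inside an allow-listed range."""
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False  # malformed or empty input fails closed
    return any(addr in net for net in ALLOWED_RANGES)


def evaluate_access(password, otp, issued_otp, client_ip, required=2):
    """Grant access only if the password holds AND at least `required`
    distinct factor types succeed (password plus one other, by default)."""
    results = {
        "know": knowledge_factor(password),
        "have": possession_factor(otp, issued_otp),
        "where": location_factor(client_ip),
    }
    granted = results["know"] and sum(results.values()) >= required
    return granted, results


if __name__ == "__main__":
    print(evaluate_access("correct horse", "123456", "123456", "203.0.113.7"))
```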
The cat-and-mouse game between hackers and new security technologies continues. Even multi-factor authentication techniques are susceptible to certain limitations, depending on the method being used:
MFA is a multi-layered defense against intrusion attempts, but a weak account password still makes it easier for hackers to gain access. Really, people need to create strong passwords.
Receiving SMS or voice-based one-time passwords (OTPs) for MFA needs to be phased out, because these codes easily fall prey to phishing attacks and can be intercepted by an attacker.
Mobile device security is commonly overlooked by security administrators as well as users. Smartphones are commonly used as authentication devices, but their ubiquity makes them an easy target for threat actors.
There are many scenarios where MFA codes can be hijacked by cybercriminals:
Lack of latest security patches
Unintentionally downloaded malware payloads
Exploiting vulnerabilities in wireless technology like Bluetooth
Specialized equipment that stores biometric information may be hard to crack, but not impossible. If a hacker were to get access to the unique identifiers stored in those machines, it could render most biometric countermeasures obsolete. The use of deepfakes and other artificial intelligence-based technology in circumventing these restrictions should not be treated as an afterthought.
Multi-factor authentication is a powerful tool to secure yourself and your organization. While it is still vulnerable to phishing attacks and social engineering techniques, using MFA is better than not using it at all. Depending on your security requirements, the more 'factors' you throw at the problem, the safer you'll be.
Note: This blog is part of Pureversity's Cybersecurity Awareness Month 2023 coverage, aiming to empower you, your home, and your workplace with an improved cybersecurity posture.