Multi-factor authentication is becoming more ubiquitous, but some methods are more secure than others.
By now many of us already understand the dangers of poor-quality passwords, yet just in March, there was a $15 million ransom demand issued due to “password” being used as a password. In order to provide an additional layer of security, multi-factor authentication (MFA) has been brought in to mediate the risks of static stored passwords.
SMS as authentication, Security Questions, and a Mobile App Authenticator are some types of MFA. However, even with these added layers, users can still be lulled into a false sense of security as some types of MFAs are not as safe as we thought.
Most of us are well aware of SMS authentication. Nearly every online or cloud-based solution offers this as secondary protection from Gmail to LinkedIn to banks, whereby an SMS with a code is sent to the user’s phone, requiring them to input the code before they can proceed and access their information, etc.
There are numerous obvious benefits to this layer of protection. It is inexpensive, with all employees typically possessing a phone and so there is no need for any extra hardware for the company to provide. Additionally, it is easy to implement and usually very user-friendly and intuitive, and it can be used regardless of whether the user has data, making it easily accessible to almost all users.
However, there are a number of downsides that users should be aware of. SMS 2FA can be vulnerable to SIM Swapping/SIM Hacking, whereby the SIM card in your phone essentially tells your phone which wireless carrier to connect to, and what phone number to connect with. In a SIM swap/SIM hack attack, a threat actor impersonates you and convinces the carrier that they are, in fact, you.
Furthermore, keep in mind that most of the common wireless providers allow you to view text messages via your online account, within their web portal. If your account for the web portal itself isn’t protected with a second factor, and if you are using an easily guessed password which you use with many online accounts, a threat actor could monitor your account for an SMS OTP message that you initiated for a banking app, Facebook, etc, giving them access to those accounts.
Lastly, endpoint attacks use trojans; malware designed to intercept incoming SMS messages right on your phone and silently redirect them to attackers. SMS intercepting trojans first appeared on Symbian and, today, these trojans are most common on Android devices, prompting Google to create a whole new way of managing access to the SMS inbox.
Your mother’s maiden name …
Another popular and low-cost security feature is the security question. By providing answers to personal questions, such as what your mother’s maiden name is, the name of your first pet or your favourite teacher, you provide a unique reference that only you know. This security solution is easy to set up and does not require any devices or smartphones.
However, many security question answers are easy to dig up. People can find information like your father’s middle name or the street you grew up on relatively easily online, especially with the ubiquitous use of social media.
It is also easy to accidentally divulge this sensitive information through social engineering, such as phishing emails or phone calls. It is also likely that the user has the same question and answer for multiple accounts as it is hard to remember multiple answers to multiple questions. This increases the vulnerability of such an approach.
Mobile app authenticator
Another means to secure online accounts is through the use of a separate mobile app authenticator. This does provide an additional layer of security, especially if biometrics are enabled as even if your phone is stolen, the push notification cannot be accepted by anyone else.
These OTPs are also not tied to your phone number – rather they are tied to your phone – and so it does not relay on your wireless carrier’s reliability or security. Lastly, they are low-cost – often free – and so easily accessible for most people and smaller companies.
However, an internet connection will still be required which may limit its accessibility. Furthermore, the time-based login requirement can be hard for some people to use and for others, push notifications are disabled which can make using the app harder.
Lastly, there have been instances of hackers triggering multiple notifications, potentially causing the user to tap on the wrong one if he/she did not read the notification properly.
Ultimately, there are pros and cons to every security measure, and we are in a constant trade-off between good cybersecurity and ease of use. For busy employees and entrepreneurs, the thought of having to input codes, personal answers, etc., every time they log into their e-mail account is a non-starter.
Basic cyber hygiene is possible, though, and this means good quality passwords that are changed on a regular basis. It also means that employees should be kept up to date on the latest tricks and tools hackers employ, from phishing to SIM Swapping. Which more knowledge comes a better ability to avoid cyberattacks.
Joey joined Exclusive Networks in 2020 as the Country Manager for Singapore. Prior to joining Exclusive Networks, she worked in Reseller, Vendor & Distribution organisations.
TechNode Global INSIDER publishes contributions relevant to entrepreneurship and innovation. You may submit your own original or published contributions subject to editorial discretion.
Keyword: Understanding how MFA works for you, and how it doesn’t>