In our latest Cyber Tip of the Month, PROTECT+ Security Consultant Russell Bull talks all things Multi-Factor Authentication, including what it is, common methods – and the most secure forms of MFA you should be using to protect your accounts. This special edition of Cyber Tip of the Month is part of our Cyber Security Awareness Month campaign – visit our insights page for more ways to protect yourself and your organisation.
Credential theft is one of the most significant cyber security threats, with more attackers finding ways to hack into systems and steal user account login credentials. Passwords are simply not strong enough to protect our accounts anymore, with 77% of all cloud account breaches caused by password breaches. So, what’s the best way to secure your accounts and block attacks and unauthorized access? The answer is Multi-Factor Authentication, also known as MFA.
If you want to build a powerful wall of defence for your accounts, Multi-Factor Authentication is essential. It’s shown to block up to 100% of attacks and fraudulent login attempts – but it all depends on your chosen MFA method.
What is Multi-Factor Authentication?
Multi-Factor Authentication (MFA) is an additional form of verification to ensure that only you can log in to your accounts. With MFA, you can use two or more authentication methods, often in conjunction with your existing password, to prove your identity and safely access your accounts.
How does Multi-Factor Authentication work?
When we secure our information, we consider the three factors of authentication: something you know, something you have, and something you are. Passwords, pin codes, and secret questions fall into the ‘something you know’ category. Different MFA methods fall into the other categories – biometrics and fingerprints are ‘something you are’, and security keys and physical tokens are ‘something you have’. Combining these MFA methods adds strong layers of protection to your accounts.
In the real world, this means that even if an attacker has your password, they still cannot log into your account without your MFA device – whether it’s a security key, fingerprint, or authenticator app. Bypassing your MFA method is difficult – but not infallible – with some stronger than others.
RELATED CONTENT: Near field communication: What is it and how can I stay vigilant?
The most common Multi-Factor Authentication methods
There are a few different types of MFA methods, but not all are created equal. While some are more convenient, others are more secure – and it’s important to compare methods to choose the right one for you.
The most common MFA methods are:
- Random pin
- Authenticator app
- Security key
We know we need to use at least two of these options for strong security on our devices – but where do you start? Let’s dive into the pros and cons of these six forms of MFA and find out which is the most secure method.
An email link is one of the easiest and most convenient Multi-Factor Authentication methods because it does not require additional hardware or software – but it’s also one of the least secure. This is because it’s easy to compromise and is highly vulnerable to attacks. While using an email-based MFA is better than just using a password, it’s certainly not the strongest option.
RELATED CONTENT: Cyber hygiene: 4 easy tips to keep your data safe
Like email links, SMS is one of the most used forms of Multi-Factor Authentication. It’s also one of the most convenient since it also does not require additional hardware or software – you just need a phone that can receive text messages. How it works is whenever you log into your account, you receive a text message with a time-sensitive code to enter. You’ve probably used this form of MFA a few times, as lots of banks and other platforms use this form of authentication.
SMS MFA is easy and widely used – so what’s the problem with it? Well, it will only provide a medium level of security, to start. SIM cards can be cloned or hijacked, which is when a hacker changes your phone number from your SIM card to another SIM card they can control. They can then access your phone number’s text messages – including your MFA codes. Mobile numbers can also be paired to computers, so if your computer contains spyware, attackers can and will access your text messages.
While random PINs do add security to your accounts, they also have their flaws. A random PIN, even long ones, are similar to passwords in that they are easy to guess and are vulnerable to phishing and brute-force attacks. You should never use pins or passwords on their own and always pair them with at least one other form of Multi-Factor Authentication, such as the methods I’ve shared below.
Biometrics requires your unique fingerprint or face to authenticate your login. These are a great way to secure your accounts since you can’t misplace them and you, quite literally, always have them on hand. However, fingerprints and faces can still be compromised or copied using high-definition images or latent fingerprints. Furthermore, if they become compromised, they are compromised forever, as you cannot change your fingerprints. This also raises concerns about the privacy impacts of sharing your biometric data with someone else.
Authenticator apps, such as Google Authenticator or Microsoft Authenticator, are an easy and convenient MFA method. They provide you with a random rolling token code that is used as your second authentication. As with every other option, there are downsides to authenticator apps and push notifications. The user must have a smartphone to access the app, so if your phone is lost or stolen, your authentication is compromised. One way to get around this is to ensure that your chosen authenticator app has a way to deactivate the app on a phone that is reported as lost or stolen.
Since you need to install an app to use this form of MFA, it makes it vulnerable to attacks and malware. Users may accept an illegitimate login attempt by mistake, due to habit, inattention, or accidentally tapping approve. Users are also susceptible to MFA fatigue, as seen in the recent Uber hack. This is when an attacker bombards a user’s authentication app with push notifications, hoping the user will eventually tire of it and approve access. For more details, you can check out PROTECT+ Senior Security Consultant and Penetration Tester Anthony Jones’ insight about MFA fatigue and how to reduce the likelihood of an attacker getting past your MFA.
RELATED CONTENT: Common cyber security mistakes and 3 simple ways to fix them
Experts say that security keys are the most secure form of Multi-Factor Authentication. A Google study found that security keys blocked 100% of attacks, compared to SMS-based MFA which blocked 76-100% of attacks and on-device app prompts which blocked 90-100% of attacks.
A security key is a physical token you can insert into a PC or device to authenticate the login. It’s usually smaller than the size of a thumb drive and must be carried by the user when they want to log into the account. It provides the best assurance for account security since a physical token cannot be copied and it works offline.
While that all sounds great, users must be aware that a security key still has its weaknesses since the physical token can be lost or stolen.
What is the most secure Multi-Factor Authentication method?
The most secure Multi-Factor Authentication method is a phishing-resistant type of MFA, which means that attackers cannot intercept or dupe users into providing account access. Phishing-resistant types of MFA include FIDO2 and WebAuthn standard, hardware-based security keys. This combines the security of physical tokens and biometrics to create a highly secure method of authenticating user access.
You can also create a powerful authentication method by combining multiple forms of MFA, such as non-reused passwords and biometrics alongside authenticator apps and push notifications.
Which Multi-Factor Authentication method should I use?
Picking an MFA method doesn’t need to be complicated. When choosing an MFA method, we need to consider three key things including cost, ease of use, and the importance of the information we are protecting.
Authenticator apps are one of the cheapest and easiest forms of MFA, as they are free and provide great security assurance for accounts like email, social media, and banking. If you want to avoid issues such as MFA fatigue, go for Authenticator apps that use rolling codes, rather than push notifications. That way, users cannot be bombarded with prompts, but instead, need to retrieve a unique code.
If you want the ultimate security assurance, security keys are the best protection you can get. They’re also the most expensive form of MFA with prices ranging from $20 to $100 dollars per security key. However, security keys are best for securing the most important accounts and information like banking, crypto, password managers, government, and identity services.
While all forms of MFA have their strengths and weaknesses, MFA remains the best way to add security to your accounts and will go a long way in keeping your identity, data, money, and accounts safe.
Need help choosing the right MFA and other cyber security measures for your business? Get in touch with us and find out more about how Kinetic IT’s PROTECT+ cyber security solution can work for you.