The trouble with passwords, and how to correct it
While passwords have been an invaluable tool for over half a century, they are not without their drawbacks: if a password is discovered by a third party, there is nothing to stop them from authenticating as that user. It is the same as a car key: if someone steals or copies it, nothing prevents them from unlocking your car and driving off with it. Unlike your car, however, attackers stealing and using your credentials can be halfway around the world. To prevent security breaches in our hyperconnected age, we need more than just a username and password.
Multi-Factor Authentication (MFA) requires a user to provide means of authentication from two or more of the following areas:
- Something You Know (knowledge)
- Something You Have (asset)
- Something You Are (biometrics)
- Somewhere You Are (location)
Two Factor Authentication (2FA) means the same thing as MFA – just specifically using two of the Factors above. An everyday example of 2FA in action is entering a PIN (Something You Know) with a debit card (Something You Have) to complete a transaction. An example of something that is not 2FA is requiring a password (Something You Know) and a knowledge-based question like “name of first pet” (Something You Know) because the same type of Factor is used in both instances.
A few common examples of second Factors to go along with passwords are: text (SMS)/email message codes, one-time codes (OTC) generated by a physical token or a smartphone app, and a smartphone app that asks the user to select “approve” or “deny” for an active login attempt (all of these are Something You Have).
While setting up and using 2FA alongside a password seems like an extra hassle, its value has been demonstrated in practice. Both Microsoft and Google have seen the use of passwords with app/physical token-based 2FA block 90+% of even expertly targeted attacks.
How hackers are shifting to try to beat MFA
It has taken time for institutions to update their online systems to take advantage of the more secure 2FA methods (apps, hardware tokens, etc.), but most will at least offer far less secure (albeit better than no 2FA) SMS/email messages. This shift in security means that attackers have had to shift their tactics as well.
An increasing number of tools and phishing schemes have been developed by attackers to target not just passwords but also 2FA one-time codes and on-device prompts. A user may be phished for their 2FA in a variety of ways: a fake login webpage, an SMS message requesting a reply, a call claiming to be from a legitimate company, etc. The attacker asks the user to provide or confirm information such as their one-time 2FA code, or to click “approve” on a device when prompted. In the case of device prompts, attackers may repeatedly attempt to log into a site using stolen credentials, and a user – not knowing the prompts are generated by attackers trying to break into their account – may click “Accept” just to get their device to stop prompting them. Once the attacker has both the password and the relayed 2FA response, they quickly log into the service, gaining full access to the account or system. These “man-in-the-middle” (MITM) 2FA attacks are mostly thwarted by more sophisticated 2FA protocols like Universal 2nd Factor (U2F), because the security key’s response is bound to the website’s origin and a response captured on a look-alike site is rejected by the real one; however, only a few services support U2F as of today.
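As an added illustration that is not part of the article, the toy model below shows why a relayed one-time code still passes at the real site while an origin-bound U2F-style assertion does not. The origins, secrets and the use of HMAC as a stand-in for the security key’s signature are all constructed simplifications.

```python
import hashlib
import hmac
import json
import secrets

# Constructed origins: the real relying party (RP) and a look-alike phishing page.
REAL_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-example.login-help.net"

# --- One-time code (OTC): shared secret, code depends only on the time step ---
def otc(secret: bytes, now: int, step: int = 30) -> str:
    counter = (now // step).to_bytes(8, "big")
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

def rp_verify_otc(secret: bytes, submitted: str, now: int) -> bool:
    return hmac.compare_digest(submitted, otc(secret, now))

def phish_relay_otc(secret: bytes, now: int) -> bool:
    # Victim types the code into the phishing page; attacker forwards it to the real RP.
    # Nothing in the code says which site it was typed into, so the RP accepts it.
    stolen_code = otc(secret, now)
    return rp_verify_otc(secret, stolen_code, now)

# --- U2F-style assertion: the browser, not the user, reports the origin, and the
# authenticator signs over challenge + origin. HMAC stands in for the ECDSA signature. ---
def authenticator_sign(key: bytes, challenge: str, origin: str) -> tuple[bytes, bytes]:
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True).encode()
    return client_data, hmac.new(key, client_data, hashlib.sha256).digest()

def rp_verify_u2f(key: bytes, challenge: str, client_data: bytes, sig: bytes) -> bool:
    fields = json.loads(client_data)
    if fields.get("origin") != REAL_ORIGIN or fields.get("challenge") != challenge:
        return False  # signed for another site, or not the challenge the RP issued
    return hmac.compare_digest(sig, hmac.new(key, client_data, hashlib.sha256).digest())

def legitimate_u2f(key: bytes) -> bool:
    challenge = secrets.token_hex(16)
    client_data, sig = authenticator_sign(key, challenge, REAL_ORIGIN)
    return rp_verify_u2f(key, challenge, client_data, sig)

def phish_relay_u2f(key: bytes) -> bool:
    # Attacker relays the RP's real challenge to the victim's browser, but the browser
    # fills in the origin the user is actually on: the phishing page.
    challenge = secrets.token_hex(16)
    client_data, sig = authenticator_sign(key, challenge, PHISH_ORIGIN)
    return rp_verify_u2f(key, challenge, client_data, sig)
```

The relayed OTC is accepted because nothing ties the six digits to the site they were typed into, whereas the relayed assertion fails the origin check even though the signature itself is valid.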
Staying updated is key to staying a step ahead of hackers
The requirements for users to stay secure against social engineering are constantly shifting. It’s our responsibility to understand the tactics and tools used by attackers if we are to protect our personal and business lives from them. Find out what MFA/2FA options are available for the services you use, but be aware that 2FA is only secure if we keep those Factors away from the attackers.