Is MFA Enough?

Cybersecurity blog - two-factor authentication

What is MFA?

Multi-factor authentication (MFA) adds a layer of security to logging into an asset or service. The login starts with the username and password and then requires at least one more proof of identity from a different category, such as a hardware token, a one-time code from an authenticator app, or a biometric. Two-factor authentication (2FA) is the most common form of MFA; MFA in general can require more than two. The factors have to be independent: a second PIN typed at the login screen is still "something you know" and adds little, whereas a PIN that unlocks a hardware key only unlocks "something you have" locally. The point is that stolen or cracked credentials alone do not get the attacker in, because the additional proof is not in their hands. That extra step protects not just the account but the sensitive information and assets the account can reach.

Authentication factors

  • Something you know: password, PIN, security questions
  • Something you have: one-time passcode delivered by SMS or generated by an authenticator app, hardware token, smart card
  • Something you are: fingerprint, facial recognition

Are all forms of MFA equal?

MFA adds real assurance to a login, but it is not bullet-proof, especially against phishing. Some of the ways MFA fails in practice:

  • MFA fatigue (push bombing): the attacker already has the username and password and triggers push notification after push notification until the user taps "Approve" just to make them stop. That one tap hands the attacker the session.
  • Fake push notifications: the attacker uses the stolen credentials to trigger a genuine prompt, often paired with a spoofed call or message from "IT support" asking the user to approve it, so the user confirms a login they did not start.
  • Adversary-in-the-middle attacks: a phishing site that proxies the real login page relays the password and the one-time code to the genuine service in real time and captures the resulting session; intercepting traffic on an insecure network is the older form of the same attack.
  • Social engineering: talking the user into reading out an SMS or email one-time passcode, or hijacking the phone number (SIM swap) so the codes are delivered to the attacker instead.
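As an added example (not code from the original post), the following push-approval policy implements the two controls that blunt the push-bombing and fake-prompt cases above: throttling prompts per user, so a flood of requests stops reaching the phone and flags the account, and number matching, so a blind "Approve" tap cannot complete a login the user did not start. The thresholds (3 prompts per 60 seconds), user names and timestamps are assumptions made for the demo, not vendor defaults.

```python
"""Added example, not from the original post: two controls against MFA fatigue
(push bombing).  (1) Throttling: stop sending push prompts to a user who has
already received several in a short window, and flag the account.  (2) Number
matching: the login screen shows a number that the user must type into the
app, so a blind 'Approve' tap cannot complete a login the user did not start.
The thresholds (3 prompts per 60 s), user names and timestamps are constructed
for the demo, not vendor defaults."""
from collections import deque
import secrets

MAX_PROMPTS = 3      # prompts allowed per window before we stop sending
WINDOW_S = 60        # sliding window in seconds


class PushPolicy:
    def __init__(self, max_prompts: int = MAX_PROMPTS, window_s: int = WINDOW_S):
        self.max_prompts = max_prompts
        self.window_s = window_s
        self.recent = {}      # user -> deque of prompt timestamps in the window
        self.pending = {}     # prompt_id -> (user, number shown on the login screen)
        self.flagged = set()  # users whose prompts were throttled (for the SOC)

    def request_push(self, user: str, now: int):
        """Called by the login flow after the password check.  Returns
        (prompt_id, number) or None when the user is being bombed."""
        q = self.recent.setdefault(user, deque())
        while q and now - q[0] > self.window_s:
            q.popleft()                       # drop prompts outside the window
        if len(q) >= self.max_prompts:
            self.flagged.add(user)            # repeated prompts = likely stolen password
            return None
        q.append(now)
        prompt_id = secrets.token_hex(8)
        number = secrets.randbelow(100)       # shown only on the login screen
        self.pending[prompt_id] = (user, number)
        return prompt_id, number

    def approve(self, prompt_id: str, user: str, typed_number: int) -> bool:
        """Called when the user taps Approve in the app.  A prompt is single-use:
        a wrong number burns it, so the number cannot be guessed by retrying."""
        entry = self.pending.pop(prompt_id, None)
        if entry is None:
            return False
        owner, number = entry
        return owner == user and typed_number == number


def bombing_run(policy: PushPolicy, user: str, start: int, attempts: int) -> int:
    """Attacker with a stolen password hammers the login once a second; returns
    how many prompts actually reached the victim's phone."""
    return sum(policy.request_push(user, start + i) is not None for i in range(attempts))


if __name__ == "__main__":
    policy = PushPolicy()
    print("prompts delivered out of 10:", bombing_run(policy, "alice", 1000, 10))
    print("flagged users:", policy.flagged)
    prompt_id, number = PushPolicy().request_push("bob", 0)
    print("login screen shows", number, "- a tap without that number fails")
```

The user who is being bombed never sees the number, because it is displayed on the login screen the attacker is sitting at, so even a tired "Approve" fails; and after the third prompt in a minute the remaining attempts are dropped and the account lands in the flagged set for the SOC to look at.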

Phishing-resistant methods remove the thing that gets phished: there is no code for the user to type. With a FIDO2/WebAuthn security key or passkey, or a PKI-based smart card, the authenticator answers a challenge with a signature that is bound to the site the browser is actually talking to, so a look-alike site gets an answer the real service will reject, and a proxy cannot relay it because the signed origin will not match. The biometric or PIN only unlocks the authenticator locally. An attacker would need the physical device, and the means to unlock it, to complete the login. Note that a hardware token that merely displays a one-time code is not in this class: the code it shows can be relayed like any other.
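An added example (not code from the original post) that shows the difference behind the adversary-in-the-middle bullet above and this paragraph: a TOTP code typed by the victim is still valid when a phishing proxy forwards it a few seconds later, while an origin-bound challenge/response signed on the look-alike site fails against the real service, and also fails if the proxy rewrites the origin field. The TOTP secret is the RFC 6238 reference secret, the credential key, hostnames and timestamps are constructed for the demo, and the WebAuthn-style signature is modelled with an HMAC rather than an asymmetric key (an assumption made so the example runs on the standard library); the origin check it demonstrates is the same.

```python
"""Added example, not from the original post: why a typed one-time code can be
relayed through a phishing proxy, and why an origin-bound challenge/response
cannot.  Everything here is constructed for the demo: the TOTP secret (the RFC
6238 test secret), the credential key, the hostnames bank.example and
bank-login.example, and the timestamps.  The WebAuthn-style assertion is
modelled with an HMAC in place of an asymmetric signature (assumption made so
the example runs on the standard library); the origin check is the same."""
import hashlib
import hmac
import os
import struct

# ---- Method 1: TOTP (RFC 6238, HMAC-SHA1, 6 digits, 30 s step) ----------------
TOTP_SECRET = b"12345678901234567890"      # RFC 6238 reference secret
STEP = 30


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Compute the TOTP code for a given time (HOTP over the 30 s counter)."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check, accepting one step of clock skew either way."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + skew * STEP), code)
        for skew in range(-window, window + 1)
    )


def relay_totp_phish(secret: bytes, victim_time: int, proxy_delay_s: int = 5) -> bool:
    """Adversary-in-the-middle: the victim types the code from their app into a
    look-alike site; the proxy forwards it to the real service a few seconds
    later.  Returns True if the real service accepts the relayed code."""
    code_typed_by_victim = totp(secret, victim_time)
    return verify_totp(secret, code_typed_by_victim, victim_time + proxy_delay_s)


# ---- Method 2: origin-bound challenge/response (WebAuthn-style) ---------------
LEGIT_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-login.example"   # attacker's look-alike site


def authenticator_sign(cred_key: bytes, browser_origin: str, challenge: bytes) -> bytes:
    """The authenticator signs the challenge together with the origin the
    browser saw.  The web page itself cannot change that origin field."""
    client_data = browser_origin.encode() + b"|" + challenge
    return hmac.new(cred_key, client_data, hashlib.sha256).digest()


def rp_verify(cred_key: bytes, expected_origin: str, challenge: bytes,
              asserted_origin: str, signature: bytes) -> bool:
    """Relying party: the signature must verify over the asserted client data,
    and the asserted origin must be the RP's own."""
    expected_sig = authenticator_sign(cred_key, asserted_origin, challenge)
    if not hmac.compare_digest(expected_sig, signature):
        return False            # client data was tampered with in transit
    return asserted_origin == expected_origin


def relay_webauthn_phish(cred_key: bytes, challenge: bytes) -> tuple:
    """Same proxy attack against the origin-bound method.  The victim's browser
    is on bank-login.example, so the authenticator signs that origin.
    Returns (relayed_as_is_accepted, relayed_with_forged_origin_accepted)."""
    sig = authenticator_sign(cred_key, PHISH_ORIGIN, challenge)
    as_is = rp_verify(cred_key, LEGIT_ORIGIN, challenge, PHISH_ORIGIN, sig)
    forged = rp_verify(cred_key, LEGIT_ORIGIN, challenge, LEGIT_ORIGIN, sig)
    return as_is, forged


def legit_webauthn_login(cred_key: bytes, challenge: bytes) -> bool:
    """Control case: the user really is on bank.example."""
    sig = authenticator_sign(cred_key, LEGIT_ORIGIN, challenge)
    return rp_verify(cred_key, LEGIT_ORIGIN, challenge, LEGIT_ORIGIN, sig)


if __name__ == "__main__":
    key, ch = os.urandom(32), os.urandom(32)
    print("TOTP relayed by phishing proxy accepted:", relay_totp_phish(TOTP_SECRET, 59))
    print("WebAuthn relay accepted (as-is, forged origin):", relay_webauthn_phish(key, ch))
    print("WebAuthn legitimate login accepted:", legit_webauthn_login(key, ch))
```

The TOTP relay succeeds because the code depends only on the shared secret and the clock, not on where it was typed; the skew window the server needs for real-world clocks is exactly what gives the proxy its few seconds. The origin-bound response fails twice over: relayed as-is, the origin inside the signed data is the phishing site; rewritten, the signature no longer verifies.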

MFA will definitely add protection for users and assets, but the level of protection depends on the method, so choose it for what is being accessed and how sensitive the data is. Strong MFA practices, with phishing-resistant methods on the most critical assets, will pay off in protecting them.

Resources:
Implementing Phishing-Resistant MFA
Not All MFA is Equal, and the Differences Matter a Lot