Multi-Factor Authentication: Everything You Need to Know
It is no secret that login credentials are among the pieces of user data most frequently targeted by malicious entities. This past summer, one of the largest spambot dumps, comprising over 711 million records including nearly 50 million passwords, was reported by Troy Hunt.
Having your password stolen opens the door for a long list of bad things to happen. Hackers can transfer money out of your bank accounts, distribute malicious software from your email or website, or steal sensitive corporate information. We have previously discussed the importance of password management. Two-factor authentication (the most common form of multi-factor authentication) is a powerful (perhaps the most powerful) defense against credential theft.
Below, we’ll explain what it is and how to implement it successfully at your organization.
What is Multi-Factor Authentication?
Multi-factor authentication, or MFA, is based on the concept of requiring multiple forms of identification to ensure that an attempted log-in is being performed by the actual user and not someone else. To balance security and convenience, websites that utilize MFA generally rely upon two factors of authentication (2FA). By forcing a user to provide two distinct types of evidence, 2FA makes credential theft and forgery much more difficult.
So, now that we have a high-level conceptual understanding, let’s take a deeper look at each type of evidence (each “factor”) and how different 2FA credential service providers, or CSPs, implement them. While these “factors” can take many forms, there are three general types of evidence: knowledge, possession, and inherence.
Knowledge-based evidence would be something that you, and only you, know. A great example of this is your password. If you have chosen a distinct and properly secure password, it can be assumed that only you would know it. Think of this as knowing the combination to a safe. Historically speaking, knowledge has been the primary type of evidence used by web applications to secure your data.
The idea of possession centers on you being the only actor who “has” something. A great example of possession evidence is a key. If you are the only one who has a key to your car, it is much more difficult for someone to steal it. A more relevant example in the world of multi-factor authentication would be your cellphone. Many professional 2FA CSPs will use constantly changing, time-sensitive numeric codes generated on (or delivered to) your cellphone (presumably in your possession and locked with a password only you know). The generated variety are known as time-based one-time passwords (TOTP), and they represent a user-specific method of authentication via possession.
While once considered a distant sci-fi fantasy, inherence is quickly becoming a popular evidence factor (thanks, Apple!). Inherence centers on user-specific traits such as retina scans, fingerprints, or a variety of other biometric measures, which can be used to verify that users are who they say they are.
How Multi-Factor Authentication is Used
While credential theft is a serious concern, more and more reputable websites are combating this threat by allowing users to enable multi-factor authentication, usually 2FA. These websites commonly use “knowledge” and “possession” evidence, or “something you know and something you have.” If available, it is always a good idea to use this additional security layer, but it is also wise to do a little research into the exact mechanisms used.
Why? Well, not all 2FA mechanisms are created equal. For example, some sites still rely on SMS to relay a verification code as a text message. These SMS 2FA prompts can be compromised by a variety of different attacks, including SIM swapping and phone account hijacking. This is because SMS is an older protocol with several potential security vulnerabilities. However, this type of 2FA is definitely still better than nothing.
A more secure 2FA method, which is used by a variety of reputable MFA applications (Authy, Duo, Google Authenticator), is to provision a “seed” key onto your mobile phone. This seed key is frequently delivered by scanning a QR code. From then on, both the provider and your device combine the seed with the current time (in fixed intervals, typically 30 seconds) to derive a short code, so the two sides agree on each code without ever sending the seed or the code over an insecure network. These are known as time-based one-time passwords (TOTP) and provide protection against a variety of different attack vectors, as they rely on a secret held on your phone itself instead of its ability to receive SMS messages.
Tips for MFA Deployment and Management
Here at Strongarm, we take password management very seriously. We use 2FA for all services we consume. Some services, such as Google’s G Suite, allow administrators to require 2FA for all accounts. This is a great feature that allows IT managers and admins to enforce at least one layer of password management best practices.
Other services, such as Amazon’s AWS, do not offer this organization-wide setting. In these cases, we explicitly require 2FA whenever a new user is registered. Some password management solutions, like LastPass’ Business offering, allow organizations to require all users to use 2FA to access their stored credentials. While there are a variety of different strategies and techniques for deployment, the basic concept remains the same: any service your users consume should have 2FA enabled.
Using 2FA is an easy and effective step to protect valuable data, but it is not the last step. Unfortunately, credential theft is not the only way for bad guys to compromise your data. Luckily, Strongarm’s DNS protection is here to rapidly boost your defense arsenal. With robust DNS protection, content filtering, and an ever-increasing array of reporting metrics, we can help you protect, control, and analyze your network traffic. All this without any on-site hardware or difficult-to-configure agents. Simply register for a free 30-day trial and Strongarm will help you protect your network within 10 minutes.