MFA or 2FA – How secure is multi-factor authentication?

A recent hack highlights MFA's insecurity – is there a foolproof biometric authentication method?
20 November 2018

Japanese electronics giant Hitachi unveils a new biometric identification and authentication system for financial institutions. Source: AFP

A massive data breach has exposed millions of lines of SMS text messages, which included two-factor authentication messages, password reset links, and other potentially exploitable information.

Sébastien Kaul, a Berlin-based researcher, found the exposed server containing the data around a week ago. It belonged to Voxox, a gateway provider used by companies to verify users’ phone numbers or send two-factor authentication codes, TechCrunch reports.

Standard cybersecurity advice is to always use some form of multifactor or two-factor authentication (MFA, 2FA) to protect online accounts. However, the data leak detailed above shows that not all methods of multifactor authentication are created equal.

So, if account confirmation details or confirmation codes sent by SMS can be regarded as inherently insecure, which methods of multifactor authentication should organizations consider?

Authentication generally consists of one or more of the following categories:

  • Something a user knows (answers to a secret question, password).
  • Something a user possesses (card reader, encrypted USB key, or smartphone).
  • Something a user is (fingerprint, iris scan, voiceprint).

Of course, as always, the devil is in the detail. While answering a secret question may seem a viable method of confirming one’s identity, if the answer to the question is well-known, such as somebody’s nickname, or even a person’s mother’s maiden name (easy to discover), then any advantages are lost immediately.

Authenticator apps such as Authy or Google Authenticator (found by default on most Android phones and running happily on iOS) present one-time codes which have to be entered within a set time frame, typically 30 seconds. The advantage of this technology is that it does not require a cell signal, and the cryptographic seed used to create the time-limited code is entirely local to the device.

Physical authentication keys such as USB devices are convenient and straightforward to use. However, the cost to the organization supplying devices to its customers is significant, and users may be reluctant to wait to either obtain or be sent the authentication device through the mail.

One of the most familiar forms of multifactor authentication is the confirmation email. Although arguably insecure in itself (anyone with access to your identity may well have access to your email account), some companies, such as gaming platform Steam, require a one-time code sent via email to be entered every time a player logs in from an unfamiliar device.

As is usually the case in end-user cybersecurity methods, the balancing act is between ease of customer experience (CX) and the level of protection afforded.

A long-time darling of science fiction and now established in the consumer market, biometric authentication seems, at least on paper, to be the absolute ideal. However, even if we take Apple’s marketing message as gospel and assume its Face ID system is the most sophisticated of the biometric devices on the market at present, its apparent hacking points to the fact that the tech still has a way to go.

Additionally, implementing and deploying biometrics is highly expensive, and although very convenient for users (no need for a physical hardware token, for example), the risk of compromise is still too high for highly sensitive deployments. Unlocking your phone is one thing; authorizing a five-figure money transfer is quite another.