How cybersecurity is strengthened with MFA

Passwords just don't cut it anymore. Is MFA the solution?
17 June 2019

USB devices are a common form of MFA. Source: Shutterstock

Many security experts in the field of technology have made a good case for multi-factor authentication (MFA) as a way that cybersecurity can be improved in the workplace. Troy Hunt, the brain behind HaveIBeenPwned, recently stated on these pages that U2F (a generic term for MFA) could end the threat from phishing overnight, were it universally adopted.

What is Multi-Factor Authentication / 2FA / U2F?

In many instances, when we identify ourselves to an application or service, we enter two pieces of information: a username, and a password. But because passwords are easily compromised, or guessed, or shared among colleagues, the effectiveness of the security check is significantly lessened.

MFA (and its variants) adds another layer of identification that further proves that the user is genuine. The additional factor might be, in rough order of security:

  • an additional, easily remembered piece of information, like an email address, city of birth, mother’s maiden name, and so on.
  • a response to a request sent via a different channel, like clicking a link in an email.
  • a code retrieved from another channel (like an SMS or message) and entered into the original interface, like a web form.
  • a trusted second form of identity verification, like a fingerprint reader or facial recognition system on a cellphone.
  • a dedicated form of biometric identity verification, like a hardware ‘key’ of the type made, for instance, by Yubico and Thetis.
  • an advanced form of biometric recognition unique to the individual, like a retinal scan, or a dedicated fingerprint or voiceprint reader in monitored hardware.

What’s wrong with passwords?

The unfortunate truth of cybersecurity is that as each new method of authentication comes on stream, it becomes the target for attack (it might be surmised that each new method is seen as a challenge!). Password authentication is seen as massively deprecated: although every password should be a seemingly random string of letters and characters, unique to each service, that’s rarely the case.

Common passwords are available to download by the billion quite openly on the internet, and so-called “brute force” attacks are simple ways that password combinations can be tried, one by one, by automated systems until one is accepted.

Additionally, once one system or service is “broken open,” the astute hacker knows that those credentials are often reused elsewhere. An employee’s online gym membership password may well be the same one used to access sensitive financial information at work. Hack the personal, badly protected service, and gain access to better targets…

Is the smartphone the best 2FA method?

Perhaps the easiest second-factor authentication method is to use the device that just about everyone today carries with them at all times: the mobile phone. The technology of fingerprint recognition (or face recognition) is often built in, so users can type in username and password as normal to begin the login process, then confirm a fingerprint on the phone to prove their identity.

Even for those without smartphones, use of a text message code, sent to the user’s phone and then typed into the interface, is also an option – although it’s worth noting that SMS is not entirely secure these days.

What is a hardware key?

There are an increasing number of devices on the market that help individuals and companies better protect their data by identifying individuals attempting to access information using dedicated hardware keys.

Common makes are Yubico, Google and Thetis (see also the new, open source SoloKeys project). The individual triggers these devices on cue, and the tool generates a unique, one-time use code that is associated with the user. While this type of authentication is perhaps the most secure available today (short of mass production of cheap retina-scanning hardware, for example), the technology has several downsides:

  • the appliance does have a cost (albeit not a high one – between $30 and $100 is typical).
  • devices can be lost, thus effectively locking out the user until a replacement arrives.
  • not all services and platforms accept hardware authentication methods as standard, so a key might not grant access everywhere.
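To make the “unique, one-time use code” above concrete, here is an added example (written for this page, not firmware or code from Yubico, Thetis, Google or SoloKeys) of one standardised way a button-press token produces such a code: HOTP, the HMAC-based one-time password from RFC 4226, which several hardware keys support. The `hotp` function is the RFC algorithm; the `TokenRecord` class, its `look_ahead` window and the idea of a server-side record are assumptions of the example. The shared secret and the expected codes are the published RFC 4226 test vectors, so the output can be checked against the standard. The verification side shows the two things a practitioner most needs to get right: a code is accepted only once (the counter moves past it, so a captured code cannot be replayed), and a small look-ahead window tolerates a user who pressed the button a few times without submitting.

```python
"""HOTP (RFC 4226) generation and server-side verification.

Added example of how a hardware token turns a button press into a
unique one-time code. The shared secret below is the RFC 4226 test
secret; TokenRecord and look_ahead are constructed for illustration.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Return the HOTP code for `secret` at `counter` (RFC 4226, section 5.3).

    The token keeps the counter and increments it on every press; the
    server keeps its own copy of the counter and the same secret.
    """
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenRecord:
    """Server-side state for one enrolled token (constructed for the example)."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.counter = 0               # next counter value the server expects
        self.look_ahead = look_ahead   # how many unsubmitted presses to tolerate

    def verify(self, submitted: str) -> bool:
        """Accept `submitted` only if it matches one of the next `look_ahead`
        counters, then advance past it so the same code is never accepted twice.
        Constant-time comparison avoids leaking how many digits matched."""
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1
                return True
        return False


# RFC 4226 Appendix D test secret (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"


def demo() -> list:
    """Walk through a login sequence and return the accept/reject decisions."""
    server = TokenRecord(RFC4226_SECRET)
    results = []
    results.append(server.verify(hotp(RFC4226_SECRET, 0)))   # first press: accepted
    results.append(server.verify(hotp(RFC4226_SECRET, 0)))   # replay of same code: rejected
    results.append(server.verify(hotp(RFC4226_SECRET, 5)))   # user pressed 4 times unsubmitted: accepted via window
    results.append(server.verify(hotp(RFC4226_SECRET, 3)))   # older code after resync: rejected
    return results


if __name__ == "__main__":
    for n in range(3):
        print(n, hotp(RFC4226_SECRET, n))
    print(demo())
```

Running the block prints the first three RFC test codes (755224, 287082, 359152) followed by `[True, False, True, False]`. The same secret-plus-counter design is why losing the key (the second downside above) locks the user out: nothing else can compute the next code, so the service needs an enrolment and recovery procedure for a replacement token.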