2FA is Not Enough: Why MFA is the Solution to Your Solution
Nearly every personal activity online is gated behind a login and password. The problem is that passwords are not secure: trillions are exposed on the dark web, users fall into predictable password patterns, the same password is reused across multiple services, and weak passwords can be guessed by malicious software, among a myriad of other flaws. In fact, a 2017 report found that 81% of hacks occur due to weak or stolen passwords. This is why more and more companies are adopting two-factor authentication (2FA) as their next line of defense in cybersecurity.
The question is, “How secure is 2FA?”
Defining Two-Factor Authentication
2FA adds an extra layer of security to passwords by requiring an additional factor of authentication, such as a six-digit number sent to your phone via SMS. The system combines something you know (i.e. your password) with something you have (i.e. your phone).
The problem is that 2FA, especially SMS-based 2FA, has many flaws, which have been thoroughly exploited by hackers.
Notorious 2FA Hacks
In 2018, a hacker breached Reddit’s 2FA security systems and gained access to valuable data, including internal files, source code, and user emails. Reddit claimed to have robust security measures, as it stood behind SMS-based two-factor authentication. Unfortunately, it fell victim to a SIM swap, a common and relatively easy method of bypassing 2FA. After this incident, Reddit announced it was moving to stronger security systems.
Last year Twitter’s CEO Jack Dorsey had his account hacked, and the details of how it happened were made public: by SIM swapping. Hackers impersonated Jack Dorsey and were able to port his phone number to a new SIM card. Even though this specific case does not involve a breach through a 2FA system, it does show how vulnerable these systems are. If SIM swapping were hard to achieve, hackers would not have pursued it only to post offensive tweets through Dorsey’s account.
4 Ways SMS-based 2FA Can Be Compromised
The National Institute of Standards and Technology (NIST) cited a lack of security around SMS-based two-factor authentication and discouraged its use. Here are four ways it can be hacked.
SIM swap & social engineering
SIM swap is by far the easiest form of 2FA hack. The reason is simple - it does not require any technical knowledge. Attackers use social engineering, which leverages simple psychological tactics to gain trust. Using information obtained from data breaches and social media, fraudsters convince carriers’ employees that they are the true owner of the account behind that SIM card. Once the victim’s phone number is ported to a new SIM, the 2FA codes are sent to the SIM card in the hackers’ possession, bypassing the security system.
SMS can be intercepted/redirected
In 2017, security researchers targeted a Coinbase account that was registered to a Gmail account - both were protected by SMS-based 2FA. By exploiting flaws in the cell network, they were able to intercept text messages and reset the Gmail password before gaining access to the Coinbase account. All they needed was a name, phone number, and email address.
The generated codes can be “swiped” if they pop up in lock-screen notifications
Unless you set notifications to hide their content, text messages containing 2FA codes are displayed on your lock screen. Although convenient, this also means they are visible to anyone physically present. Anyone “shoulder-surfing” a victim can see the codes and potentially use them.
The algorithms used to generate the codes can be deciphered
Most 2FA code-generating tokens start from a shared secret, which acts as the seed for every code generated afterwards. If a hacker learns that shared secret and the algorithm, they can build an identical copy of the victim’s code generator.
There are other methods hackers use to trick users into handing over their 2FA codes. These tactics include technical support scams, fake websites or popups, scareware, and man-in-the-browser attacks. Despite 2FA adding a layer of security on top of passwords, it has many easily exploitable flaws.
2FA grants access to whoever has a device or a code - MFA guarantees the intended user is the one receiving access.
What is MFA?
If you are looking for ways to protect your network, MFA is the solution. MFA incorporates a third factor to the authentication process - the “who you are” factor.
Multi-factor authentication is usually a combination of knowledge, possession, and inherence factors. In other words, it is a mix of what you know, what you have, and who you are. The inherence factor, verified through biometrics, is what sets MFA apart from all other authentication methods. By leveraging state-of-the-art biometric software, any regular smartphone or webcam can capture your biometrics, guaranteeing that the user is who they claim to be.
MFA with biometrics has the best of both worlds: it leverages unmatched security and it is easy to use. Advanced solutions offer multiple options of biometrics such as face, palm, iris, and voice. There is no need to input separate codes, and authentication takes just a few seconds. It is a win-win situation in the form of both security and convenience!
Protect Your Data
Two-factor authentication established an early foundation for cybersecurity that strengthened passwords, but it can only do so much. An improved solution for safeguarding data is to require a third factor to authenticate the user - which is exactly what MFA with biometrics offers.
Surveys show that about 38% of large organizations are using multi-factor authentication. With cybercrime becoming more prevalent, for companies that do not protect themselves with this secure form of authentication the question is not whether they will be breached, but when.