Francesco Cipollone

MFA 101



As industry leaders and advocates of cybersecurity, we are all responsible for protecting society against threats. One of the more recent and most persistent issues is account compromise.


With the rise in both frequency and size of data breaches, we face more and more personal information and personal account details being dumped on the dark web.


If you are not yet convinced, then take a look at this article or the infographic below for a reminder of just how big an issue this actually is.



Cybercrime now accounts for more than 50% of all crimes in the UK (National Crime Agency), with malicious hackers attacking computers and networks at a rate of one attack every 39 seconds (University of Maryland).


So what more can we do?


With so many people still failing to heed all warnings about using password123 or other equally poor options for every single account across their entire lives, it’s time to get serious and take the choice out of their hands.


That’s where 2-factor authentication and multi-factor authentication have to become the norm.


But what is MFA and 2FA?


2-Factor Authentication adds an additional layer to any log-in process, making it harder for hackers to gain access. The second layer usually takes the form of a security token or a biometric factor like a fingerprint or facial scan.


Multi-factor authentication does exactly what it says on the tin: it requires users to verify their identities by providing multiple pieces of evidence before they can access their device or application.


How does it work?


If you set up two-factor authentication, you'll be asked to enter a special login code or confirm your login attempt each time you or someone else tries to access your account from a computer or mobile device that is not recognised. You can also get alerts when someone tries logging in from a computer that you don't recognise.


The common methods of 2-factor authentication are:


SMS authentication code (good, but not very secure)

Google/Microsoft authenticator app

Physical authentication token, e.g. your bank's authentication key/card or a Yubico key


Don’t block your own access!


Improving security is vital to staying safe online. The problem arises, though, if you lose your device and need to recover the authenticator app.


You usually need the seed, which is the secret key (or QR code) displayed when you register, so make sure you write it down. There are other ways to recover your account, though: GitHub, for example, also lets you get back in with a set of one-time recovery codes.


Once you have the recovery codes, you can print them out or paste them into a password manager so you’ll never get locked out of your account.
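Recovery codes work because the service keeps only a hash of each code and marks it used the first time it is redeemed. The block below is an added example, not GitHub's or any other provider's code: it generates a batch of random one-time codes, stores their SHA-256 hashes, and redeems each code at most once, normalising case and dashes so a code copied from a printout still matches. The alphabet and code format are assumptions chosen to avoid ambiguous characters.

```python
import hashlib
import hmac
import secrets

# Assumed alphabet: lower-case letters and digits without the look-alikes 0/o, 1/l/i.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_recovery_codes(count: int = 10, length: int = 10) -> list[str]:
    """Make `count` random codes of `length` characters, shown as xxxxx-xxxxx for readability."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes


def normalise(code: str) -> str:
    """Strip dashes/spaces and lower-case, so a hand-typed code matches the stored one."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def hash_code(code: str) -> str:
    # Codes are high-entropy random strings, so a plain SHA-256 is enough; a password
    # hash (bcrypt/argon2) is only needed when the input is something a human chose.
    return hashlib.sha256(normalise(code).encode()).hexdigest()


class RecoveryCodeStore:
    """Server-side record of the unused codes for one account (hashes only, never plaintext)."""

    def __init__(self, codes: list[str]):
        self._unused = {hash_code(c) for c in codes}

    def remaining(self) -> int:
        return len(self._unused)

    def redeem(self, submitted: str) -> bool:
        """Return True and consume the code if it is valid and unused; otherwise False."""
        candidate = hash_code(submitted)
        matched = None
        for stored in self._unused:
            # compare_digest avoids leaking which prefix matched via timing.
            if hmac.compare_digest(stored, candidate):
                matched = stored
        if matched is None:
            return False
        self._unused.remove(matched)     # one-time use: the same code never works twice
        return True


if __name__ == "__main__":
    codes = generate_recovery_codes()
    store = RecoveryCodeStore(codes)
    print("give these to the user once:", codes)
    print("first use:", store.redeem(codes[0]), "second use:", store.redeem(codes[0]))
    print("codes left:", store.remaining())
```

The user sees the plaintext codes exactly once, at generation time, which is why the post tells you to print them or put them in a password manager straight away.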



Phone authentication


Recently there has been a lot of bad press about SMS interception and IMSI-catchers (devices that capture the IMSI, the identifier of your phone’s SIM card, by posing as a cell tower), commonly known as Stingrays.


The truth of the matter is that your average hacker will not carry out such an attack unless they really want to hack your account, and in that case it is just a matter of when, not if.


So in 99.99% of cases, your truly average hacker will move on to another target if you have SMS authentication in place, unless, as mentioned, they are really out to get you.


What can you do to improve?


If your provider doesn’t support MFA then demand it!


How to secure your account


This list is by no means exhaustive, but it will be added to regularly, so please add any more in the comments below. I’ll also run a poll on my Twitter on the top 3 fails.


GMAIL - Complexity=Medium - https://www.google.com/landing/2step/

Facebook - Complexity=Low - https://m.facebook.com/help/148233965247823


Conclusion


Whether you secure your account with a physical MFA token, a soft token or an SMS PIN does not ultimately matter, as long as you add an additional factor to your authentication.


