Not Just a Nice Option: a Necessity
About a month ago, I attended an online webinar hosted by Women in Cybersecurity all about Multifactor Authentication. Multifactor Authentication (or MFA), for those who may need a refresher, is an extra layer of security when signing in to services or applications. Essentially, you must authenticate yourself through multiple fields (or, Factors) in order to prove you are who you say you are. The earliest and most common form of MFA was Two-Factor Authentication (itself a subset of MFA) that would verify authenticity through two fields — most commonly by signing in with a password and then entering a security code that is texted to a phone number over SMS. Until recently, many people considered MFA an optional but beneficial layer of security. In fact, most online services still make MFA entirely optional, but, as discussed in the webinar and as I will exemplify below, MFA should absolutely be the default for all platforms.
The factors being authenticated in MFA are usually something the user knows (like a password), something the user has (like a phone, a key, or a card), and something the user is (verified through biometrics like fingerprints or voice recognition). The general idea behind MFA is that it makes it harder to impersonate someone and gain access to data or services that legitimately belong to the person being imitated. The benefits should be immediately obvious — if a data breach gives a bad actor access to your account’s password, in a perfect world, they still can’t access your account because they don’t have access to your phone or your fingerprint. Despite not being a perfect solution (there are certainly some examples of MFA being successfully circumvented), there are countless stories where MFA has successfully deterred attackers from compromising accounts.
In the webinar I attended, the hosts (Camille Singleton and Allison Wikoff of the IBM X-force team) specifically discussed ITG18, an Iranian state-sponsored hacking group. Recently, a virtual treasure trove of videos documenting the processes of ITG18 was revealed online, which gave a unique insight to the process of harvesting credentials and compromising accounts (you can read more about it here). In these videos, anytime a threat actor came across an account that had MFA enabled, they would simply pivot to another account or service and move on. In essence, there are so many accounts online that are easy to compromise; therefore, the time and effort it would take to specifically bypass MFA makes the effort unproductive.
Of course, there are some examples of MFA being successfully circumvented. There are some freely-available tools online, like Modlishka, and some hackers have also used “SIM Swapping” (whereby an attacker takes over someone’s cellphone) to receive an account’s SMS text messages. In many cases, these attacks are very specifically focused, meaning an individual is targeted, rather than a large scale attack like a data breach that leaks lists of multiple user accounts and passwords. In other words, it is still very preferable to have some form of MFA enabled, even if someone with the time and resources could potentially circumvent it if they tried long enough.
What does all of this mean, and what are the key takeaways? Well, firstly, as stated previously, you absolutely should enable Multifactor Authentication on any account or service that allows it. A useful resource for this is https://twofactorauth.org/ which lists a bunch of online services and whether or not they have 2FA enabled. Additionally, you should use a third-party MFA app (like Google Authenticator or a password manager that supports it) over SMS-style authenticating, if that account allows for it (if you can’t, it’s still better to use SMS than no MFA at all). For the cybersecurity professional, we should be making MFA the default option with any service, and we need to make the process of using MFA as easy and streamlined as possible — one of the biggest reasons why MFA is often disabled is because it seems complicated to those who aren’t “computer people” or because it interrupts someone’s workflow. Of course, anytime we add an extra layer of security to a process, it will probably slow things down a little, but it’s on us as cybersecurity communicators to highlight the importance and necessity of good security and to find the best ways to integrate it into our usual practices.
What about you? Do you use MFA? Have you had trouble getting others onboard with it? Have you ever run into issues with MFA? Let me know in the comments!