Community News csm21 Security

Why you should use Multi-Factor Authentication (MFA) as much as possible

By Andrea Pinzani, GARR-CERT

Remote-working: digital identities are at risk!

Due to the pandemic, homeworking has become a thing all around the world. This offers a number of advantages, but poses new challenges also in terms of security. With the dramatic increase in the number of remote-workers, cybercrimes targeting end-users have also risen  – with particular focus on digital identities. Moreover, we are progressively moving personal information in the cloud because it is oh so convenient, but it is important to make sure our data is secure.

Passwords are fragile things

Nowadays passwords are the most widespread method of authentication, but unfortunately they aren’t a strong one. This is because we humans are not good at devising strong passwords, in fact those we produce are too simple and short, predictable and often reused to access more than one service.

The number of passwords that are compromised due to phishing or data breaches is rising. According to a recent report, more than 80% of data breaches exploit stolen credentials, thus creating a sort of cascading effect.

We always have to bear in mind that any other security measures we can take, as antiviruses, firewalls etc, become completely ineffectual in the face of an illegal access through legitimate, but stolen credentials.

When access only requires a user id and a password, we are using single-factor authentication.

MFA – Multi-Factor Authentication

To make the authentication process stronger we can use MFA, i.e. provide multiple authentication factors instead of one. The assumption is that it is improbable that an unauthorised actor can obtain all the factors needed for granting access to the service in question. A MFA scheme includes a combination of some of the following factors:

  • Something the user knows: password, PIN, etc.
  • Something the user owns: mobile phone, security key, etc.
  • Something the user is (biometrics): fingerprint, voice, face, etc.

2FA – two-factor authentication

The simpler and more widely used form of MFA is two-factor authentication. An example of 2FA is cash machine withdrawal: only the correct combination of a bank card (that the user owns) and a PIN (that the user knows) allows to complete the transaction.

For online services, in most cases the first factor is a password, while the second is a one-time code that expires after some time has elapsed (Time-Based One-Time Password, TOTP) of 6 or 8 digits, that the user obtains through a device they own, typically a smartphone. In this way, an attacker who steals the user’s password won’t be able to access without the device.

Home banking services foresee 2FA by regulation, but nowadays the websites of all major internet players, and many more offer it. However, user-activated 2FA are still relatively rare. For instance, Twitter has revealed that only 2,3% of all active accounts has enabled an 2FA method between July and December 2020.

Common types of 2FA

e-mail verification. When the user attempts to access the service, an automated email message is sent with a TOTP code or a link to confirm that the login is legitimate.

Voice messages or SMS. When the user attempts to access the service, a TOTP is sent to the user’s smartphone, via SMS or automated call. A variation of this technique foresees that the user accesses a website via their username and password, and then a code is visualised that the user will insert in their smartphone after calling a dedicated toll-free number.

Push notifications. A push notification is sent directly to a secure app on the user’s device, to notify that an attempt to access the service is ongoing: the user can approve or deny access. This technique requires an internet data connection.

Software tokens / Authentication apps. The user installs an authentication app on their device (smartphone or pc). Users insert their user id and password and then access the app to obtain a TOTP passcode and complete the access. Google Authenticator, Microsoft Authenticator and Twilio Authy are among the most popular authentication apps; some password managers like 1Password and LastPass offer 2FA too. Apple introduced a integrated 2FA passcode generator in iOS 15, iPadOS 15 and macOS Monterey. Applications visualise a code that is updated every 30 seconds, and is constantly synchronised with each associated service. This technique does not require an internet data connection.

Hardware tokens. in this category we find physical devices that can be classified according to their type:

  • Disconnected Tokens. This type of device generally uses a small integrated display showing a numeric code that the user will insert manually. The home banking system in Europe has discontinued this kind of device and adopted apps instead.
  • Connected Tokens. This device needs to be connected to a computer or a smartphone and transfers authentication data automatically. Examples are smartcards and USB tokens, but Bluetooth and NFC are also used. The latest version are security keys, that adopt the FIDO U2F (Fast Identity Online – Universal Second Factor) protocol. These devices represent an univocal token and need to be registered on the service that the user wants to protect. The FIDO2 version can allow to access without user and password, or replace the password with a second FIDO security key. Security keys can be used also for logging in Windows and Apple OS X systems.

Biometrics. Biometric authentication is more and more available on devices. In this kind of authentication, users themselves act as tokens. It is the simplest and more intuitive authentication method and many experts believe that the future of 2FA lies with this technology.

Unfortunately, though, it is not yet a perfect technology and sometimes systems struggle to confirm correspondences. However we can be confident that this process will soon become faster and more effective. Iris scan technologies are also generating high expectations among experts.

How can we enable 2FA with authentication apps?

Once installed the selected app, we will need to access all accounts we intend to protect, there is no single procedure for all services. In the configuration of the user profile, find the “privacy” or “security” settings and enable the available 2FA option. In many cases, reading a QR code is required to couple the authentication to the site. The code can be scanned more than once, so it is important to save it in a secure place or print it.

The services offering 2FA generally also offer one-time backup codes, that should be printed and stored in a safe place as they are the main method to avoid being locked-out from one’s account in case for some reason the authentication app can’t be accessed.

It is also important to enable security notices, if available: they will notify when a login attempt is performed or other events related to our account.

Some 2FA simplify access, for instance by offering the possibility to avoid providing the second factor after one or more successfully completed authentications from the same trusted browser or device.

Enabling and using 2FA requires a relatively small effort from the user’s part: just compare that to the problems and damages the loss of access to your account can cause. Felons count on your negligence in protecting your data!.

Not all 2FA factors are the same – vulnerabilities and disadvantages

2FA is not magic, but in any case it enhances security and the probability of access being compromised is relatively low. Any form of 2FA is preferable to password-only authentication.

e-mail verification. It’s the less secure form of 2FA, as hackers can snatch your mailbox password or some malware can read your email on local folders.

Voice messages or SMS. An attacker can readdress and read SMS by:

  • inducing users to install some malware on their devices
  • hacking the mobile network (SS7 protocol vulnerability)
  • through social engineering, by pretending to be the user and inducing the telephone operator to transfer the target’s phone number to a SIM in their possession (SIM-swap). Mobile operators are anyway making this harder by improving their security procedures.

Disadvantages

  • This method requires an active internet connection.
  • Some people are uncomfortable to share their phone number: there is a privacy risk and some companies have abused this opportunity to send unwanted advertisements.

Software Tokens / Authentication apps. Apps are more secure than SMS as they avoid SIM-swap risks, but in 2020 a new malware was found that could steal 2FA codes from Google Authenticator.

Phishing. An attacker can create a malicious site mimicking the original one, and send a fake message that invites the user to connect. If the user takes the bite, the attacker can obtain user name, password and authentication code. Or via a fake SMS (smishing) or voice call (vishing), an hacker can impersonate your home banking service and, ask you to confirm your identity by reading the code that you have just received. Even if TOTP passcodes make way more difficult to perform successful attacks, you should never share them with anyone.

Hardware tokens. Security keys are the most secure form of 2FA, and integrate protection measures and they include integrated protections from phishing and MITM (Man-in-the-Middle) attacks. The information is archived on a hardware device and can’t be duplicated, unless the device is physically tampered with.

The main disadvantage of this method is the need to bring the physical token with us, and misplacing, losing or having the device stolen are practical risks. Also, security keys are relatively costly.

Password reset. Password reset can work as a way to violate 2FA because it “bypasses” it. A solution can be to use one form of 2FA for the normal access, and a second combination of 2FA for password reset.

Despite the problems we reviewed, combining password authentication with authentication apps is the best and most widely used solution for personal use. It only adds a few seconds to the authentication time, is for free and greatly improves your security online. If you’re not using it already, it’s time to upgrade!


About the author

Andrea Pinzani

Andrea Pinzani is an IT security expert at the Consortium GARR. Since 1999 he has been working at GARR-CERT (cert.garr.it). He reports and manages IT security incidents, publishes security alerts on the most common vulnerabilities, provides support and training to users in the field of cybersecurity and is also dedicated to the study and analysis of cyber intelligence sources for operational data protection purposes.

 

Also this year GÉANT joins the European Cyber Security Month, with the 'Cyber ​​Hero @ Home' campaign. Read articles from cyber security experts within our community and download resources from our awareness package on https://dev.connect.geant.org/csm2021