Two-Factor and Multi-Factor Authentication – A False Sense of Security


    John Bassett | CTO

    Entering a user ID and password has been the de facto standard for computer access for many decades. However, most of us are aware that IDs and passwords are easily compromised, and with creative phishing attempts it is rather simple for attacker teams to obtain your credentials. Enter two-factor authentication (2FA) and multi-factor authentication (MFA).

    These two technologies add an extra layer of protection to your accounts, which is particularly necessary for any online account. Attacks against government agencies, companies, and individuals are increasing, with no sign of cybercrime declining. Fortunately, most online services and company VPN solutions allow you to add 2FA, MFA, or even adaptive MFA to counter data breaches, weak passwords, and phishing attacks.

    The concept of 2FA and MFA is to require you to provide more than just your user ID and password. MFA means presenting multiple forms of evidence of who you are to an authentication mechanism. The textbook definition is to present at least two of the following categories: knowledge (something you know, such as your ATM PIN); possession (something you have, such as your ATM card); and inherence (something you are, such as a fingerprint).

    2FA and MFA are not all that different. 2FA is a form of MFA, and most deployments stop there. It is possible to have 3FA and 4FA, but they become impractical to implement, and most attackers will simply work out how to bypass those additional factors. The good news is that a user ID and password coupled with 2FA or MFA make accounts much harder to crack.

    However, nothing is infallible, and some forms of authentication are more secure than others. In the example above, we mentioned an ATM. To get into your account, you must have both the card and the PIN. This is reasonably secure. However, a code sent to your cell phone via SMS, or even by voice call, is much easier to defeat. The reason is that a cell phone number can be transferred and routed to an attacker's phone. The attacker may have to trick someone at a phone provider's call center into reassigning the SIM, but that happens daily. It requires a lot of work on the attacker's part, but if they really want in, they can get in.

    Hardware tokens are much harder to trick, but they can get expensive. Most companies have replaced hardware tokens with software tokens, which provide a similar solution at low or zero cost. Solutions such as DUO Authenticator, Google Authenticator, and Microsoft Authenticator are current examples. The good news is that app-based 2FA tools are available for mobile devices, wearables, and desktop/server platforms.

    In summary, having 2FA/MFA is more secure than not having it. If you have a choice, an authenticator app is more secure than SMS.