Strong Multi-Factor Authentication (MFA):
The Ultimate Guide

What is authentication?

 
Before we can understand multi-factor authentication, it’s essential to understand the basics of authentication.
 
Authentication verifies the identity of a user or process. As we’ve previously discussed, you can find many types of authentication in your daily life, from entering your birth date at the doctor’s office to presenting your driver’s license for confirmation of your identity.
 
There are three main types of authentication, and each has its own variability in terms of accuracy and strength.

• Something you know
• Something you have
• Something you are

 

Something you know

 
This category of authentication includes items that you memorize or remember. They could be a password, passphrase, or personal identification number (PIN).
 

Something you have

 
This category encompasses something separate that you possess. It could be an RSA token, an authenticator app, or a Yubikey.
 

Something you are

 
This category includes something related to you, and only you, as a person. It could be your fingerprint, a retinal scan, or facial recognition.
 

What is multi-factor authentication, and how does it work?

 
Multi-factor authentication (MFA) is a security measure for a login or transaction that requires multiple authentication methods to verify a user’s identity. Ideally, it combines two different methods of authentication.
 

Think about it.
 
If someone stole your debit card and tried to withdraw money from your account, they would need to know your PIN (something you know) in addition to inserting the card into the ATM (something you have). If you didn’t have a PIN associated with your account, anyone who took your debit card could go to an ATM and empty your savings. The PIN creates an additional layer of security to verify that it’s really you and prevent the wrong person from accessing your financial information.
 
Already, you’re using MFA every day (and if your debit card doesn’t have a PIN associated with it, consider rectifying that).
 
Another instance of MFA you may be familiar with combines two methods— a passphrase (something you know) and an authenticator app (something you have). In this scenario, your passphrase is static and only changes when you update it. However, viewing a code in your authenticator app is not static; typically, these codes are rolling and time-based that update every 30-60 seconds. At that specific moment in time, you should be the only person able to authenticate because you are the only one with the registered authenticator app and associated code.

Just as there are different types of authentication, there are different categories of MFA—and they are not all created equal.
 
Each type of MFA will typically fall into one of three categories: code-based authentication (such as text messages or authenticator apps), push-based authentication, and hardware token authentication. Some forms provide a higher level of security than others and are better suited for your needs. Let’s explore each of these categories and associated types in more detail.
 

What are the main categories of MFA?

 
MFA has three main categories: hardware token authentication, code-based authentication, and push-based authentication.
 
Hardware token authentication uses FIDO or U2F authentication and is currently the strongest form of MFA. It involves a hardware token that you plug into your device, like a YubiKey, or a hardware token with a rolling code that you enter manually. Some hardware tokens are vulnerable to social engineering attacks, especially if they involve manually entered codes. However, tokens like the YubiKey are much harder to breach.
 
Code-based authentication relies on a One-Time Passcode (OTP) either sent to or generated by your device. While code-based MFA is often easy to implement, it is not foolproof. Attackers can leverage social engineering to trick you into sharing these codes through common phishing scams unbeknownst to you. Additionally, text message-based two factor authentication is vulnerable to common threats such as SIM swapping, in which an attacker temporarily gains access to your phone number to steal two-factor authentication codes.
 
Push-based authentication consists of a push notification sent to your mobile device for your approval by pressing a button or entering a short code to continue. This MFA method is often more convenient, but can come at the cost of some security. Attackers have previously spammed this push notification (also known as an MFA fatigue attack) in the hopes that a frustrated user will hit “Approve” to stop the requests.
 

What are some specific types of MFA?

 
Keep reading to discover specific types of MFA, ranked from strongest to weakest.
 

Physical token/manual code entry

 
Physical tokens and manual MFA processes lie at the highest end of the security spectrum because they are the hardest to defeat. They rely on transcribing something from one system to another. Most importantly, these two systems are not integrated, which makes it difficult for an attacker to exploit without using a social attack.
 
One type of physical token or U2F (Universal 2nd Factor) is a YubiKey, which is hardware that you plug into your device. These hardware tokens implement common FIDO protocols to provide very secure authentication. When you want to log in, you press a button instructing the YubiKey to send a signed message to the service you are logging into. The code validates your true identity because your YubiKey is unique to you. Most importantly, U2F or FIDO-compatible devices verify the website you are logging into by design and will block accidental sign-in attempts to phishing websites. This significantly reduces the likelihood of your accounts being compromised in social engineering attacks.
 
Though this is the strongest form of MFA, it’s important to note that physical tokens aren’t always supported on all devices or platforms. There are also hardware costs to consider, and your token could get lost or stolen, so a backup device is often required.
 
Other physical tokens have rolling codes you can enter manually, such as an RSA token. Unlike the YubiKey, these types of tokens are susceptible to social engineering attacks. An attacker could pose as someone from a reputable organization and ask the user for the code.
 
If hardware tokens cannot be used, an alternative method of MFA is manual code entry from an authenticator app because it requires a physical method of action—typing in a code. There is no blind approval with this method, like with push notification-based MFA. Also called TOTP (Time-based One-Time Passcodes), you’ve likely seen this type of MFA if you use Google Authenticator. This method is commonly used and easy to implement; there is no associated hardware cost. However, like physical tokens with rolling codes, there is the potential that attackers could gain access to your code via social engineering tactics.
 

Partial code entry with push notification

 
This type of MFA also ranks higher in terms of security. With this type of MFA, you receive a push notification with a short code to approve your login. Your login only works if you can access the code, which should be visible to only you. Consequently, it is very difficult to intercept this from a technical perspective. In some ways, this method is easier for users because they don’t have to search for each code on their authenticator app or physical token.
 
While this method is typically convenient for users, it is not completely resistant to social engineering in which an attacker requests the code from the user.
 

Push notifications

 
In the spectrum of MFA, push notifications fall largely in the middle. In this scenario, users receive a prompt asking if they’re trying to log in. If they are, they approve the login, but if not, they reject it to prevent the login from continuing. Although it is less interceptable than other forms of MFA and easy for users to implement, it is subject to targeted abuse by attackers.
 
In what is otherwise known as an MFA fatigue attack, attackers send multiple push attempts in the hopes that you will click to allow the sign-in. Attackers leveraged this technique when initially gaining access in the widely publicized Uber breach. In this instance, attackers guessed a password and spammed MFA push notifications to an Uber employee. They then socially engineered the user by claiming to be a member of Uber’s IT staff and sent many requests until one was accepted.
 
Push notification-based MFA can also be compromised based on a user’s daily routine and muscle memory. If an attacker guesses a user’s password and figures out the time they usually log in to their systems for the day, they can exploit this to access accounts. The individual might be so used to accepting the push notification at that time of day that they accept it without thinking twice.
 
Never accept a push notification that is sent at random without you having taken direct login action first. If you notice a random push notification, speak with your IT team to notify them of the suspicious activity. When in doubt, take action and change your password to be safe.
 
To protect against MFA fatigue and other push-based attacks, we recommend configuring push-based number-matching if available or utilizing a more secure form of MFA.
 

Receiving a code via SMS or email

 
Although receiving codes via SMS or email are common forms of MFA, they are interceptable and weaker than other methods. It’s important to note that SMS is not encrypted and is subject to some form of interception at the carrier level for motivated attackers. More commonly, if someone wanted to intercept your SMS messages, they could execute what is known as a SIM swap attack, where they would likely need an insider at a mobile phone provider to help. This type of attack is not uncommon for higher-profile individuals or those seen as valuable targets to attackers.
 
Email-based multi-factor authentication allows an attacker who compromised an email account the ability to both reset the password for an account and receive the second-factor authentication of other services. Both SMS and email forms of MFA are susceptible to social engineering tactics, and more secure methods should be used when possible.
 

Receiving a code via phone

 
Phone-based MFA differs from SMS MFA because it involves receiving a phone call and pressing a button or responding yes. This type of MFA ranks on the lowest end of the security spectrum and should be avoided. It leaves too much possibility for social engineering and user confusion regarding prompt approvals, lowering its security.
 

MFA serves as a safety net during authentication to validate a user’s true identity. It provides an additional layer of security for accounts and can also indicate if a password has been compromised.
 

For instance, receiving a random push notification that wasn’t in direct response to an action you took may be a sign that your password has been guessed. If an attacker guesses a poorly constructed password, or even a strong one, the MFA prompt will be the only barrier between them and access to the information system they are trying to log into.

 

Do I need MFA for every account?

 

In today’s world, MFA is necessary for all of your public-facing accounts, even the ones you don’t think are worth anything. This includes email clients and ERP, CRM, LOB, and VPN systems. If it is externally accessible by your staff or the attackers, it should be protected.
 

According to a survey by Beyond Identity, 75% of respondents considered MFA annoying, but 65% responded that it prevented an account from being compromised. Although users have experienced frustrations with MFA, such as being unable to make purchases, protecting your accounts is better for your data and information security in the long run.
 

Any account can be useful to an attacker in some way. Remember that CEOs are the number one targets and certainly need MFA for their systems

 

Do I still need a strong password if I have MFA enabled?

 

In short, yes.
 

A strong password complements MFA but doesn’t eliminate the need. You’ll want to have both in place for an enhanced security posture.
 

MFA is the last line of defense protecting your accounts; don’t create weak passwords and assume MFA will secure your data. It’s better to build a strong security defense with hard-to-guess passphrases and enabled MFA.

Though we’ve described how MFA is critical to protect the security of your data, it’s important to remember that it’s not foolproof. There are still ways for attackers to obtain your method of MFA and gain access to your accounts.
 

For the higher-security MFA methods, though, it’s important to note that social attacks are the primary method used to bypass them. It’s more difficult to breach these methods from a technical perspective.

 

Social-centric attacks

 
Social-centric attacks are types of cyber attacks that utilize social engineering. Social engineering is a process of psychological manipulation that bad actors use to trick users into making security blunders or giving away sensitive information.
 

Take this example.
 

Let’s say an attacker guesses your banking password accurately. Now, they would just need your MFA code to access your account. If they want to obtain that code, they may call you, say they are from your bank, and ask you for that code to validate your account. You might provide them with the code if you don’t know any better. After all, you assume they’re from your bank and are here to help.
 

“People-pleasing” also comes into play here. If someone of assumed authority asks for something, it can be difficult to say no because you don’t want to cause any issues.
 

You should never provide your MFA code to anyone under any circumstances. Organizations like the IRS will never call you and ask you to validate any information over the phone.

 

 

MFA fatigue attacks

 

Another scenario where MFA could be breached is an instance known as MFA fatigue attacks.
 

As we saw with the Uber breach, some attackers will spam MFA prompts (especially push notifications) and hope the user blindly accepts or purposely accepts one to make the prompts stop. 62% of users have experienced an MFA fatigue attack.
 

To combat this, some, but not all, authentication methods will lock your account if you try to log in and authenticate more than three or four times in a row. Keep this in mind when you’re choosing which type of MFA platform to pursue.
 

If it can happen at a large organization like Uber, it can certainly happen at your business.

 

 

How can I protect my accounts from these attacks?

 

One security control that can secure your accounts is Risk-Based Authentication (RBA), which is designed to protect organizations and users based on UEBA (User Editing Behavior Analytics) even when MFA fails. These systems consider many different factors relevant to a user’s general behavior to decide whether the login or access request is legitimate. These factors can include user ID, password, device familiarity, location, IP address, login trends, and usage context. If too many of these conditions are not met, the system may block the login and require additional means of authentication or temporarily lock your account.
 

For example, if a user is attempting to log in on an unfamiliar device and access unauthorized systems, all outside of normal working hours, it may be deemed as suspicious activity. In this case, artificial intelligence (AI) determines that the user is behaving unusually based on previous behavior. If the current behavior doesn’t match the trends of usual behavior, it may flag the activity and prevent the attempted action.
 

While risk-based analysis helps protect accounts, it’s important to know that these systems are typically implemented by service providers, which means there is nothing for you to do in most cases. However, you can watch for notifications from these services (such as Google) and take appropriate action if you notice any suspicious activity notifications.
 

If you do receive one of these notifications, don’t click on any links in the email. Simply type in the company’s website and log in to your account normally to change your password. Attackers often use these types of alerts in phishing messages to trick unsuspecting users.