MFA stands for Multi-Factor Authentication. Microsoft describes MFA as an additional step in the authentication process: “You need a second thing – what we call a second “factor” – to prove who you are.”
When logging into your online account, you prove who you are with credentials, usually a username and password. Then, you add another security measure, or factor, with MFA.
The key difference between MFA and 2-FA
You may have heard that MFA and 2-FA are interchangeable, but they are not the same.
2-FA stands for Two-Factor Authentication. 2-FA and MFA work in essentially the same way, but 2-FA is limited to exactly two different authentication factors, while MFA can use two or more.
NIST Special Publication 1800-27 defines MFA as “Authentication using two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric).”
You achieve MFA when you use two or more of the three factor categories. For example, if you use a password, username, and PIN, you are not using MFA, since all three fall into the same category of “something you know.” On the other hand, if you use a username, password, and facial biometric scan, you are using MFA. This combination spans two categories: “something you know” and “something you are.”
Choosing one over the other
Now that we understand the key difference between the two, let us discuss choosing one over the other. More can be better, and in this case, it is. Using MFA on accounts such as your healthcare login portal, your bank account, identity management portals, and the like is more secure. A login such as your movie theater portal can benefit from MFA, but 2-FA is sufficient if there is no sensitive information behind it. TCMS recommends MFA via an authenticator app in as many places as possible.
Upside of MFA
The upside or benefit of MFA almost always heavily outweighs the downside. It enhances security, deters attackers who look for easy targets, and helps ensure that only authorized users access the information.
Downside of MFA
The downside of MFA stems from inconvenience. It can be inconvenient to the end user, who will always need to present the second factor to gain access to their information. It can also be a burden for those in charge of implementing and administering MFA. An organization’s IT department should be responsible for deploying MFA to all possible company accounts. However, inconvenience should never be the deciding factor in choosing not to implement MFA.
There are various methods of bypassing MFA. The most successful strategy is the least technical one – social engineering. For example, you might receive a phone call from someone claiming to be from your company’s IT department or a well-known vendor. They invent a story, ask you for the code, and they now have access to your account.
Other common ways of bypassing MFA stem from a misconfiguration within the application or portal. For example, an attacker can brute-force MFA codes, log into the application via a legacy protocol that does not require MFA, or hijack a SIM card and receive a text-message MFA code.
Users should never provide their MFA code or password to anyone over the phone. Be wary of social engineering attacks.
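The brute-force path mentioned above only works when the server will evaluate an unlimited number of guesses. The following is an added example, not code from this post or from TCM Security, of a server-side TOTP check that closes that gap: it implements RFC 4226/6238 codes with the standard library and wraps them in a verifier that budgets failures per account, locks the account for a cooling-off period once the budget is spent, and refuses a code that has already been accepted. The demo secret is the published RFC test-vector key, not a real credential, and the class name, thresholds and return strings are assumptions for illustration.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side TOTP check with the controls a brute-force attempt runs into:
    a failure budget per account, a lockout once it is spent, and rejection of
    a code that was already accepted (replay). Thresholds are illustrative."""

    STEP = 30             # seconds per TOTP window
    MAX_FAILURES = 5      # wrong codes tolerated before lockout
    LOCKOUT_SECONDS = 300

    def __init__(self, secrets: dict):
        self._secrets = secrets       # user -> shared TOTP secret (constructed for the demo)
        self._failures = {}           # user -> (count, time of first failure)
        self._last_counter = {}       # user -> last counter value accepted

    def verify(self, user: str, code: str, now: int, window: int = 1) -> str:
        """Return 'ok', 'invalid', 'locked' or 'replayed' for a submitted code."""
        secret = self._secrets.get(user)
        if secret is None:
            return "invalid"          # unknown user gets the same answer as a bad code
        count, first = self._failures.get(user, (0, now))
        if count >= self.MAX_FAILURES:
            if now - first < self.LOCKOUT_SECONDS:
                return "locked"       # budget spent: the code is not even evaluated
            count, first = 0, now     # lockout expired, start a fresh budget
        counter = now // self.STEP
        # Accept the current window plus `window` neighbours on each side for clock skew.
        for candidate in range(counter - window, counter + window + 1):
            if hmac.compare_digest(hotp(secret, candidate), code):
                if candidate <= self._last_counter.get(user, -1):
                    return "replayed"  # this (or an older) window was already used
                self._last_counter[user] = candidate
                self._failures.pop(user, None)
                return "ok"
        self._failures[user] = (count + 1, first)
        return "invalid"


if __name__ == "__main__":
    # Constructed demo secret (the RFC 4226/6238 test-vector key), not a real credential.
    demo_secret = b"12345678901234567890"
    v = TotpVerifier({"alice": demo_secret})
    now = 59   # fixed time so the run is deterministic; the RFC code here is 287082
    print("valid code accepted:", v.verify("alice", totp(demo_secret, now), now))
    for _ in range(TotpVerifier.MAX_FAILURES):
        v.verify("alice", "000000", now)
    print("after 5 wrong guesses the right code is:", v.verify("alice", totp(demo_secret, now), now))
```

With a six-digit code and a skew window of three 30-second slots, an attacker who can guess freely has roughly a 1-in-333,000 chance per attempt and will get there with enough volume; a budget of five failures followed by a lockout reduces that to a handful of guesses per cooling-off period and, just as important, produces a lockout event that can be alerted on. The lockout check runs before the code is compared, so a locked account gives no feedback about whether a guess was right.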
Do not use push notifications
Even if you use an authenticator app for MFA codes instead of text messages, human-centric vulnerabilities are still present. Users should not use the push notification option in their app because of the risk of accidentally tapping the “Accept” or “Approve” button on their device. An attacker can spam the MFA push notification until the user accepts it. The user may be annoyed and want the notifications to stop, or they might think there is some glitch with their account.
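The push-spam pattern described above leaves a recognisable trail in the identity provider’s sign-in logs: a burst of prompts to one user, several of them denied or left to expire, and then an approval. The following is an added example, not code from this post or from any vendor, of detection logic that runs over a constructed log sample in an assumed `timestamp user=… event=…` format (real providers use their own schemas; only the field names used here are assumptions). It raises one alert when a user receives too many prompts inside a window and a higher-confidence one when an approval arrives after repeated rejections.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, not real telemetry. alice shows a normal login; bob receives
# a burst of prompts, rejects or ignores several, then approves one.
SAMPLE_LOG = """
2024-05-01T02:00:00Z user=alice event=push_sent
2024-05-01T02:00:08Z user=alice event=push_approved
2024-05-01T02:10:00Z user=bob event=push_sent
2024-05-01T02:10:30Z user=bob event=push_denied
2024-05-01T02:11:00Z user=bob event=push_sent
2024-05-01T02:11:30Z user=bob event=push_timeout
2024-05-01T02:12:00Z user=bob event=push_sent
2024-05-01T02:12:30Z user=bob event=push_denied
2024-05-01T02:13:00Z user=bob event=push_sent
2024-05-01T02:13:40Z user=bob event=push_timeout
2024-05-01T02:14:00Z user=bob event=push_sent
2024-05-01T02:14:20Z user=bob event=push_approved
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$")
REJECTIONS = {"push_denied", "push_timeout"}


def parse(lines):
    """Yield (timestamp, user, event) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["user"], m["event"]


def detect_push_fatigue(lines, window=timedelta(minutes=10),
                        prompt_threshold=5, rejection_threshold=3):
    """Return (user, alert_type, timestamp) tuples.

    push_flood: the user received `prompt_threshold` prompts inside `window`.
    approval_after_rejections: an approval arrived after `rejection_threshold`
    or more rejected/expired prompts inside `window`, the pattern of a worn-down
    user finally tapping Approve. Thresholds are illustrative."""
    sent = defaultdict(deque)       # user -> timestamps of prompts still in the window
    rejected = defaultdict(deque)   # user -> timestamps of denials/timeouts in the window
    alerts = []
    for ts, user, event in sorted(parse(lines)):
        for q in (sent[user], rejected[user]):
            while q and ts - q[0] > window:   # drop entries that aged out of the window
                q.popleft()
        if event == "push_sent":
            sent[user].append(ts)
            if len(sent[user]) == prompt_threshold:
                alerts.append((user, "push_flood", ts))
        elif event in REJECTIONS:
            rejected[user].append(ts)
        elif event == "push_approved" and len(rejected[user]) >= rejection_threshold:
            alerts.append((user, "approval_after_rejections", ts))
    return alerts


if __name__ == "__main__":
    for user, kind, ts in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(f"{ts:%H:%M:%S} {user}: {kind}")
```

Run against the sample, it flags bob twice (the fifth prompt at 02:14:00 and the approval at 02:14:20) and stays silent for alice. The second alert type is the one worth paging on: a user who approved after denying several prompts has most likely accepted a sign-in they did not start, so the response is to invalidate that session and re-enrol the factor, not just to notify.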
Users should always have a recovery plan in case access to an account or portal is lost. Many login portals that offer MFA also provide backup codes. Save those backup codes somewhere safe, such as a password manager. In addition, some authenticator apps allow you to back up your data in case you lose the device that hosts the app.
If your organization wants to test its security, consider getting a professional pentest. Contact TCM Security for more information, and let us help you secure your organization.
This blog was written by Steven Amador.