Multi-factor authentication (MFA) is a security control that requires users to possess at least two unique forms of identification in order to gain access to accounts and services; for example, a password, combined with a fingerprint scan or one-time passcode (OTP).
MFA is hugely important security tool for stopping account compromise. If your password is stolen or compromised in a phishing scam, MFA makes sure there is a second line of defence between a hacker and your valuable data – a moat around your castle walls.
Credential compromise is now the most common type of cyber-crime and accounts for 20% of all data breaches – with an average cost of $4.37 million USD.
MFA is not a new concept – it’s been around for years in banking. Taking out cash at an ATM requires MFA; you need to know your PIN and have your credit card in hand in order to make a transaction.
Unfortunately, as MFA has become more popular for our digital accounts and services, hackers are becoming more innovative in looking for ways to breach MFA.
Expert Insights has consistently recommended organizations of all sizes to implement multi-factor authentication. But, as the US Cybersecurity & Infrastructure Security Agency (CISA) has recently stated: “not all forms of MFA are equally secure.”
In this article, we’ll take a look at the most common methods of multi-factor authentication to have in place and explore which method you should look to implement.
What Are The Most Secure Methods Of MFA?
FIDO/WebAuthn Authentication
FIDO (Fast Identity Online) authentication is rated by CISA as the most secure form of multi-factor authentication because it is completely resistant to phishing and password scams.
With FIDO, standard public-key cryptography is used to secure the authentication process. When a user registers with an online account, the local device (such as your smartphone) creates a pair of keys. One key is kept on the local device, while the other is stored on the online service.
When the user logs into the account in future, they must verify they are the true owner of the device. This often happens via a biometric check on a smart-device, or using a FIDO-supported hardware token. When this check is passed, the private key on the local device is matched with the online public key, and access to the service granted.
This is far more secure than other methods of authentication as it removes the password from the equation entirely. There are no one-time passcodes or push notifications which, therefore, reduces the opportunities for your accounts to be accessed. Attackers would need to compromise your local device, and have your physical hardware token or biometric data to gain access to the account.
FIDO was developed as a free, open-source authentication method by the FIDO alliance, a consortium of leading technology companies including Microsoft, Apple and Google. These companies have heavily invested in FIDO technologies for their own MFA products, and FIDO, as a result, has become an industry-wide standard for authentication technologies.
Can FIDO Be Bypassed?
Unfortunately, despite FIDO being the most secure form of MFA available, no security tool is completely infallible. If a hacker really wanted to get past FIDO, there are tactics that can be used. These include advanced malware solutions which could compromise the private key stored on your local device (known as token-theft attacks) or complex ways to bypass biometric controls.
For the vast majority of phishing-based scams, however, FIDO-based authentication will be highly effective at protecting accounts against compromise. A hacker would need to have particularly advanced capabilities to effectively carry out a successful attack on a FIDO-based solution.
What Other Methods Of MFA Are There?
Application-Based Authentication
App-based authentication is an increasingly common method of implementing MFA, especially in the consumer space. Most applications and services today support this type of authentication to verify user identities and reduce the risk of account compromise.
With app-based authentication, a user registers their account on a third-party MFA application, such as Duo, Ping Identity, Microsoft Authenticator or Google Authenticator. These applications are available on smartphone or laptop devices. This device is then classed as “a trusted device” and can be used to verify ownership of the registered account.
Each time a user logs into a registered service using their username and password, it will ask for a code (OTP or TOTP), which will be generated in this application. Alternatively, it will send a push notification to the application.
To access this code or accept the notification, the user must verify their identity with a biometric check on the device, or by entering their phone password. Once confirmed, they are then able to log into the service.
How Secure Is Application-Based Authentication?
CISA ranks this as the second most secure of authentication. It is more secure than SMS and email-based authentication, but it is more vulnerable than FIDO. There are a couple of reasons for this.
Firstly, a password is still used in the authentication process. This means the account is vulnerable to password-based scams which allows the attacker to get to the MFA stage.
Secondly, this method is vulnerable to phishing and social engineering scams. If a push notification is used to allow access, scammers are able to spam requests until the user accepts. You might have read reports that describe MFA fatigue – this is what happens when a user becomes overwhelmed with the number of notifications, and accepts, if only to stop the spam. This is also known as push-bombing or notification spamming attacks.
This scenario reportedly was reportedly the cause of a recent breach on ride-sharing firm Uber. An employee was reportedly tricked by a scammer into allowing them to add an unknown device to their authenticator application. With this device accepted, the scammer (who had previously cracked the employees’ passwords) could access all of the employee’s corporate accounts.
One important way to get around this is the use of number matching. This adds an extra step into the authentication process by requiring the end user to input a series of numbers displayed by the requested service, into the authenticator application before a request is made.
This prevents notification spamming, as the hacker would need to give the end user these numbers and ask them to input them on their local device, before a request could be made. Number matching has recently been recommended by multiple leading authentication apps, including Microsoft and Duo.
You can read more about push bombing and number matching in our guide to MFA Bypass here: MFA Bypass Attacks: How Do They Work, And How Can You Avoid Them?
SMS-Based Authentication & Email-Based Authentication
One of the most common methods of multi-factor authentication used today is SMS- and email-based authentication. It is also, by far, the least secure method.
For this method, a user must supply a cell-number or email address to a service. When logging into the account, a short code (OTP) is then sent via SMS or via email. This verifies that the person logging in has access to that account.
Weaknesses Of SMS authentication
This method verifies that the person logging in has access to the SMS number or email address assigned to the user. If a hacker is able to compromise your email password, or clone your SIM card, as well as the account password they will be able to access the account with ease. While this may sound technical to someone who is not a hacker, it is relatively simple for this to happen.
SMS- and email-based authentication is undoubtedly more secure than using just a password. But it is not as strong as app-based authentication, or FIDO based authentication. CISA defines this as a “last resort” method of multi-factor authentication.
Our Recommendation
MFA has become increasingly widespread over the past several years. According to a survey conducted by Duo in 2017, just 28% of people used MFA. In 2021, that number had jumped to 78%. Unfortunately, in the business world, adoption continues to be low, with Microsoft reporting MFA adoption rates of only 22% for their enterprise customers.
In this context, any method of MFA is better than no method of MFA. In your security strategy, it is not worth worrying about more complex attack methods attacks until you have MFA in place.
As Microsoft’s Director of Identity Security told Expert Insights in a recent interview: “Until you fix the MFA problem, you might as well not worry because it’s like you have the barn door open and you’re worrying about how good the lock is on the side door. It doesn’t matter.”
However, with that said, if you are implementing MFA, you should ensure it adheres to strong security standards. This provides further protection against phishing scams and account compromise and helps to ensure compliance in regulated industries.
As CISA, FIDO-based authentication is the most secure, widely accessible, and available method of multi-factor authentication around today, and we therefore recommend organizations consider an authentication solution which supports FIDO standards.
Choosing an authentication solution will also depend on the complex needs of your organization and users. To help you decide which solution is the best fit for your organization, you can read our guide to the top 11 multi-factor authentication solutions here.
