Multifactor authentication is not new; however, we’re entering a time where it is finally being widely adopted. Multifactor authentication (MFA) is a simple, convenient and effective mechanism for stopping an attacker who has nothing more than a stolen password. So for this post, let’s talk about the value of multifactor (often called two-factor) authentication and some of the MFA options out there.
When you log into your email or Facebook account, you are prompted for a username (or email address) and a password. And sometimes you hear stories of a hacker getting hold of someone’s credentials and accessing their account. When you throw MFA into the equation, the account also demands a secondary code or an extra step before it lets anyone in. So, if a hacker does obtain your credentials and attempts to break into your accounts, they still need that extra factor. Most services these days, from social media sites to banking apps, let you turn on MFA if you look in the settings menu of your account.
One of the most common, but somewhat outdated, methods for receiving an authentication code is to register your phone number with the service you are securing. In doing so, any time there is a login to your account using your credentials, access is halted until that person also enters the code that was texted to your phone. This is effective because it requires the attacker to have access to your phone (or to the messages sent to it) to retrieve the code. Otherwise, the attacker is stopped in their tracks, with no way into your account.
While still used on many services, SMS two-factor is considered an outdated method because of weaknesses in SS7, the carrier signalling network that routes text messages between phone networks, which have been abused to intercept codes. A texted code can also be diverted by a SIM swap or simply typed by the victim into a convincing phishing page, so treat it as better than a password alone but weaker than the options below.
Most major tech and gaming companies offer an authenticator app, and standards-based apps work with any service that supports them. Instead of receiving the secret code via text, the app generates it on your phone: during setup the service shares a secret with the app (usually by scanning a QR code), and from then on the app and the service each compute a short-lived code from that secret and the current time, so nothing travels over the phone network at all. Some vendors’ apps instead push a login prompt to your phone over an encrypted channel for you to approve. Either way, an attacker would need access to your phone to gain access. So if a malicious actor on the other side of the world gets your credentials, they’re still not going to be able to access your account. This is far more secure than utilizing the SMS method, though a code typed into a phishing page can still be relayed by the attacker within the few seconds it remains valid.
This method is quickly gaining popularity and widespread adoption. Hardware tokens are physical keys that resemble tiny USB drives; YubiKeys are a popular example. The key holds a private key that never leaves the device: when you log in, the service sends it a random challenge and the key signs it, proving you possess the token without ever revealing the secret. Most keys also require a physical tap to confirm a person is present. So, once you enter your username and password, you simply insert the key into your USB port and tap it. This makes tokens the hardest to defeat of the three methods mentioned in this post, because the secret exists only inside the physical key you are holding, meaning the attacker has to have physical access to your token. With the FIDO U2F and WebAuthn standards the key’s response is also bound to the website’s origin, so a phishing site cannot obtain a response that the real site will accept. Major corporations, such as Google and Amazon, employ these keys for their employee base and critical systems as well. Hardware tokens are becoming very cheap and viable options for the average consumer. Varieties also include smart cards that carry a certificate and private key, similar to what the Department of Defense uses.
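To show why the origin binding defeats phishing, here is an added model of the U2F-style exchange between browser, security key and website (my own illustration, not code from the original post or from any vendor). One simplification is assumed and labelled in the code: the token’s per-site ECDSA signature is stood in for by an HMAC over the same fields, so the website verifies with a shared secret instead of a public key. The rest mirrors the real flow: the browser, not the user or the page, fills in the origin; the key signs the hash of the application id and the hash of the client data; the website checks origin, challenge and signature, and each challenge is good for one use. The origins `bank.example` and `bank-login.example` are constructed.

```python
"""Model of FIDO U2F origin binding. Added example, not from the post.
Assumption: HMAC stands in for the key's ECDSA signature."""
import hashlib
import hmac
import json
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SecurityKey:
    """The hardware token: one credential per site, created at registration."""

    def __init__(self):
        self._site_keys = {}

    def register(self, app_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._site_keys[app_id] = key
        return key  # stand-in for the public key given to the site

    def sign(self, app_id: str, client_data_hash: bytes):
        key = self._site_keys.get(app_id)
        if key is None:
            return None  # no credential for this site: the key cannot answer
        # 0x01 = user-presence flag, set when the user taps the key
        signed = sha256(app_id.encode()) + b"\x01" + client_data_hash
        return hmac.new(key, signed, hashlib.sha256).digest()


class Browser:
    """The browser records the origin of the page that asked; a page cannot
    claim an origin other than the one it was loaded from."""

    def __init__(self, key: SecurityKey):
        self.key = key

    def get_assertion(self, page_origin: str, challenge: str):
        client_data = json.dumps({"typ": "navigator.id.getAssertion",
                                  "challenge": challenge,
                                  "origin": page_origin}, sort_keys=True).encode()
        # U2F application id is the page's own origin; the browser enforces it
        return client_data, self.key.sign(page_origin, sha256(client_data))


class RelyingParty:
    """The website being logged into."""

    def __init__(self, origin: str):
        self.origin, self.key, self.pending = origin, None, set()

    def register(self, token: SecurityKey):
        self.key = token.register(self.origin)

    def new_challenge(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, client_data: bytes, signature) -> bool:
        if signature is None or self.key is None:
            return False
        data = json.loads(client_data)
        if data.get("origin") != self.origin:
            return False  # produced for some other site: phishing
        if data.get("challenge") not in self.pending:
            return False  # unknown, expired or already-used challenge
        signed = sha256(self.origin.encode()) + b"\x01" + sha256(client_data)
        expected = hmac.new(self.key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False
        self.pending.discard(data["challenge"])  # single use
        return True


def _setup():
    key = SecurityKey()
    bank = RelyingParty("https://bank.example")  # constructed origin
    bank.register(key)
    return key, bank, Browser(key)


def legitimate_login() -> bool:
    key, bank, browser = _setup()
    client_data, sig = browser.get_assertion(bank.origin, bank.new_challenge())
    return bank.verify(client_data, sig)


def replay_is_rejected() -> bool:
    """The same assertion presented twice: the second must fail."""
    key, bank, browser = _setup()
    client_data, sig = browser.get_assertion(bank.origin, bank.new_challenge())
    return bank.verify(client_data, sig) and not bank.verify(client_data, sig)


def phishing_login(user_also_registered_at_phisher: bool) -> bool:
    """A look-alike site relays the bank's real challenge to the victim.
    Returns whether the bank accepts what the phisher can forward."""
    key, bank, browser = _setup()
    phisher = RelyingParty("https://bank-login.example")  # constructed look-alike
    if user_also_registered_at_phisher:
        phisher.register(key)
    challenge = bank.new_challenge()  # obtained by the phisher, shown to victim
    client_data, sig = browser.get_assertion(phisher.origin, challenge)
    return bank.verify(client_data, sig)
```

Two things stop the phisher: with no credential for the look-alike origin the key produces nothing at all, and even when the user had enrolled the same key at the look-alike site, the assertion names that origin and the bank rejects it. Neither check depends on the user noticing anything.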
The outlined methods are not rare by any means. I urge everyone to spend an hour over the weekend sifting through all of their online accounts (social media, financial accounts, work accounts, etc.). I suspect that everyone will be pleasantly surprised to find that most services are ready to work with these effective MFA solutions.
Let’s keep hackers out of our hair, permanently.
Updated: January 2019