Nowadays, in the pursuit of security, passwords alone just don’t cut it. Like we saw in our previous article, hackers often target credentials in their attacks. And as the Verizon report in that article showed, up to 90% of breaches occur because of weak or stolen passwords! Authentication – password security – needs to change. Because of this, security researchers continuously develop or suggest new ways to protect user accounts. One of the most popular suggestions for strengthening authentication is multi-factor authentication. In this physician’s guide to multi-factor authentication (MFA), we’ll define MFA and discuss several common ways to implement it.
The Basics of MFA
In security, you can authenticate yourself to a service in one of three ways: what you know, what you have, and what you are. In the most basic security models, we rely only on “what you know” – also known as a password. Multi-factor authentication adds one more component to this – what you have (a hardware token, a one-time password) or what you are (biometric authentication such as fingerprint scanning).
We as security professionals assume that a motivated attacker can always know what you know. That is, if you have a password, an attacker could steal it. If you use personal information in a security question, an attacker could look that same info up online. If you use a PIN, an attacker could guess it based on common PIN choice patterns (people love using family birthdays or anniversaries as PINs). No matter how esoteric the knowledge, a motivated attacker could reasonably find or guess it. As a result, we can’t rely solely on “what you know” to authenticate someone. We’ll need something else.
That leaves us with “what you have” and “what you are”. Most organizations don’t use “what you are” for multiple reasons. You can’t normally revoke or change a fingerprint or eye scan. If someone steals the encoded form of that, it’s compromised for life. Relatedly, you can’t change your fingerprint like you can a password, which may lead to unintentional credential sharing between services. Attackers can also trick biometric tools. A 2017 study found that an attacker can fool up to two-thirds of fingerprint-based authentication devices with as little as five faked fingerprints. Finally, biometric solutions cost a lot and don’t often work as intended.
That leaves us with “what you have” as a second layer of security. We’ll outline the basics below.
SMS-Based MFA
Essentially, when setting this up, you’ll have to give the service your phone number. When logging into the service again, you’ll get a text with a code. If you input the code successfully, you’ll get access. Service providers love this, as nowadays everyone has a phone with texting capabilities. Even better, the user doesn’t need to install any app or software to enroll, leading to an increase in user satisfaction.
However, SMS-based MFA has multiple weaknesses, making it less than ideal as a form of MFA. Most people consider their phone number private information and don’t want to disclose it to everyone who asks. Other sites, like Facebook, may unethically use your phone number for advertising or search capabilities, as opposed to just for authentication. Finally, a popular attack called “SIM swapping” lets attackers take over your phone number and all the texts and calls that go with it. Once they have your phone number, they can intercept all the SMS MFA texts and get access to any account that uses it. Most security experts consider SMS MFA broken and don’t recommend its use.
Authenticator Apps
Authenticator apps take SMS MFA one step further. When you sign up for MFA of this type, the service will show you a QR code. Scanning this image with an app like Google Authenticator or Authy will cause the app to start producing a secret code at set intervals (commonly every 30 seconds). The app generates that code using the open-standard TOTP (Time-based One-Time Password) algorithm. When you log into the service again, you’ll need to present the code your app generates along with your username and password. The service knows how to generate the code as well and follows the same algorithm to produce its own code. If the codes match, the service will let you in.
This form of MFA works much better than texting, but still comes with some risks. If you lose your phone and didn’t save your backup keys, you can’t get into the service. You also sacrifice convenience since you’ll need to open up a new application and type in a code each time you want to authenticate. In general though, this method provides enough security for most purposes.
Push Notifications
This method works by downloading and configuring an app, just like above. The app sends you a push notification notifying you of an authentication attempt. It provides some useful information like the operating system used and the location of the attempt. You can then either approve or deny the request by tapping the relevant button. Examples include Apple Trusted Devices or Duo Push. This method improves on authenticator apps and SMS messages by making the process more convenient. Instead of typing in a code, you only need to tap “approve” or “deny” for it to work. It also shows you where the login attempt came from, which can quickly alert you to a suspected hacking attempt if you’re not in that location. However, this requires continuous Internet connectivity, while the authenticator apps don’t.
Hardware Tokens
Most vendors build hardware tokens on the FIDO U2F or WebAuthn standards. They work by registering the device as per the site’s requirements. When you try to authenticate, you normally need to swipe, scan, or insert the hardware token. That’s it, the rest happens under the hood! No input codes or anything required!
Most security experts prefer hardware over software tokens due to the built-in security features. Hardware tokens prevent phishing attacks since part of the MFA request from the service authenticates the service to the token. The token won’t reply if it doesn’t recognize the site. Further, we can use the same hardware token on multiple sites, and the generation of per-site identities means no one can tell what other sites also use your token. That ensures privacy without sacrificing convenience.
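The two properties just described, the token only answering for the site it was registered with and a separate identity per site, come from a few checks that each party performs. The following added example (not the article’s code and not any vendor’s implementation of U2F or WebAuthn) simulates those checks in Python. It assumes a token with one master seed that derives a per-site key from the relying-party id, and it uses an HMAC where a real token would use an ECDSA key pair; the names `Token`, `Browser`, `RelyingParty`, the domains and the user are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
import secrets


class Token:
    """Hypothetical hardware token: one master seed, one derived key per site, a use counter."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0

    def site_key(self, rp_id: str) -> bytes:
        # Per-site identity: two services see unrelated key material for the same token.
        # (HMAC-derived symmetric key stands in for a per-site ECDSA key pair.)
        return hmac.new(self.seed, b"credential:" + rp_id.encode(), hashlib.sha256).digest()

    def make_assertion(self, rp_id: str, client_data_hash: bytes):
        self.counter += 1
        auth_data = hashlib.sha256(rp_id.encode()).digest() + self.counter.to_bytes(4, "big")
        sig = hmac.new(self.site_key(rp_id), auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


class Browser:
    """The user agent records the true page origin and refuses rp_ids that origin does not own."""

    def __init__(self, token: Token, page_origin: str):
        self.token, self.origin = token, page_origin

    def get_assertion(self, rp_id: str, challenge: str):
        host = self.origin.split("://", 1)[1]
        if not (host == rp_id or host.endswith("." + rp_id)):
            raise PermissionError("rp_id %r is not registrable from %s" % (rp_id, self.origin))
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": self.origin}, sort_keys=True).encode()
        auth_data, sig = self.token.make_assertion(rp_id, hashlib.sha256(client_data).digest())
        return client_data, auth_data, sig


class RelyingParty:
    """The service: checks challenge, origin, rp_id hash, counter and signature."""

    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self.credentials = {}   # user -> (site key registered at enrollment, last counter)
        self.pending = {}       # user -> outstanding challenge

    def register(self, user: str, token: Token):
        self.credentials[user] = (token.site_key(self.rp_id), 0)

    def challenge(self, user: str) -> str:
        self.pending[user] = secrets.token_urlsafe(32)
        return self.pending[user]

    def verify(self, user: str, client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
        key, last_counter = self.credentials[user]
        cd = json.loads(client_data)
        expected = self.pending.pop(user, None)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected:
            return False            # stale, missing or reused challenge
        if cd.get("origin") != self.origin:
            return False            # the browser signed this for some other site
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False            # token answered for a different rp_id
        counter = int.from_bytes(auth_data[32:36], "big")
        if counter <= last_counter:
            return False            # replayed assertion or cloned token
        mac = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, sig):
            return False
        self.credentials[user] = (key, counter)
        return True


def demo():
    token = Token(secrets.token_bytes(32))                        # constructed seed
    rp = RelyingParty("clinic.example", "https://clinic.example")  # constructed service
    rp.register("drsmith", token)

    genuine = Browser(token, "https://clinic.example")
    accepted = rp.verify("drsmith", *genuine.get_assertion(rp.rp_id, rp.challenge("drsmith")))

    # A look-alike site relaying the real challenge: the browser refuses the rp_id outright.
    lookalike = Browser(token, "https://clinic-example.invalid")
    chal = rp.challenge("drsmith")
    try:
        lookalike.get_assertion(rp.rp_id, chal)
        blocked_by_browser = False
    except PermissionError:
        blocked_by_browser = True
    # Even an assertion made under the look-alike's own rp_id fails at the service:
    # wrong origin, wrong rp_id hash, and a per-site key the service never registered.
    accepted_forged = rp.verify("drsmith", *lookalike.get_assertion("clinic-example.invalid", chal))
    return accepted, blocked_by_browser, accepted_forged


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The user never types anything, yet the service learns which site the browser was really on, because the origin is part of what the token signs; that is the mechanism behind the “won’t reply if it doesn’t recognize the site” behaviour. The counter check is the same one real authenticators use to let a service notice a cloned token.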
As always, no security tool comes without its issues. Besides the standard risks of device loss, not many services support hardware token authentication. The standards are relatively new, so developers have not had a chance to build related functionality. Hardware tokens usually cost money as well, with the “industry-standard” tokens costing up to $45 each.
So What’s Best?
In our opinion, hardware tokens offer the ideal blend of security and usability overall. If you can deal with the costs, we’ll always recommend them first. We’re also okay with recommending either push-based or authenticator app-based MFA methods. We recommend avoiding SMS-based MFA unless you have no choice – weak MFA beats no MFA every time.
Interested in using multi-factor authentication to protect your practice? Get in touch and we’ll help you design, implement, and maintain a solution that fits your needs.