Securing your account is more important than ever. But don't take our word for it. Just look at the fact that data breaches rose by a shocking 68% last year.
A secure account is one that makes use of the right types of authentication. In this day and age, a password alone is not enough. You need multi-factor authentication (MFA).
Multi-factor authentication makes it far more difficult for a bad actor to compromise an account. With how much a security breach can cost, it's a small measure to avoid digital catastrophe. But not all MFA is equal.
For National Cybersecurity Month, we're going back to our roots and discussing cybersecurity basics. In this episode of cybersecurity 101, we're covering multi-factor authentication. Keep reading for everything you need to know.
National Cybersecurity Month Basics: What Is Multi-Factor Authentication (MFA)?
Multi-factor authentication (MFA) is an extra layer of security included during the login process.
If you've spent any time online, there's a good chance you've heard of two-factor authentication (2FA). There's little difference between these two terms. 2FA requires two forms of authentication, while MFA can require 2 or more.
The Problem With Passwords
A password is usually the first form of authentication. However, passwords are flawed by design. They're a static string of information that anyone can steal and use.
Passwords are often short, making them susceptible to a brute-force attack. A standard desktop computer could crack a 9-character password in as little as 2 hours. The time to crack a password is even shorter when the password includes words or phrases.
Further, employees often fall victim to phishing emails. Despite the best efforts of an IT team, a convincing email could sway an employee to divulge credentials. It only takes the login info of one unwitting employee to compromise your network.
Further, the storage methods for passwords are not all equal. Some websites commit the digital faux pas of storing passwords in plain text. That, or they do not use the proper encryption methods.
It's not enough to expect companies to use the best security practices. Until zero-trust security becomes the norm, password-only authentication is a liability for the integrity of your network.
MFA serves as a solution to all this. It introduces another hurdle in the login process, a hurdle that will dissuade all but the most tenacious hackers. For high-security accounts, you can force employees to use more authentication methods.
Benefits of Multi-Factor Authentication
The benefit is clear: even if a hacker obtains your password, they won't be able to gain access to your account. Regardless, you should do everything in your power to have a strong password.
MFA comes in many shapes and forms. There are digital multi-factor authentication methods and physical ones.
Some are less secure than others. Some are more convenient, but come with important caveats.
That means you can choose whichever authentication method works best for your organization. Those with a higher threat level can choose a more sophisticated MFA if necessary.
MFA doesn't require much work on your behalf, either. It adds a few seconds at best to the login process. In turn, you increase your security tenfold.
Let's discuss the many different types of MFA, their advantages, and their respective weaknesses. No matter which method of MFA you choose, it's better than having no MFA at all.
1. One-Time Password (OTP)
A one-time password, as the name implies, is a limited-time password that expires after a single use. You use a different OTP for subsequent logins. In some cases, an organization may require an OTP for every login, even on a recognized device.
Support for OTP is growing for many companies. However, it's less common than competing options like SMS and email authentication. Despite this lack of popularity, OTP is among the strongest authentication methods on this list.
The most common form of OTP comes in the form of an authenticator app. Google Authenticator is perhaps the most popular authenticator app on the market. However, there are many other options, including open-source options for privacy enthusiasts.
How to Use OTP
OTP requires downloading an authenticator app first. You'll need to navigate to your account settings and locate the option to enable MFA or 2FA. Your account provider should then generate a QR code.
After you scan this code, your authenticator app will start producing codes. the provider may ask for you to enter the code that appears.
Authenticator apps generate a new 6-digit code every 30 seconds. You need to enter this code before the 30-second timer runs out.
Advantages and Disadvantages of OTP
OTP is a very strong method of authentication. This is because it presents a considerable impediment to bad actors. In order to obtain your OTP codes, they would need to steal and compromise your mobile device.
The authenticator app itself can be behind several walls of security itself. There may be biometrics or a pin code to unlock the phone. Many OPT apps require a biometric or pin code unlock to access them, too.
That said, OTP is a bit more involved. You have to type the code in fast, and if you miss the 30-second window, you have to wait to try again. OTP also requires that you keep your cell phone on hand any time you need to log in.
There is also a risk, however, slight, that someone steals your mobile device. Even biometrics are not impervious to hacking. Depending on the implementation, a hacker could access your device with ease.
2. A Proprietary Authenticator App
An authenticator app for a specific company is one of the most secure types of cybersecurity authentication. A perfect example of this is the Microsoft Authenticator app. Companies store sensitive documents in Office 365, so using their proprietary authenticator keeps those documents safe.
How to Use Proprietary Authenticator Apps
Using Microsoft Authenticator as an example, these apps provide a number of possible ways to access your account.
For starters, they can simply send an "approve/deny" notification to your phone anytime someone attempts to log in. Or, they can provide a unique OTP that you enter in place of your normal password. A proprietary authenticator app may also require biometrics to authenticate a login.
Advantages and Disadvantages of a Proprietary Authenticator App
As far as digital authentication methods go, this is perhaps the strongest. Rather than just having an OTP code, the authenticator requires full account access in the first place.
The same disadvantages apply as OTP apply here. If you don't have your mobile device on hand, you cannot log in. If someone steals your mobile device, there is a small risk they could hack it and access all your accounts.
3. Email and SMS
These are the most common forms of MFA and 2FA. When you log in, the provider sends an email or text message with a login code. You need to provide this code within the following minutes to gain access.
These are the easiest forms of MFA to use. You just need to wait for the message to arrive.
Advantages and Disadvantages of Email and SMS
As we've mentioned earlier, any form of MFA is better than none at all. Email and SMS are convenient, requiring minimal effort on the user's part.
However, this is the least secure method of MFA, particularly for SMS messages. Hackers have long since been able to spoof your phone number and receive your text messages.
Email might be a bit stronger, but hackers can still compromise email accounts. You should prioritize email over SMS--assuming your email has a strong password and MFA itself. For optimal cyber safety, we advise that you avoid SMS at all costs.
|Related Reading: Introduction to Email Security
4. Biometrics: Facial Identification, Fingerprint, and Voice
Facial identification has caught on as the easiest method of biometrics. As long as the camera has a clear view of the user with good lighting, verification is almost instant. While the strongest implementations like Apple's Face ID are not impervious, they are difficult to hack.
Facial identification works great for mobile devices, but it's less common on desktop computers. This is because it requires a dedicated IR-enabled camera with depth sensors. Windows Hello, while a solid desktop face unlock solution, is not compatible with the majority of webcams.
Fingerprint reading can be just as fast as facial identification. This tends to be a more mobile-oriented option, though. Many enterprise-grade laptops do feature a fingerprint reader, but it's less common.
Voice recognition is the least common of all biometric unlock options. AI makes it easy to clone a voice and make it say whatever you want--including an unlock phrase.
Advantages and Disadvantages of Biometrics
Biometrics are often the easiest form of authentication. You have access to biometrics at all times. There's no need to carry around a secondary device.
They're also more convenient that OTP or SMS codes. They're perfect for an organization where employees use mobile devices as their main source of MFA.
On the whole, biometrics tend to be more difficult to hack. While it's not impossible to crack them, they often require bad actors to steal your device. The hacker would then need to use sophisticated methods to trick your device.
The exponential improvements with AI will make biometrics weaker in the coming years. Deepfakes, fingerprint copies, and cloned voices all pose a threat to this method. However, AI will likely help to identify these false attempts as well.
5. Physical Device Authentication: A FIDO Security Key, RFID Keycard, or NFC-Enabled Device
A physical device is the gold standard for MFA cybersecurity. This usually comes in the form of a Yubico USB security key, RFID card, or NFC-enabled mobile device. It's very difficult for a hacker to compromise a physical key, compared to the above options.
Security keys are relatively easy to use. When prompted, you insert or tap the key. Authentication is near instant.
Advantages and Disadvantages of Physical Device Authentication
Physical devices are a very strong form of MFA. However, they do come with what could be considered a massive flaw for some. If someone steals your key, they might gain access to your account.
FIDO is notoriously difficult to clone, even if someone does steal it. Assuming you have a strong password, a hacker won't be able to access your account. Provided you take good care of your FIDO key to prevent theft, it's a strong security option.
In the case of RFID, someone only needs to get close to you to clone an RFID badge. With NFC, these risks are mitigated to an extent. If a hacker succeeded in unlocking your device, then you run into the same issue as with authenticator apps.
Like with authenticator apps, you need this physical device whenever you wish to log in. If you lose it, that could make it very difficult to regain access to your account.
Physical keys are great since they are very difficult to spoof without stealing them. If you implement physical keys in your organization, you need to be sure employees will treat them with great care. Attaching them to a keyring that you leave out on your desk, for example, is poor security conduct.
Improve Your Organization's Security Posture
For National Cybersecurity Month, we invite you to strengthen your employees' credentials with multi-factor authentication. It provides a needed layer of security so you don't rely on passwords alone. There are many different types of authentication to choose from, giving you cybersecurity options for any use case.
Stronger passwords and MFA are just the beginning. Your organization can benefit from a complete, all-inclusive security solution. That security solution is XDR (extended detection and response).
Check out BitLyft today for the next-gen XDR that will secure your network from top to bottom.