The Evolution of MFA: Beyond SMS and Email
Multi-factor authentication (MFA) has been used by computer administrators since at least the 1980s. Regular people started using it in the mid-1990s when banking systems began to roll this out. It was pretty clunky; those key fobs were not small! And since I mentioned MFA as one road to greater security in my recent post on passwordless technologies, I thought a quick refresher might be in order.
Today’s MFA
MFA looks much different than it did thirty years ago. MFA requires at least two out of these three options:
- something you have
- something you are
- something you know
In practice, that has taken the form of everything from an SMS message to an iris scanner and more. As it turns out, not all MFA options have stood the test of time when it comes to better security. Depending on what you’re protecting, you might need to get more discerning when it comes to what techniques you use for MFA.
The Phishing Threat to MFA
Phishing is the biggest threat to MFA’s ability to solve all the world’s authentication problems. One definition of phishing is:
A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a website, in which the perpetrator masquerades as a legitimate business or reputable person. (U.S. NIST Glossary)
Phishing is when someone tricks you into clicking on a link that either takes you to or is part of a website that looks a LOT like a legit thing. It will likely pass your username and password on to the actual site and put up a page to collect the code received via SMS or email. At that point, the hacker (or, more to the point, their program) usually has 10-15 minutes to use the username, password, and code to get into the site and do things. Most likely, they’ll change your settings so the account has a different recovery email, a new phone number, and a new password.
Jerks.
Better Options
So, if SMS messages and, heavens forbid, email are out, what are the better options? The answers fall into three categories: biometrics, app-based authenticators, and FIDO-based authenticators. Which one you choose depends on the criticality assigned to what’s being protected.
Biometrics
Biometrics cover the “something you are” option of MFA. These can be anything from fingerprints to facial, iris, or voice recognition. Biometrics have been a relatively reliable option, though accessibility issues remain a problem. However, with the age of AI and deepfakes dawning, not all biometric options are equally secure. According to Cybersecurity Magazine, facial recognition is at the most risk, though voice recognition is not far behind. Fingerprints are better off, but not without their own challenges.
There are ways to make biometric recognition more robust. The evolution of attack and response, however, means attack mitigation is always a moving target.
App-based Authenticators
Another option that fills the “something you have” slot is an app-based authenticator. There are several out there, like Authy or Google Authenticator. Many of these apps use something called TOTP. This Time-based One-Time Password functionality generates a number that changes, as you might guess from the name, over some (short) period of time. Several password managers (you use a password manager, right?), like 1Password, can generate TOTP codes, too. (I admit, I’m not sure about storing my password with my second factor, but that’s just me.)
If you are using a TOTP-based authenticator, then you need to be on top of getting that code out of the app and into the authentication screen. I often delay responding to the MFA challenge if it looks like my authenticator app only has under 10 seconds left for that number.
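Here is what an authenticator app and the site on the other end are actually doing, as an added example in Python that is not from this post or from any of the apps named above. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with only the standard library, plus the server-side acceptance check and the "seconds left" countdown the app shows. The secret is the RFC 6238 reference secret so the output can be checked against the RFC's published test vectors; the 30-second step and the one-step acceptance window are the common defaults, not requirements.

```python
import base64
import hashlib
import hmac
import struct
import time

# Secret shared between the authenticator app and the site at enrolment.
# This is the RFC 6238 reference secret (ASCII "12345678901234567890"),
# chosen so results can be checked against the RFC's own test vectors.
SECRET = b"12345678901234567890"
STEP = 30  # seconds each code is valid for (the usual default)


def secret_from_base32(encoded: str) -> bytes:
    """Decode the Base32 secret an app receives in an otpauth:// QR code."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding apps often drop
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, at // step, digits, algo)


def seconds_remaining(at: int, step: int = STEP) -> int:
    """How long the code shown at time `at` stays current (the app's countdown)."""
    return step - (at % step)


def verify_totp(secret: bytes, submitted: str, at: int, step: int = STEP,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current step and `window` steps either side
    to absorb clock drift and the time it takes to type the code. The comparison
    is constant-time so timing does not leak how many digits matched."""
    current = at // step
    return any(
        hmac.compare_digest(hotp(secret, current + delta, digits), submitted)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SECRET, now)
    print(f"code {code}, current for another {seconds_remaining(now)} s")
    print("accepted by server:", verify_totp(SECRET, code, now))
```

Note what is and is not in the code: the counter, the shared secret, and nothing else. Nothing ties the six digits to the site where they are typed, which is exactly why the relay described in the phishing section works, and why the server's acceptance window is worth keeping as small as usability allows.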
FIDO2-based MFA
Now for the gold standard of authenticators: FIDO2! This MFA option puts phishing resistance as part of its core design. Go, team!
The FIDO Alliance is the source of the FIDO2 family of specifications, including WebAuthn. FIDO2-compliant authenticators can use dedicated hardware tokens or mobile devices (like your phone). To use that token or the key stored on your mobile device, though, you need a biometric or a PIN. Combined with a traditional password step, this takes us from two-factor authentication (2FA) to multi-factor authentication.
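To make the "phishing resistance as part of its core design" claim concrete, here is the relying-party side of a WebAuthn assertion check, as an added example in Python that is not from this post or from the FIDO Alliance's code. The site name, origins, and challenge are assumed. The one simplification is the signature: a real authenticator signs with a per-site private key the site never holds, and HMAC with a shared key stands in for that here so the block runs with only the standard library. The checks that matter for phishing resistance, origin and rpIdHash, are unchanged by that swap.

```python
import hashlib
import hmac
import json
import struct

# Relying party (the site) configuration; names are assumed for the example.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}

# Stand-in for the credential's key pair (constructed). A real authenticator
# signs with a private key the site never sees; HMAC is used here only so the
# block runs without third-party libraries.
CREDENTIAL_KEY = bytes.fromhex("00" * 31 + "01")


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def authenticator_data(rp_id: str, user_present: bool = True, sign_count: int = 1) -> bytes:
    """rpIdHash (32) || flags (1) || signCount (4): the prefix every authenticator emits."""
    flags = 0x01 if user_present else 0x00
    return rp_id_hash(rp_id) + bytes([flags]) + struct.pack(">I", sign_count)


def browser_and_authenticator_sign(origin: str, challenge: str, key: bytes, sign_count: int = 1):
    """The client half. The browser, not the web page, writes the origin it is
    showing the user into clientDataJSON, and the authenticator signs
    authenticatorData || SHA-256(clientDataJSON). The page can alter neither."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    auth_data = authenticator_data(RP_ID, sign_count=sign_count)
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(key, to_sign, hashlib.sha256).digest()
    return client_data, auth_data, signature


def verify_assertion(client_data: bytes, auth_data: bytes, signature: bytes,
                     expected_challenge: str, key: bytes, stored_sign_count: int = 0):
    """Relying-party checks from WebAuthn section 7.2. Returns (accepted, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (replay or stale)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin not allowed: {cd.get('origin')}"
    if auth_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if sign_count != 0 and sign_count <= stored_sign_count:
        return False, "signature counter did not increase (cloned authenticator?)"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    expected_sig = hmac.new(key, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        return False, "bad signature"
    return True, "ok"


def login_from(origin: str, stored_sign_count: int = 0, sign_count: int = 1):
    """One full ceremony: the site issues a challenge, the client answers from `origin`."""
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed; real sites use fresh random bytes
    cd, ad, sig = browser_and_authenticator_sign(origin, challenge, CREDENTIAL_KEY, sign_count)
    return verify_assertion(cd, ad, sig, challenge, CREDENTIAL_KEY, stored_sign_count)


if __name__ == "__main__":
    print(login_from("https://login.example.com"))
    # A look-alike site relaying the site's challenge: the browser still stamps the
    # origin it is really showing, so the site rejects the assertion.
    print(login_from("https://login-example.com.test"))
```

Compare this with the TOTP case: the relayed password-plus-code gets through because the code says nothing about where it was typed, whereas the signed clientDataJSON carries the browser's own view of the origin, and the site checks it before it ever looks at the signature. The signature-counter check is a bonus that flags a credential that has been copied.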
Passkeys
If you read my last post about passwordless authentication, you may be thinking that FIDO2-based MFA and passkeys sound similar. And, in fact, you would not be wrong! In many cases, you can just use a passkey and have 2FA, which is enough for many situations.
Passkeys are not perfect; there are new threat models that implementors need to consider before they roll out support for passkeys willy-nilly. However, they are still arguably better than passwords.
Wrap Up
I believe some form of MFA is better than none. That said, I also worry that it lulls people into a false sense of security. How risky is it for you personally if your account is hacked? How risky is it for your organization if your systems are compromised? What data will be exposed? If you don’t have time to understand those gory details, the only real option is to require a stronger form of MFA so you don’t have to worry about that. There are always plenty of other things to worry about.
And if you are an end-user, you may not have a choice of the quality of the MFA you get to use. In that case, something is better than nothing! If you work for a company with an IT department and the need for people to log in remotely (including your customers), then you really need to make MFA a priority. And when you do, make sure you do it properly with a phishing-resistant option.
I love to receive comments and suggestions on how to improve my posts! Feel free to comment here, on social media, or whatever platform you’re using to read my posts! And if you have questions, go check out Heatherbot and chat with AI-me.
