Multi-factor authentication – is your data protected?

October 21, 2015

It often occurs in the aftermath of a severe data breach that cyber-security analysts talk about the attacked system as not being secured enough, because it did not use multi-factor authentication.

Abbreviated MFA, multi-factor authentication is actually 2FA in most of the cases: two-factor authentication. Even so, it is regarded as a very efficient security method for enterprises, institutions, agencies and whatever entities are really conscious about their cyber data. For example, Federal Government systems are required by the IT regulatory standards to mandatory employ MFA for all sensitive resources. Of course, SMBs and individual users also benefit from this method and using MFA builds trust between business partners because it further secures data exchange and collaboration.

MFAs sprung from the precedents created by cyber-attacks and their main purpose is reducing such future risks. In the classic one-factor authentication, all the passwords were stored in databases, and those databases are vulnerable themselves. Having a MFA reduces the both interest and the chances of system/database hacking. There is no use for cyber-criminals to steal your password data since it would provide them only halfway access into the system, and the system itself is better protected since only sophisticated attacks could threaten the variable MFA login method.

What does multi-factor authentication involve?

MFA systems require more than one authentication methods in several separate authentication stages. The user must present successive credentials from independent categories in order to validate his/hers identity and log into the system.

The most common patterns for MFA are:

  • Presenting an access card, then entering a PIN code;
  • Password login followed by entering an instantly-issued second one-time password (OTP), that the user gets via email or SMS (the same pattern is used in VPN MFA login: the first login enables getting the credentials for the second login, via a different medium);
  • 3FA may consist in a succession of login methods, such as an access card, fingerprint/ retina scan (inherence or biometric factors), and a security question;
  • Using a personalized device (security token) in order to generate the one-time password (OTP) for system login.

The main types of factors used to determine system identity are:

  • Knowledge factors (passwords, PINs, answers to security questions);
  • Possession factors (security tokens or access cards);
  • Inherence factors (all biometric factors, such as fingerprints, voice, retina ID etc).

Of course that sophisticated identity theft attacks can be deployed that aim at completely spoofing system identity – their preliminary target would be the key individual whose role in the organization would provide valuable access to the database. The system is not invulnerable, but the risks are considerably lower than in traditional one-factor authentication. For such attacks to be successful, the hackers use special techniques, such as skillful social engineering – but we will approach that in another post.

Reasons to upgrade to multi-factor authentication

MFA is gradually turning into a good practices standard. It can even make the difference in choosing a business partner – people check its security compliance and tend to trust more those who show higher cyber-security awareness. Here you may check a list of banking, cloud computing and other functionalities websites and their MFA status, for example.

Most MFA providers ensure that their service is simple to setup and use, and that users can easily manage their own devices.

Scalability would be another motivational factor – the offered protection integrates the on-premises system with the cloud and other apps and extends over all the needed data locations.

Accessibility translates into combining the authentication methods as best suited, according to the devices your employees use: smartphone calls, text messaging, mobile app notifications and so on. Usually when setting up a MFA method the first step consist in laying down all the client specifications: what data needs to be secured, where is the said data located, where are the users located and how will these users connect to the system.

Regaining control: with all the connectivity inherent to the cyber environment, the BYOD trend and the synchronization between various devices, it is sometimes hard to keep track of entry points and times into the system, but time and location alerts can be incorporated into MFA. Credit card companies already apply the location alert when the usual pattern in customer usage is disrupted. Behavioral profiles are more or less included in multiple authentication – when there are repetitive daily processes involved, each user develops its personal timing and reaction chain. It is not always that this extra protection layer is capitalized, but it is nevertheless present and utilizable.

Limitations in the multi-factor authentication protection

There are weak points in any security defense system and some of them can be exploited for MFA as well. Although by employing MFA a company has already left the target position when it comes for many of the common hacking groups, the remaining high-end attackers are always stretching out their capabilities.

An example of multi-factor authentication overpowering is account recovery. When requested, account recovery completely bypasses MFA without actually checking whether the original data was really lost or not. This issue was demonstrated with a Google account by a Duo Security team, and you can see the details in their article.

Another case of defeating MFA (actually in both these cases it was two-factor authentication, not multi-factor, but nevertheless, both demos are instructional), consists in using the iDict hacking tool to bypass 2FA and access any Apple iCloud account. By using a password dictionary, the tool practically run a PHP code with 500 words in the local browser – and managed to access the accounts.

As we already mentioned, both examples are in reference to 2FA and pave the way for a stronger multiple-factor authentication, starting from three factors up.

As many envisage the future of authentication at its intersection with biometrics, it is only natural that at least one of the minimum three factors would be biometric, an inherent factor such as fingerprints, face or voice structure or even behavior patterns.

Therefore, the limitations are actually concerning the incipient MFA structure currently used, rather than the entire authentication paradigm of separate combined factors serving one single login. Once the MFA will really grow into its own definition and take various forms, its vulnerabilities would decrease or at least considerably change type.

Future MFA Challenges

Let’s consider MasterCard’s multi-factor authentication option of using selfies as one of the factors. Using facial recognition software, the method makes sure that the user’s identity valid. Real-time confirmation of the online actions is theoretically ensured – but many scenarios may occur where the person’s biometric authentication is not by his/hers free will.

When it comes to highly sensitive data, this potential vulnerability is not negligible. How can a biometric recognition software detect the free will when it comes to the person that logs into a system? There are studies that try to determine a recognizable link between facial dynamics and free choice/free will (you can check as an example a book edited by MIT Press here, or another work from Indiana University on formal models in face recognition that considers the free-choice tasks vs forced-choice ones issue – here.) The question has been raised and it is currently researched.

Other challenges may as well appear at each new step into stronger multi-factor authentication methods. Predictable or not, these would only improve cyber-security once overcome. Nevertheless, using MFA to protect your data is by far a better method than single factor authentication. When implementing 2FA or MFA, your data becomes better protected from cyber-attacks.