Is MFA the Answer?


A password entered at login to reach a website or account was once considered a security measure that would keep out folks who had no business getting in. Then criminals figured out that passwords were weak and easily guessed or cracked. So along came two-factor (2FA) and multi-factor (MFA) authentication to help secure accounts. Authentication is the process of validating a user’s identity. Authentication factors include:

  • Something you know: password, PIN
  • Something you have: mobile phone, hardware token, one-time passcode (OTP)
  • Something you are: biometrics like fingerprint or voice recognition

2FA involves two factors to identify the user. The password would serve as the first part. The second factor could be a text message sent to your mobile phone. MFA involves two or more factors in order to authenticate. 2FA is considered a subset of MFA.

The more layers you apply, the more secure you will be. But don’t think that this will make you bulletproof.

Cybercriminals have effectively used methods to bypass the MFA process.

  • MFA bombing assumes that the crook already has the user’s password. The attacker then sends a series of push notifications to the user, hoping that the user will inadvertently accept one of the requests.
  • Social engineering techniques, such as phishing, can still assist an attacker with success in bypassing MFA.
  • Man-in-the-middle (MitM) attacks can be used as well, allowing the attacker to intercept communications between two parties and steal credentials and MFA tokens.
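As an added illustration of the MFA bombing pattern from the defender's side (example code written for this article, not from the original post): a small detector that scans constructed push-MFA log lines for a burst of prompts in which the user denies several and then approves one. The log format, event names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample push-MFA log (not from any real product), one event per
# line: "<timestamp> <user> <event>", event = push_sent|push_denied|push_approved.
SAMPLE_LOG = """\
2024-03-01T09:00:05Z alice push_sent
2024-03-01T09:00:20Z alice push_denied
2024-03-01T09:00:31Z alice push_sent
2024-03-01T09:00:45Z alice push_denied
2024-03-01T09:01:02Z alice push_sent
2024-03-01T09:01:15Z alice push_denied
2024-03-01T09:01:30Z alice push_sent
2024-03-01T09:01:50Z alice push_approved
2024-03-01T09:00:10Z bob push_sent
2024-03-01T09:00:25Z bob push_approved
"""

def parse_log(text):
    """Parse the constructed format into (timestamp, user, event), oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return sorted(events)

def detect_push_bombing(events, window=timedelta(minutes=5), max_prompts=3):
    """Return {user: finding} for users sent more than max_prompts push prompts
    within one window. Severity is 'high' when an approval follows a denial in
    the burst (the worn-down-user pattern), else 'medium' (e.g. a retry storm)."""
    per_user = defaultdict(list)
    for ts, user, event in events:
        per_user[user].append((ts, event))
    findings = {}
    for user, evs in per_user.items():
        for start, first in evs:
            if first != "push_sent":
                continue
            burst = [(ts, e) for ts, e in evs if start <= ts <= start + window]
            prompts = sum(1 for _, e in burst if e == "push_sent")
            if prompts <= max_prompts:
                continue
            denied = [ts for ts, e in burst if e == "push_denied"]
            worn_down = any(e == "push_approved" and denied and ts > denied[0]
                            for ts, e in burst)
            findings[user] = {"prompts": prompts, "denied": len(denied),
                              "severity": "high" if worn_down else "medium"}
            break  # one finding per user is enough to raise an alert
    return findings
```

Run against the sample, alice is flagged as high severity (4 prompts, 3 denials, then an approval) while bob's single prompt and approval stays quiet; number matching in the push client and alerting on this pattern are the usual mitigations.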

Push notifications and hardware tokens are more secure ways to use MFA. Passwordless MFA, based on FIDO standards, is considered the best recommendation for phishing-resistant authentication. Although miscreants will continue to use their nefarious resources to thwart your defenses, MFA should be implemented and is an added security layer.
