Multi-factor Authentication

Multi-factor authentication requires users to present multiple pieces of evidence, or factors, to verify their identity before accessing an account or system. This approach drastically reduces the risk of unauthorised access, even if one factor is compromised. The most common factors used in MFA fall into three categories:

  1. Something you know : This typically involves a password, PIN, or security questions.
  2. Something you have : This can be a physical token, a smartphone, or a hardware security key.
  3. Something you are : This encompasses biometric factors such as fingerprints, facial recognition, or voice patterns.

Two-Factor Authentication (2FA) vs Multi-Factor Authentication (MFA)

The primary difference between MFA (Multi-factor Authentication) and 2FA (Two-Factor Authentication) lies in the number of authentication factors required:

  • 2FA : Requires exactly two distinct authentication factors to verify a user’s identity.
  • MFA : Requires two or more distinct authentication factors.

Essentially, 2FA is a specific type of MFA where the number of factors is limited to two. Where 2FA stops at two factors (e.g. entering a password followed by a one-time password sent to your phone), MFA could also require a fingerprint scan after those two. MFA is technically considered more secure than 2FA because it allows for additional authentication factors, adding further layers of protection. However, the actual security level depends on the specific factors used and how they are implemented.

While 2FA offers a significant improvement over single-factor authentication (password only), MFA provides even greater security by requiring multiple distinct factors. The choice between 2FA and MFA depends on the level of security required for a particular system or application.

General Advice on Multi-factor Authentication

  • All accounts should be secured with MFA; in the United Kingdom this is even a regulation (Strong Customer Authentication) that requires it of services.
  • Allow fallback to less secure MFA methods, but apply techniques such as ‘step-up’ authentication when a less secure method has been used.

Security of MFA types

The following list is a generalised ranking of common MFA types from least to most secure (there are additional factors that this ranking does not take into account):

  1. SMS One-time Code : While SMS is the most convenient, there are widely known attacks against it that make it the least secure secondary factor.
  2. Email One-time Code : While email is the easiest to configure, transmitting a randomly generated code over the internet makes this one of the less secure secondary factors.
  3. Time-based One-time Passwords : TOTPs are the first secondary factor in this list that is generally considered secure, because the codes are generated locally and never transmitted over the internet.
  4. Hardware tokens : Hardware tokens are marginally more secure than TOTPs as they are dedicated hardware and less susceptible to malware.
  5. WebAuthn (FIDO2 / Passkeys) : WebAuthn is the gold standard in this list; its cryptographic design makes it significantly harder to attack, so it is the most secure.

Types of Multi-Factor Authentication

In most setups the password is considered the first factor, but there are multiple options for additional factors. Here are some of the most popular, with their strengths and weaknesses:

Email One-time Code

One of the most basic and easiest to implement additional factors is a one-time code sent to the user’s registered email address. This is usually a good backup when other additional factors are not available.

Advantages

  • Easy to Implement
  • Generally users will have access to an email address.
  • Low cost as there is no need for additional hardware.
  • Most people are familiar with receiving and using codes sent via email, minimising the learning curve.

Disadvantages

  • Not convenient for users (they need to log into their email account).
  • Phishing attacks can trick users into divulging their email credentials or the 2FA code itself.
  • Email delivery can sometimes be delayed, causing inconvenience and potential login failures.
  • Compared to other 2FA methods, email codes are considered less secure as they rely on something the user knows (email credentials), which can be compromised.
  • Keeping this factor secure relies on the user keeping their email account secure as well (i.e. also protected with MFA).

An additional attack vector: some authentication solutions allow users to reset their password via email through a “Forgot Password” link. In that case, if the email account is compromised, an attacker could reset the password and also obtain the 2FA code, so both factors collapse onto the one email account.

SMS One-time Code

Similar to the Email One-time Code, but the code is sent via SMS to the user’s mobile phone. This is usually a good backup when other additional factors are not available.

Advantages

  • Virtually everyone has a mobile phone capable of receiving SMS messages, making it a widely accessible method for implementing MFA.
  • Users are generally familiar with receiving and entering codes from SMS messages, leading to minimal user friction.
  • Unlike hardware tokens or dedicated authenticator apps, SMS-based MFA doesn’t require any extra equipment or software installations.

Disadvantages

  • Compared to other 2FA methods, SMS codes are considered less secure because SMS is not an encrypted channel and there are several well-known attack vectors.
  • SMS-based MFA relies on a functioning mobile network, making it unreliable in areas with poor reception or during network outages.
  • More complicated than email: an SMS provider (or one per country) needs to be engaged to be able to send SMS.
  • More costly than email, as SMS providers charge per message sent, so the more users log in, the more you pay.

Well known Attack Vectors

  • SIM Swapping Attacks : Attackers can potentially trick mobile carriers into transferring a victim’s phone number to a SIM card they control, allowing them to intercept MFA codes.
  • SMS Interception : In some cases, attackers can exploit vulnerabilities in the SS7 (Signaling System 7) protocol used by mobile networks to intercept SMS messages.
  • Malware on Phones : Malware installed on a user’s phone can potentially read incoming SMS messages, including MFA codes.
  • Phishing : Phishing scams can trick users into divulging their MFA codes, even if they haven’t fallen for other tricks to reveal their primary password.

SMS-based MFA is better than relying solely on passwords, offering an additional layer of security that is easy to implement and use. However, its vulnerabilities, particularly the risk of SIM swapping and SMS interception, make it less secure than other MFA methods like authenticator apps or hardware tokens. It is generally recommended to use a more secure MFA method. However, if SMS-based MFA is the only option available, users can take precautions such as enabling SIM lock with their carrier and being wary of phishing attempts.

Time-based One-time Passwords

The user runs an authenticator app on their smartphone that generates time-based one-time passwords (TOTPs). This method is considered more secure than SMS-based MFA.

Advantages

  • Generally considered more secure than SMS or email, as the codes are generated locally and have a short lifespan.
  • Widely supported by many online services, and an open standard, so you can choose your TOTP application rather than needing a different one for each provider.
  • No network dependencies, unlike SMS or email.
  • Cost effective, as there are no additional costs for users or service providers.

Disadvantages

  • They rely on users having access to their smartphone; if the device is lost, stolen, or damaged, access to the account may be hindered (always allow backup MFA).
  • In rare cases the device’s clock may drift out of sync, leading to invalid TOTP codes.
  • While TOTPs are resistant to interception, attackers can still use phishing techniques to trick users into revealing their codes or the secrets used to generate them.
  • While rare, vulnerabilities in specific authenticator apps could potentially be exploited by attackers.

TOTPs provide a strong and convenient form of MFA that is widely adopted and relatively easy to use. While they are not completely foolproof, their advantages generally outweigh their disadvantages, making them a popular choice for enhancing online security. Users are advised to choose reputable authenticator apps, keep their devices secure, and enable backup options to mitigate potential risks.

Hardware tokens

Hardware tokens are physical devices that generate one-time codes or hold cryptographic keys. They offer a distinct set of benefits and drawbacks when used for multi-factor authentication (MFA).

Advantages

  • Hardware tokens are generally considered more secure than software-based methods like SMS or authenticator apps, as they are less susceptible to remote attacks and phishing attempts.
  • Since the codes or cryptographic operations occur within the token itself, they are not transmitted over networks where they can be intercepted.
  • Many hardware tokens function without requiring an internet connection, making them useful in environments with limited connectivity.
  • Unlike smartphones, which may run various apps and potentially contain vulnerabilities, hardware tokens are solely dedicated to authentication, reducing the attack surface.

Disadvantages

  • Hardware tokens can be relatively expensive to purchase and deploy, especially for large organizations with many users.
  • Physical tokens can be lost, stolen, or damaged, potentially leading to account lockout and recovery challenges.
  • Deploying and managing hardware tokens can involve additional logistical and administrative efforts compared to software-based solutions.
  • Carrying and using a physical token can be less convenient than relying on a smartphone or other readily available device.
  • Some hardware tokens may only support specific authentication protocols or may not offer features like push notifications or biometric verification.

Hardware tokens were popular in the early 2000s, when few users had smartphones, and are not as widely used anymore, but they still provide a robust level of security, particularly against remote attacks and phishing. While they involve an upfront cost and can be less convenient than some software-based options, their inherent security benefits make them a valuable choice for organizations prioritizing strong authentication for sensitive data and critical systems.

WebAuthn (FIDO2 / Passkeys)

WebAuthn is a web standard for authentication based on public-key cryptography. At registration the user’s authenticator (a hardware security key, or a phone or laptop with a secure hardware module) generates a key pair and the service stores only the public key; at login the authenticator signs a challenge issued by the service, so no password or reusable code is ever transmitted.

Advantages

  • Due to the public-key cryptography underlying the technology, it is extremely hard to phish this method.
  • WebAuthn utilizes public-key cryptography, a robust security mechanism that is resistant to various attacks, including brute-force and man-in-the-middle attacks.
  • WebAuthn enables a passwordless login experience, eliminating the need for users to remember and manage complex passwords, which can be a major vulnerability.
  • Users typically interact with WebAuthn through familiar methods like biometric authentication (fingerprint, facial recognition) or PINs, providing a seamless and convenient experience.
  • WebAuthn is widely supported by most browsers and operating systems.

Disadvantages

  • WebAuthn requires a compatible device with a secure hardware module, limiting its use on older or less secure devices.
  • Account recovery can be more complex with WebAuthn compared to traditional password-based systems, requiring users to set up backup methods or rely on service providers’ recovery mechanisms.
  • While WebAuthn adoption is growing, it’s not yet universally supported by all online services and applications.
  • Users may need some initial guidance to understand and adopt WebAuthn, as it differs from traditional password-based authentication.
  • Implementing WebAuthn on the server-side can be more complex than traditional authentication methods, requiring additional development and infrastructure considerations.

WebAuthn represents a significant advancement in MFA, offering enhanced security and a passwordless experience. Its resistance to phishing and strong cryptographic foundation make it a highly attractive option for protecting sensitive accounts and data. While challenges remain with device compatibility and user adoption, WebAuthn is poised to become a leading standard for secure online authentication.

Conclusion

Multi-factor authentication (MFA) stands as a crucial line of defense in the modern digital landscape. By requiring multiple factors to verify a user’s identity, MFA significantly reduces the risk of unauthorised access, even if one factor is compromised.

While the ideal MFA solution may vary based on individual needs and risk tolerance, the evolution of technology continues to offer a diverse range of options, from the ubiquitous SMS and email codes to the more advanced WebAuthn and hardware tokens. As cyber threats become increasingly sophisticated, it’s imperative that individuals and organizations prioritize the adoption of MFA to protect sensitive information and critical systems.

Remember, security is an ongoing process. By staying informed about the latest MFA technologies and best practices, and by carefully evaluating the strengths and weaknesses of different methods, you can make informed decisions to safeguard your digital presence and ensure a safer online experience. Don’t wait for a security breach to occur – take proactive steps to implement MFA today and fortify your defenses against the ever-evolving threat landscape.