Better Authentication Options in 2022
Some of you may have seen the recent news about “0ktapus,” a sophisticated phishing effort that targeted more than a hundred major companies. This attack attempted to compromise corporate accounts with fake login pages that captured both passwords and MFA (multi-factor authentication) codes, giving attackers one-time access to accounts with MFA enabled if they used the captured codes during the handful of seconds in which they were still valid.
In light of this alarming news, this week, we’re going to briefly review which types of MFA tokens are most secure. Up next, we’ll talk about other tips and strategies for improving the security of your MFA-protected accounts.
In brief, MFA refers to systems that require more than one type of authentication to access. Typically, this means entering a password and doing a second thing, such as clicking a link in a recovery email, entering a code you were texted, choosing “approve” on a notification on your phone, or physically connecting a device to your computer.
Not all MFA options are equally secure.
5. The worst MFA option is no MFA at all.
If only some of the options below are possible for you, it is still better to choose the strongest option your account provider supports than to have no MFA option on your account. Not having MFA makes accounts much, much easier for hackers to take over, and enabling MFA is one of the basic internet security steps we recommend to everyone.
4. MFA emails or sign-in verification emails are the second-worst option. The links or codes they carry often remain valid for ten minutes or more, and relying on them makes it easier for someone who has broken into one of your email accounts to take over your other accounts. If you must use email, for instance for an electronic medical record or banking system, it is best to use an email account that is itself protected with one of the stronger MFA options.
3. SMS (recovery text messages) are the third-best MFA option. Their codes typically stay valid longer than codes from hardware or software TOTP (Time-based One-Time Password) tokens. More alarmingly, depending on your cellphone provider and location, they may be easy to intercept compared to dedicated hardware or software tokens. Compared to email, though, taking over or intercepting text messages directed to your phone number is fairly difficult and expensive.
2. Physical hardware tokens are the second-best MFA option. Their weaknesses are about practicality more than security. Something like a smart card, Yubikey, or other specialized physical token that stores your TOTP MFA secret is very, very hard for anybody else to access – but it can be tricky for you to access, too, because this type of token can be expensive to buy and easy to lose or damage.
1. Smartphone Apps
Using a smartphone app from a major company such as Microsoft or Google means that you can acknowledge a notification instead of typing a code, creating a smoother and more pleasant user experience. Importantly, people forget or lose their phones far less often than they lose hardware tokens. Software-based tokens of this kind are very, very difficult to compromise in most cases. We’ll talk about exceptions and caveats to this next time.
Thank you for reading! If you have more questions about MFA or account security in 2022, please don’t hesitate to contact Deep Core Data, and be sure to tune in later this month for more information about securing MFA.