Multi-Factor Authentication: How It Helps You Stay Safe Online and How to Use It

Featured article David Bisson

Have you ever considered how much money an organization spends on cybersecurity? Some research suggests that cybersecurity costs tally upwards of $123 billion across the globe. Regardless of whether this figure is accurate, the total is significant, and despite such heavy investment, it still seems that one of the greatest weaknesses in cybersecurity is the implementation of password security.

Why is this so?

Part of the problem is the number of passwords that users now need to keep track of. In November 2021, for instance, Tech.co covered a report that put this number at 100. It’s a big jump over the 80 passwords that users needed to remember in 2020.

Employees can’t remember so many unique password combinations without the help of something like a password manager. To make things easier for themselves, many employees respond by reusing the same password or close variations of it across multiple web accounts. Help Net Security wrote that 54% of employees engage in this practice, with 22% of individuals keeping track of their passwords by writing them down.

Given the frequency of password reuse, it is no wonder that hacking techniques such as credential stuffing are so common and so effective. In a credential stuffing attack, a criminal uses known username and password combinations (such as those exposed in a data breach) to attempt to log into a user’s online accounts across multiple web services. Malicious actors can thereby leverage credential stuffing to gain access to an organization’s systems and data. Credential stuffing can be part of attacks against accounts, infrastructure, APIs, and other data exfiltration targets.

Defending Against Credential Stuffing with Multi-Factor Authentication

One method for reducing the effectiveness of credential stuffing is to use multi-factor authentication (MFA).

An MFA scheme involves requiring a user to supply additional factors of authentication as part of a login process. For instance, after supplying what they know (such as a password), the authentication scheme might require them to provide something that they have (such as a login prompt sent to their mobile device) or something that they are (such as a fingerprint) before they can access their account. In this way, MFA helps to protect access to an authorized account—even in instances where malicious actors compromise the corresponding username and password.

Using Multi-Factor Authentication

Most manufacturers of multi-factor authentication products offer multiple ways to complete the login process, ranging from more secure methods such as authenticator apps and hardware tokens to less secure approaches like verification codes sent via SMS-based text messages. In most cases, all that is required is the installation of a free authenticator application on a smartphone to generate the required login code.

The way that the MFA process works is simple. The typical login screen is presented, and after a username and password are submitted, the server performs the usual verification of the login information. If that is successful, the multi-factor authentication process activates. The scheme first checks to see if the person is registered in the system and what method of MFA the person prefers. If the person is registered in the system, then the preferred MFA challenge is sent, and the MFA process awaits a correct response before proceeding with the login. An incorrect or lack of response results in a timeout failure. A successful response completes the login process.

Many of the more robust multi-factor authentication systems include a mechanism for the possibility of more than one person requiring access to an account. For example, from a business continuity perspective, a business account should not be the responsibility of a single individual. Similarly, most MFA systems also include a secondary method to authenticate in case the primary method is unavailable such as when a smart phone is lost or otherwise inoperable.

MFA is Not Foolproof

It would be wonderful to imagine that MFA is a foolproof technology. However, that is never the case with any technology. Cybercriminals have created crafty methods to convince people to reveal multi-factor authentication codes that are issued via text messages. The success of these methods is one reason that text messages are considered the least secure of all MFA options.

There are other ways to circumvent MFA schemes. For instance, a proficient social engineer could use vishing techniques to convince a person into reading the verification codes issued by an authenticator app over the phone. Alternatively, attackers could send a person a link to a website masquerading as a legitimate service such as a bank or healthcare portal. When the visitor enters their MFA authentication code on the fake website, that code is surreptitiously sent to the criminal to use to complete the login process on the official site prior to timeout.

When one considers that criminals can undermine MFA with some effort, it makes it all the more important for organizations to take a multi-layered approach to security – across account security, API security, network security, and other vital programs. As an example, security teams can use Identity and Access Management (IAM) as part of a zero-trust model to continually verify and revalidate authorized users on an ongoing basis. They also need to make sure they have measures in place for detecting instances of account takeover (ATO). Those measures might include behavioral analytics, solutions which can provide insight into abnormal activity involving authorized accounts, within API and other security programs that tap network segmentation and access controls for preventing users from accessing resources that are outside the scope of their duties.

About the Author: David Bisson is an information security writer and security junkie. He’s a contributing editor to IBM’s Security Intelligence and Tripwire’s The State of Security Blog, and he’s a contributing writer for Bora. He also regularly produces written content for Zix and a number of other companies in the digital security space