Using username and password for securing access to websites has been a standard practice for years. In today’s world password alone may not provide adequate security and leave your business at risk. Some common reasons why passwords are inadequate are
- Brute force attacks has been at much stronger now. With modern hardware and techniques, a cyber attackers have power to try billions of password combination per second.
- Poor password hygiene by users. Users tend to choose weak passwords, reuse passwords across sites etc.
- A password database breach can expose significant information if passwords are not properly hashed and salted.
What is MFA ?
Multi-factor authentication is a security system which requires users to provide at least two separate piece of evidences to grant access to a system. These evidences can be of following types :
- Knowledge (Something they know like password/pin)
- Possession (Something the posses like a mobile phone/card)
- Inherance (Something they are like biometric information such as fingerprint, iris scan)
It is important that the two factors belong to different categories. One of the most common example of MFA is withdrawing money from an ATM machine. In order to withdraw money you need to have the ATM card (possession) and know the PIN (knowledge).
Different ways to implement MFA
There are many ways to implement multi-factor authentication. One of the most common technique is to login using username/password as the first factor and a one time password (OTP) sent to the user via different means as second factor. This OTP will be valid for a short time. Lets have a looks as some common ways to implement second factor.
SMS based OTP
User can receive the OTP via SMS message. This is one of the most widely used mechanism. This has an advantage that the user does not need a smart phone or an internet connection. Through its still widely used, there are a number of exploits which we’ve seen in the wild that degrade the security of the channel. SMS channels are non encrypted and can be easily intercepted. NIST has recommended SMS OTP mechanism to be ‘deprecated’ and not to be used as only mechanism for new setups due to security concerns.
Voice call based OTP
Voice calls based OTPs or confirmations are also used as second factor. Voice is prioritized on carrier networks and gives the greater reliability. Intercepting voice lines may be harder than SMS but can still be tapped.
Email based OTP
Emails can also be used as a medium for delivering the OTP. It’s not great two factor, for a couple of reasons. The user is very likely to read email on the same machine they log onto your service with, but that’s also a problem with SMS a lot of the time. And of course email is a very insecure channel.
TOTP (Timed based OTP) via soft token or hard token devices
These are rotating passcodes seeded by an application. The time based OTP is generated separately on server and client app using same algorithm and key using current time as a factor. As long as a device’s time is synced, they will even work offline. Key advantage with TOTP is that they are generated on client device instead of being delivered which make it less susceptible to attacks. This requires a custom application on client side.
With this approach a push notification is sent to user’s device where user can respond by pressing accept or reject. Push creates a direct, mutually-authenticated, securely encrypted channel between the trusted 2nd-factor device and the authentication service. This is most secured as the communication channel is encrypted which makes is resilient against man-in-middle attacks. This also requires custom application on client side.
Key security concerns with MFA
MFA is not a silver bullet to completely secure your business. It comes along with its own challenges. Some of challenges/vulnerability with MFA are as below.
Encrypted delivery channel
If the second factor delivery channel is not encrypted, it can be intercepted. SMS channels can be intercepted by privileged users, or by compromising SMS logs. Voice too can be tapped. TOTPs, regardless of whether they are soft tokens or hard tokens, are generated on a trusted device instead of being delivered, so they are generally not susceptible. Push uses a encrypted communication channel which makes it safe against such attacks.
Rogue apps stealing codes
Some or most of the applications on the phone can read SMS. If a rogue app is installed, codes sent to the device can be captured and sent on to the hacker, without needing physical access to the phone. Voice, TOTP, push mechanism are not vulnerable to this issue.
Phishing is the biggest and most prevalent vulnerability with MFA solutions today, and all one-time password solutions are vulnerable. Push authentication methods eliminate this type of attack.
Man in the Middle
SMS messages appear in logs, and both SMS and Voice can be redirected by people with privileged access to telecom infrastructure like the SS7 system. TOTP and push-notification are not vulnerable to this type of attack.
No security system is perfect but as a common security principle of defense in depth, Multi Factor Authentication can play an important role to provide another level of security. This is much better than having only password based security. If there is a password breach or compromise, your user’s data will still be safe if you have multi factor authentication in place. This will increase users trust in your business. I would say, a multi-factor authentication is a must have in your website if your website uses username/password for user authentication. Out of different options for second factor, push authentication and TOTPs are more secured MFA options compared to SMS, voice or email based OTPs.