The Vulnerabilities of MFA and Which Form is Most Secure (2024)

Thank you for reading IT Enlightenment for SMBs, a weekly series that provides actionable IT advice & tech tips for your business’s growth and success. These tips stem from over 20 years of providing executive-level IT management to hundreds of small and mid-sized organizations, like yours, in a variety of industries. As the founder and principal of Pagoda Technologies, my purpose is to help business owners secure and streamline their operations, optimizing productivity and cybersecurity so that they can achieve their goals and focus on the work that matters most to them.

I’m glad you’re here and hope these weekly tips are invaluable in informing the success and security of your business. Make sure to subscribe using the button above!

Two-factor authentication (2FA) and multi-factor authentication (MFA) are both ways to add a layer of security to your account access. Rather than just relying on a password to log in, MFA requires one or more extra steps. Typically MFA requires a combination of the following:

  • Something you know (password)
  • Something you have (authenticator token, smartphone or other device)
  • Something you are (facial or fingerprint recognition)

There are multiple forms of MFA and while the use of any one of them will make your accounts more secure than only using a password, some versions are more secure than others.

Let’s review how MFA works, the different forms of MFA, and the vulnerabilities of each.

‘Something you have’ forms of MFA

You’re probably familiar with some form of ‘something you have’ MFA. This form includes sending a code via email/SMS, an authenticator app, a hardware authenticator, or a push notification.

Single-use codes via email/SMS

Using email or SMS as part of your MFA method involves entering a code sent to your email or phone after you enter your password. This is perhaps the most common and familiar form of MFA, but also the least secure.

While it does require one extra step to gain access, making it more secure than just a password, our emails aren’t typically the most secure accounts. The primary problem is that people often remain logged into their email accounts. This means that if someone were to gain access to the network, they could easily view all received messages in the email account (or most likely accounts plural) on that network, uncovering the required code.

A 2019 Google/Harris Poll also revealed that nearly two-thirds of those surveyed reuse the same password across multiple accounts.

If you use the same password on multiple accounts, SMS-based MFA becomes especially vulnerable.

This statistic makes using email for MFA highly vulnerable to hackers, especially if you happen to use the same password for your email and for the account protected by MFA. When you use a password to log in to your email, the single-use code becomes more of ‘something you know’ than ‘something you have.’ You should always use a combination of two different forms of authentication for optimal security.

SMS or text-based MFA can also be hacked through a practice called SIM swapping. This is where a cybercriminal takes over a phone number, allowing the single-use code to be sent to another phone.

Lastly, MFA that relies on the use of codes is inherently susceptible to social engineering. Unless your entire team is exceptionally adept at spotting phishing and social engineering attacks, they could unknowingly share the code with an unauthorized party. Learn more about the risks of SMS-based MFA in this recent issue of Enlightenment for SMBs.

Authenticator app

An authenticator app also uses a single-use code, but with this form of MFA the code is produced by a secure app on your device. The benefit of this method is that the code isn’t transmitted between the server and the client. The downside is that these apps are not immune to malware attacks. It also still requires a code, which is susceptible to social engineering.


Push notification

A push notification works like this: You type in your password and then a notification is “pushed” to your smartphone. It pops up on your screen, prompting you to accept it in order to authenticate access to the account.

This is very convenient but also highly vulnerable to push attacks. Push attacks occur when a cybercriminal already has the username and password to an account. (Unfortunately, gaining access to your username and password may be easier than you think with 15 billion stolen credentials available on the dark web.) They then send multiple push notifications hoping to eventually force the user to click accept in an effort to make the flood of notifications stop.
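The flood of prompts described above leaves a clear trace in authentication logs, which gives a defender something to alert on. The following added example (illustrative code written for this edition, not Pagoda Technologies' tooling or any vendor's) runs a simple detector over a few constructed push-authentication log lines: it counts prompts per user inside a sliding two-minute window, raises one alert per burst once the count passes a threshold, and records whether the burst ended in an approval, which is the case that warrants an immediate password reset and session review. The log format, user names, IP addresses and threshold are all made up for the demo.

```python
"""Added example: detecting a push-prompt flood in sign-in logs (constructed data, illustrative only)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterator, List, Tuple

# Constructed sample log: timestamp, user, event, source IP. Not from any real system.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z alice push_sent 203.0.113.7
2024-03-04T09:00:02Z alice push_denied 203.0.113.7
2024-03-04T09:00:20Z alice push_sent 203.0.113.7
2024-03-04T09:00:25Z alice push_denied 203.0.113.7
2024-03-04T09:00:40Z alice push_sent 203.0.113.7
2024-03-04T09:00:50Z alice push_sent 203.0.113.7
2024-03-04T09:01:10Z alice push_sent 203.0.113.7
2024-03-04T09:01:30Z alice push_approved 203.0.113.7
2024-03-04T09:05:00Z bob push_sent 198.51.100.9
2024-03-04T09:05:04Z bob push_approved 198.51.100.9
"""

MAX_PROMPTS = 3                  # more prompts than this per window is a burst (chosen for the demo)
WINDOW = timedelta(minutes=2)    # sliding window length (chosen for the demo)


def parse_lines(text: str) -> Iterator[Tuple[datetime, str, str, str]]:
    """Yield (timestamp, user, event, ip) from the constructed space-separated format."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ts, user, event, ip = raw.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield when, user, event, ip


def detect_push_fatigue(log_text: str, max_prompts: int = MAX_PROMPTS,
                        window: timedelta = WINDOW) -> List[Dict]:
    """Return one alert per user whose prompt count within `window` exceeds `max_prompts`.

    Each alert records how large the burst grew, the source IPs involved, and whether
    the user eventually approved a prompt after the burst began.
    """
    recent: Dict[str, deque] = defaultdict(deque)   # user -> timestamps of recent prompts
    alerts: Dict[str, Dict] = {}                     # user -> alert record for the current burst
    for ts, user, event, ip in parse_lines(log_text):
        if event == "push_sent":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:                # drop prompts that fell out of the window
                q.popleft()
            if len(q) > max_prompts:
                rec = alerts.setdefault(user, {
                    "user": user, "burst_started": q[0], "prompts": 0,
                    "ips": set(), "approved_after_burst": False,
                })
                rec["prompts"] = max(rec["prompts"], len(q))
                rec["ips"].add(ip)
        elif event == "push_approved" and user in alerts:
            alerts[user]["approved_after_burst"] = True  # the flood worked: treat as compromise
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        severity = "CRITICAL" if alert["approved_after_burst"] else "WARNING"
        print(f"{severity}: {alert['user']} received {alert['prompts']} push prompts "
              f"within {WINDOW} starting {alert['burst_started']:%H:%M:%S} "
              f"from {sorted(alert['ips'])}; approved afterwards: {alert['approved_after_burst']}")
```

Detection is the second line of defence; the first is to stop the flood at the source by having the identity provider cap the number of prompts it will send per account in a short period, and to require the user to type a number shown on the login screen into the prompt (number matching) so that tapping "approve" out of annoyance no longer completes a sign-in the user did not start.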

Hardware authenticator or token

Hardware authentication utilizes a physical token that must be connected to your device to gain access to an account. The tokens often also require the use of a PIN before granting access.

This form of MFA is highly secure as it requires a separate device that is far less susceptible to malware than a Wi-Fi-connected device, like your smartphone. The primary downside to this approach is that should you lose the authenticator, regaining access to an account can be a tedious process.

‘Something you are’ forms of MFA

MFA that utilizes ‘something you are’ to validate your credentials relies on the technology of biometrics.

Biometrics

Biometrics uses physical characteristics, most commonly your face, fingerprint, retina, or voice, to identify an individual. Biometrics has been growing in popularity because it’s both convenient and secure. You can’t forget or lose your face or fingerprint, nor can it be stolen like a token or other physical device. It can, however, be impersonated or cloned using AI technology to create a deepfake.

The field of biometrics isn’t yet a perfect science, however, and the technology isn’t foolproof. Photos downloaded off the internet can be used to reconstruct a 3D model of your face that is realistic enough to trick facial recognition scanners. Fingerprints can also be cloned, but even with these vulnerabilities, biometrics still proves to be one of the more secure MFA options.

Passwordless authentication: something you are + something you have

Perhaps the most secure approach to MFA is doing away with a password or single-use code altogether. This approach is referred to as passwordless authentication and works by only using a combination of something you are and something you have. Phishing and social engineering attacks rely on tricking the target into revealing something they know, such as a password, single-use code, or a security question. By completely eliminating the need for something you know, you also reduce the risk of these types of attacks.

Which form of MFA is most secure?

To recap, using a combination of something you are (biometrics) and something you have (preferably a form of authentication hardware) is the most secure form of MFA. Passwords are too often weak and reused across multiple accounts to be reliably secure, and single-use codes are too vulnerable to interception.

It's important to stress, however, that using any form of 2FA or MFA can still decrease your risk of a data breach or cyberattack.

Missed last week’s IT advice & tech tips for business success? Read last week’s edition here and be sure to subscribe.

We publish a new blog post on our website on the 1st and 3rd Thursday of the month. These posts tend to be more in-depth than our weekly series, so make sure to visit our website and subscribe to our monthly newsletter to keep your business highly-informed.

Ready to talk about how Pagoda Technologies can provide you with an IT service partner at an affordable, flat monthly rate? Let’s connect and get you on the calendar for your free consultation.
