Additional authentication and security controls
MFA is a method of verifying a user’s identity by requiring them to present more than one piece of information. By combining multiple layers of security, MFA decreases the chances of compromised online access to an account.
What are authentication factors?
Authentication factors are different ways of proving identity. There are three different categories of authentication factors:
- Something you know (knowledge): Passwords, PINs, answers to pre-selected security questions
- Something you are (being or inheritance): Face recognition, fingerprint scan, voice recognition
- Something you have (possession): SMS codes, one-time passwords, smart cards, ATM cards, mobile phones, key fobs:
Figure 1.6 – Authentication factors
As can be seen in Figure 1.7, the three different authentication factors can be used individually, or combined, as part of the same authentication process. The process of combining two different factor types in the same authentication process is called 2FA or MFA. The process of combining three or more different categories of authentication factors used in the same authentication process is called MFA.
To be considered 2FA or MFA, the authentication factors should be from different categories.
Most websites use a username and password combination to verify users’ identities. Some will attempt to increase security and require an answer to a security question as well. This is not MFA. Even though the user provided two factors to authenticate (password and answer to security questions), the second factor is also from the knowledge category. This is considered a two-step authentication process but a single factor.
Going back to our ATM example, MFA enhances security because it requires the hacker to obtain both factors of authentication before being able to access your money. If your wallet is stolen or you lose your ATM card, the person that has your card cannot use it without knowing the PIN as well. Similarly, if someone shoulder surfs (steals your PIN by spying over your shoulder as you use an ATM) and can use your PIN, they still don’t have the ATM card needed to complete the transaction.
Most free email providers, such as Gmail, Outlook, iCloud, and Yahoo!, provide some form of 2FA:
Figure 1.7 – Gmail 2-Step Verification confirmation
As we discuss MFA throughout this book, it is important to consider the needs of the organization and the types of users that are going to be using the systems. An authentication system needs to balance its security needs with the usability and risks of the application being accessed.
In certain industries and the government, special standards and regulations may also require (or prohibit) the use of different types of MFA systems.
https://2fa.directory/us/ provides a list of websites for different industries and whether or not they support 2FA and is a good place to look to see what your competition is doing in this area.
Criminals can obtain user credentials in different ways. For example, they can buy user credentials on the dark web, try brute-force attacks, or use social engineering methods.
Another problem with passwords is that users reuse passwords across many different sites; they may share passwords with their colleagues. They may also write the passwords on post-it notes and attach them to their monitor at work or home.
All these issues make using passwords as the single method to identify users a significant security risk for companies.
If passwords are not enough, what else can organizations do? MFA, or at least 2FA, is the most common solution. Google, in their latest Hacking Google series, states “Add 2FA to your account, and we do the rest regarding security.” Microsoft says that 99.9% of identity attacks can be blocked by MFA (https://www.microsoft.com/en-us/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/).
On the other hand, MFA overuse may cause customers to choose to move to a friendlier site and do business with a different company or abandon a shopping cart or transaction completely. Therefore, the balance between usability and security has to be considered according to the risk involved with the transaction.
In some cases, the use of MFA is based on other signals that help the system decide when to ask for a second form of authentication – for example, detection that the user’s IP address has traveled an impossible distance since the last login, rate limiting (capping the number of login attempts and increasing the delay after each failure), and bot detection, among others.
Other tools may create a profile of the browser or mobile phone used by the users and ask for additional authentication if the phone changes or screen dimensions change, among other characteristics.
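The following is an added example (not from the book) of how such signals can drive a step-up decision, written in Node.js. The thresholds, the haversine distance check, the exponential back-off schedule and the login-event fields (geo, device, consecutiveFailures, botScore) are assumptions chosen for the illustration, not part of any product the chapter mentions.

```javascript
// Added illustration (not from the book): a risk-based login check that decides
// whether to ask for a second factor. Thresholds and field names are assumptions.
const IMPOSSIBLE_SPEED_KMH = 900; // assumption: faster than a scheduled flight
const BASE_DELAY_S = 1;           // assumption: delay after the first failure
const EARTH_RADIUS_KM = 6371;

// Great-circle distance in km between two {lat, lon} points (haversine formula).
function haversineKm(a, b) {
  const toRad = (deg) => (deg * Math.PI) / 180;
  const dLat = toRad(b.lat - a.lat);
  const dLon = toRad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_KM * Math.asin(Math.sqrt(h));
}

// Exponential back-off after each consecutive failure: 1 s, 2 s, 4 s, ... capped.
function retryDelaySeconds(consecutiveFailures, capSeconds = 300) {
  if (consecutiveFailures <= 0) return 0;
  return Math.min(capSeconds, BASE_DELAY_S * 2 ** (consecutiveFailures - 1));
}

// lastSession: { time, geo: {lat, lon}, device: {userAgent, screen} } or null
// attempt:     the same fields plus consecutiveFailures and a botScore in [0, 1]
function assessLogin(lastSession, attempt) {
  const reasons = [];
  if (!lastSession) {
    reasons.push('no_prior_session');
  } else {
    // Impossible travel: distance since the last session divided by elapsed time
    // (at least one second, so a same-second login from afar is still caught).
    const hours = Math.max(attempt.time - lastSession.time, 1) / 3600;
    const km = haversineKm(lastSession.geo, attempt.geo);
    if (km / hours > IMPOSSIBLE_SPEED_KMH) reasons.push('impossible_travel');
    // Device profile: the browser/user agent or the screen dimensions changed.
    if (lastSession.device.userAgent !== attempt.device.userAgent ||
        lastSession.device.screen !== attempt.device.screen) {
      reasons.push('device_profile_changed');
    }
  }
  if (attempt.consecutiveFailures >= 3) reasons.push('repeated_failures');
  if (attempt.botScore >= 0.8) reasons.push('bot_suspected');
  return {
    requireSecondFactor: reasons.length > 0,
    reasons,
    retryAfterSeconds: retryDelaySeconds(attempt.consecutiveFailures),
  };
}

// Constructed sample: a session from New York, then an attempt from London
// ten minutes later on the same device.
const SAMPLE_LAST_SESSION = {
  time: 1700000000,
  geo: { lat: 40.71, lon: -74.01 },
  device: { userAgent: 'Mozilla/5.0 (X11; Linux x86_64)', screen: '1920x1080' },
};
const SAMPLE_LONDON_ATTEMPT = {
  time: 1700000000 + 600,
  geo: { lat: 51.51, lon: -0.13 },
  device: SAMPLE_LAST_SESSION.device,
  consecutiveFailures: 0,
  botScore: 0.1,
};

console.log(assessLogin(SAMPLE_LAST_SESSION, SAMPLE_LONDON_ATTEMPT));
```

A real deployment would look up the geolocation from the IP address and compare the device profile against several stored devices, not just the last one; the decision structure, however, is the same: collect reasons, step up when any apply, and keep the retry delay independent of whether the password was right, so that an attacker learns nothing from timing.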
Behavioral biometrics can also be used to create a profile of the user and perform continuous authentication of the user based on their behaviors, not only when they log in:
Figure 1.8 – Top five cyber attacks in 2022
According to a report by HYPR (https://get.hypr.com/state-of-authentication-in-the-finance-industry-2022), cyberattacks persistently targeted financial service institutions in 2022, as evidenced by the fact that 94% of those surveyed experienced some form of attack within the last year. As shown in the preceding figure, the most common type of attack continues to be phishing, accounting for 36% of incidents. Other frequently occurring attacks included malware, credential stuffing, MFA fatigue attacks, and Man-in-the-Middle (MitM) attacks.
Phishing
Employees frequently fall for emails that promise bonuses, an urgent request from their CEO, or a request from the Information Technology (IT) department. Those emails ask users to click on a website or verify their credentials. Unfortunately, the whole company may be compromised when the employee clicks on the link or enters their credentials where they shouldn’t.
Here are some other related attacks:
- When a hack is done via a phone call, this is known as vishing
- Similar to emails, SMS texts are sent to users in what is known as smishing
- When code to redirect the original browser request to a malicious website – without the knowledge or consent of the user – is installed on a server or personal computer, the attack is called pharming
Credential stuffing
Credential stuffing attacks occur when many username/password combinations are tried against a website. Bots usually perform this type of attack.
Malware
Malware, or malicious software, is a term that describes a malicious program or piece of code that is harmful to the user’s computer.
Malware is normally used in conjunction with phishing to obtain the credentials from a user.
Account Take Over (ATO)
The reuse of credentials causes another typical attack. Most users commonly use the same email or username on many different apps. At the same time, passwords are also reused. If one account is compromised, bad actors can use the same credentials and try to log in to many other sites. Account Take Over (ATO) is usually the outcome of a successful credential stuffing attack.
MFA fatigue – push notification attack
A common way to prevent a credential stuffing attack is by using a second authentication step in addition to a username and password. For example, systems may require users to accept an app push notification or receive a phone call and press a key as a second factor. When an attacker issues multiple MFA requests to the end user until the user accepts the authentication, this is called MFA fatigue. It is also known as a push notification attack.
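Credential stuffing and MFA fatigue leave distinct traces in authentication logs, which is how a defender usually catches them before an account takeover completes. As an added illustration (not from the book or the HYPR report), here is a small Node.js detector that parses a constructed log format and flags a source IP spraying failed logins across many accounts (credential stuffing) and a user being flooded with push prompts (MFA fatigue). The log format, the thresholds, the usernames and the IP addresses are all assumptions made up for the example.

```javascript
// Added illustration (not from the book): detecting credential stuffing and
// MFA fatigue in a constructed authentication log. Format and thresholds are assumptions.
const LOG_LINE = /^(\S+) ip=(\S+) user=(\S+) event=(\S+)$/;

// Parse lines like "2023-03-01T10:00:01Z ip=203.0.113.5 user=u01 event=login_failed".
function parseAuthLog(text) {
  const events = [];
  for (const line of text.split('\n')) {
    const m = LOG_LINE.exec(line.trim());
    if (!m) continue; // skip blank or malformed lines
    events.push({ time: Date.parse(m[1]) / 1000, ip: m[2], user: m[3], event: m[4] });
  }
  return events;
}

// True if at least `count` of the timestamps fall inside some window of `windowSeconds`.
function hasBurst(times, count, windowSeconds) {
  const t = [...times].sort((a, b) => a - b);
  for (let i = 0; i + count - 1 < t.length; i++) {
    if (t[i + count - 1] - t[i] <= windowSeconds) return true;
  }
  return false;
}

// Credential stuffing: one source IP, many failures, many distinct usernames.
function detectCredentialStuffing(events, { minFailures = 10, minUsers = 5, windowSeconds = 300 } = {}) {
  const byIp = new Map();
  for (const e of events) {
    if (e.event !== 'login_failed') continue;
    if (!byIp.has(e.ip)) byIp.set(e.ip, { times: [], users: new Set() });
    byIp.get(e.ip).times.push(e.time);
    byIp.get(e.ip).users.add(e.user);
  }
  const hits = [];
  for (const [ip, rec] of byIp) {
    if (rec.users.size >= minUsers && hasBurst(rec.times, minFailures, windowSeconds)) {
      hits.push({ ip, failures: rec.times.length, distinctUsers: rec.users.size });
    }
  }
  return hits;
}

// MFA fatigue: one user receives a burst of push prompts in a short period.
function detectMfaFatigue(events, { minPrompts = 5, windowSeconds = 600 } = {}) {
  const byUser = new Map();
  for (const e of events) {
    if (e.event !== 'mfa_push_sent') continue;
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push(e.time);
  }
  const hits = [];
  for (const [user, times] of byUser) {
    if (hasBurst(times, minPrompts, windowSeconds)) hits.push({ user, prompts: times.length });
  }
  return hits;
}

// Constructed sample log: a spray from 203.0.113.5, one user (bob) mistyping a
// password, five push prompts at carol in under three minutes, one at dave.
const SAMPLE_LOG = `
2023-03-01T10:00:01Z ip=203.0.113.5 user=u01 event=login_failed
2023-03-01T10:00:04Z ip=203.0.113.5 user=u02 event=login_failed
2023-03-01T10:00:07Z ip=203.0.113.5 user=u03 event=login_failed
2023-03-01T10:00:10Z ip=203.0.113.5 user=u04 event=login_failed
2023-03-01T10:00:13Z ip=203.0.113.5 user=u05 event=login_failed
2023-03-01T10:00:16Z ip=203.0.113.5 user=u01 event=login_failed
2023-03-01T10:00:19Z ip=203.0.113.5 user=u02 event=login_failed
2023-03-01T10:00:22Z ip=203.0.113.5 user=u03 event=login_failed
2023-03-01T10:00:25Z ip=203.0.113.5 user=u04 event=login_failed
2023-03-01T10:00:28Z ip=203.0.113.5 user=u05 event=login_failed
2023-03-01T10:01:00Z ip=198.51.100.7 user=bob event=login_failed
2023-03-01T10:01:30Z ip=198.51.100.7 user=bob event=login_failed
2023-03-01T10:02:00Z ip=198.51.100.7 user=bob event=login_ok
2023-03-01T10:05:00Z ip=203.0.113.5 user=carol event=mfa_push_sent
2023-03-01T10:05:40Z ip=203.0.113.5 user=carol event=mfa_push_sent
2023-03-01T10:06:20Z ip=203.0.113.5 user=carol event=mfa_push_sent
2023-03-01T10:07:00Z ip=203.0.113.5 user=carol event=mfa_push_sent
2023-03-01T10:07:40Z ip=203.0.113.5 user=carol event=mfa_push_sent
2023-03-01T10:08:00Z ip=198.51.100.9 user=dave event=mfa_push_sent
`;

const sampleEvents = parseAuthLog(SAMPLE_LOG);
console.log(detectCredentialStuffing(sampleEvents)); // flags 203.0.113.5
console.log(detectMfaFatigue(sampleEvents));         // flags carol
```

The two detectors share the sliding-window helper, and in the sample the push prompts aimed at carol come from the same IP as the password spray, which is the usual shape of a credential-stuffing attempt that got a correct password and is now trying to wear the user down. Number matching on the push prompt (the user types a code shown on the login screen) removes the "just tap approve" shortcut that MFA fatigue relies on.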
Man-in-the-Middle attack
An MitM attack is a type of session hijacking attack. The attacker eavesdrops on and intercepts an existing conversation by inserting themselves into the middle of the transfer.
The attacker pretends to be the other legitimate participant for both the user and the original web application, enabling them to intercept information and data from either side of the conversation. An MitM attack can be used for account takeover purposes or just for the duration of the session:
Figure 1.9 – MitM attack
In Chapter 2, we will discuss different types of authentication factors and what types can be used to prevent different types of attacks.
In addition to knowledge-based authentication factors, other commonly used authentication factors will be described next.
One-time password
A one-time password (OTP) is a mechanism for logging into an application or service using a unique password that can only be used once. OTP can be generated by security tokens or applications such as Google Authenticator or Microsoft Authenticator. SMS-based OTP is not recommended because of its vulnerabilities.
FIDO Alliance
The Fast Identity Online (FIDO) Alliance is an open industry association with a single goal: to create authentication standards to help reduce the world’s reliance on passwords.
FIDO Universal 2nd Factor standard
Yubico and Google developed the FIDO Universal 2nd Factor (FIDO U2F) standard. After FIDO U2F was successfully tested with Google employees, the standard was contributed to the FIDO Alliance.
The WebAuthn specification
WebAuthn is a World Wide Web Consortium (W3C) specification that allows the creation and use of strong, public key-based credentials for authenticating users. It is designed to be a secure and convenient alternative to traditional username and password authentication methods and can be used to authenticate users on websites and other online platforms.
WebAuthn works with the FIDO Client To Authenticator Protocol version 2 (CTAP2) to securely create and retrieve credentials on a security key. The two standards work together. Developers only use the WebAuthn specification; they don’t have to worry about CTAP2. WebAuthn uses public key infrastructure (PKI) to create and manage the public keys that are used for authentication.
One of the main benefits of WebAuthn is that it allows users to authenticate using a variety of different devices, such as security keys, biometric sensors (such as fingerprint scanners or facial recognition cameras), and other types of hardware tokens. This makes it easier for users to authenticate securely and reduces the risk of password-based attacks such as phishing and brute-force attacks.
WebAuthn is supported by most modern web browsers and is becoming increasingly popular as a secure and convenient way to authenticate users on the web.
FIDO2
The FIDO2 specification includes World Wide Web Consortium’s WebAuthn specification and FIDO Alliance’s corresponding CTAP. The specifications are open and free for general use.
Passkeys
Passkeys are replacements for passwords based on FIDO Alliance and W3C standards. Passwords are replaced with strong credentials (cryptographic key pairs). In addition, passkeys are linked with the website or application they were created for, thus being safe from phishing. Passkeys are not a new thing, just a new name for WebAuthn/FIDO2 credentials, enabling a fully passwordless experience for the user. Even though passkeys are on a user’s devices (something they have) and the relying party (the service provider that processes access to the applications) can ask for user verification, which is done by a biometric or PIN (something the user is or knows), some regulatory bodies still do not recognize passkeys as MFA.
This completes our introduction to MFA, authenticator factors, and the types of attacks companies face.