How secure are your logins to your bank, credit cards, email, online stores, social media, password safe, or accounts you use for work? Do you use authentication apps like Duo, Google Auth, or Authy? How many different factors do you use today to get access to your devices and services? Once you’ve thought about your answers to these questions, let’s see if I can introduce any new ideas to you.
You may think you have a strong password, but check out this article from Newsweek with a chart of how long it takes for a hacker to crack your password: https://www.newsweek.com/read-this-chart-find-out-how-fast-someone-can-hack-all-your-accounts-1528937 The main piece of that chart that sticks out to me is that a complex, 8-character password can be cracked in 8 hours. If the only thing standing between a hacker and one of your accounts listed above is 8 hours, do you think taking a few extra seconds of your time when you login might be worth the extra protection? I do!
Quick caveat: I’m using the term multi-factor authentication as a general term. I know the term 2FA (Two-factor authentication) is technically correct when you’re using 2 forms of authentication and MFA is used when you’re utilizing more than two. I hope you’ll forgive my referring to anything more than a single factor as MFA for the purposes of this blog.
Many of the sites you log into may already force another factor of authentication beyond just a username and password. More still have it as an option. So, what is multi-factor authentication? Multi-factor authentication is kind of like having a locking doorknob, a deadbolt, and one of those sliding chain locks as well. Bear with me on my analogy here. The more locks you add, the harder it is for someone to get in. Your username & password is like the locking knob (a long, complex password is like remembering to lock it). It keeps out most people, but someone who knows how to use a lockpick (brute force attack), a credit card (dictionary attack), or has researched the doorknob manufacturer and knows about a mechanical weakness (found your password on the dark web) will be able to get the door open. If you have a deadbolt that uses a separate key (MFA) on top of that, you’ve made it more difficult, and some unscrupulous individual would have to REALLY want to put in the time and effort to get past both locks. If you have a chain lock on the inside as well (asking for your mother’s maiden name), you’ve added yet another hurdle. That’s not to say someone still couldn’t get in if they were really determined, but you’ve added 3 obstacles, which is hopefully enough to deter all but the most dogged criminals.
The “door” to your data using various multi-factor authentication is not foolproof or guaranteed to keep your accounts safe, but by focusing on a layered security approach, multi-factor authentication can be a wonderful tool in your security arsenal. I’d like to share some information with you on the various forms of MFA and some ways that they’re hacked to hopefully give you a little extra knowledge before your next account login.
What are the different factors in MFA (Multi-Factor Authentication)?
- Something we know (like a password, PIN, or our Mom’s maiden name)
- Something we have (like a USB token or the auth app on our phone)
- Something we are (like a fingerprint or face recognition)
Some of the most common forms of MFA that I come across are:
- An SMS message with a one-time code to the mobile number you entered when you set up your account (already ready to go with your mobile device)
- Authenticator apps on your smartphone that use a local algorithm that changes a code every so often (both free & paid options are available)
- A physical device separate from your phone that does the same thing (typically more expensive and used by corporations)
- Authenticator apps on your phone that provide a better user experience by offering a “push” authentication request that you have to accept through the app (no number typing required)
Let me give you an example of a single authentication I do nearly daily. To login to my laptop, I use facial recognition (something I am), then I login to my Office 365 account with my name & password (something I know), then I’m prompted with an MFA challenge to the authentication app on my phone (something I have), but in order to accept it, I need to unlock my phone with my fingerprint (something I am). So, for this single login I’ve used 4 factors of authentication.
What are some hacks that are in use today that could potentially get around MFA?
- SIM card cloning or swapping – someone would need to get hold of the physical SIM card out of your phone to clone it, which hopefully you can prevent by keeping track of it. For a SIM swap, someone may be able to pretend they’re you & talk your phone provider into sending a replacement SIM to them with your number on it. Usually for it to activate, you’d need to turn your phone off, and then your phone calls and text messages will no longer come to your phone, so you should know about it pretty quickly. It’s worth noting that these SIM hacks allow the hacker to intercept SMS messages, not your authentication apps.
- Phone backup/sync account access – if you backup your phone (including text messages) to a cloud account & that account is compromised, someone could potentially get access to your text messages. This too, puts your SMS auth messages at risk, not your authentication apps.
- Phishing – there are a few phishing methods (sending an email with a link for you to click on) that can get around your MFA. The one I’ve heard about most takes you to your login site and lets you authenticate like normal with your name, password, and MFA code, but because the link you clicked routes all traffic between you and the site through the hacker, they now have access to the token that your login site gave you to prove you’ve authenticated. Now they can access that site and use that token as proof that they’re you. As you can imagine, this works with any of the MFA methods, so I can’t recommend highly enough getting as educated as possible about what to look for to avoid falling for a phishing attack. (Check out my blog on the Colonial Pipeline [https://www.lookingpoint.com/blog/colonial-pipeline-what-did-we-learn] for more info about phishing and some other security recommendations.)
Security is a deep rabbit hole with many paths. Here are some recommendations, but please know there are many more that are merely an internet search away:
- Long, complex passwords that are not reused anywhere else: As your first line of defense, try to use a long password (over 12 characters long) with different character types (numbers, lower-case letters, upper-case letters, and symbols). The length & complexity will make it a lot harder to crack. Don’t reuse the password in case one of the places you use it gets hacked and your password is discovered. You can test your password and get more info on password security at https://www.security.org/how-secure-is-my-password
- Use an authentication app instead of a text message where possible
- If you have an authentication app that you like, see if you can register it in place of other common ones. I’ve found that many providers that offer a QR code for MFA registration can be used interchangeably with Google Auth, Microsoft, or Authy. Once you register with one app, it can be a little work to change later.
- Keep in mind that when you change phones, you may have to set up your authentication apps again. Don’t give that old phone away until you’ve made sure you’re all set up!
- If you are using a smart phone or tablet as a form of MFA, make sure it has some kind of lock on it, whether it’s a pin code, fingerprint, or face recognition – that’s another factor!
Long ago, I was told to think about security as a balance between usability and safety. The easier it is to access your data, typically, the less safe it is, and vice versa. Ultimately, we all must find and maintain a balance that allows us to do what we need to do while taking reasonable precautions that make it difficult for someone else to access it. I think MFA gives you a great security “bang for your buck”, so next time you log in to an account that only uses a password, maybe take a minute to check your account settings to see if they have MFA as an option that you can enable.
It just so happens that LookingPoint offers multiple security services if you’re interested. Want more information? Give us a call! Please reach out to us at firstname.lastname@example.org and we’ll be happy to help!
Ryan Alibrando, Managed Services Team Lead