SQUARETECH PERTH
Why Your Multi-Factor Authentication Might Not Be Enough
How Multi-Factor Authentication Can Still Be Compromised
Outline:
Multi-Factor Authentication (MFA) is a security mechanism that requires multiple forms of verification to prove a user's identity before granting access to a system, application, or account. The goal of MFA is to add an extra layer of protection beyond just a username and password. Everyone should have multi-factor authentication. It is the bare minimum of security. Without MFA, the rest of your security is irrelevant — especially in Office 365.
In order to protect online accounts, users should do two things. First, they should rely on password managers to generate complicated passwords that they don’t even have to remember. Secondly, they should ensure that the most secure forms of MFA are running on their accounts.
Forms of MFA, from most secure to least secure
Many organisations that use multi-factor authentication settle for the least secure options available, such as codes delivered by email or SMS that are easy for an attacker to obtain. Attackers readily exploit these weak spots in the MFA space.
You can benefit from a variety of MFA methods, but it is crucial to understand that some methods offer far more protection than others. From most secure to least secure, here is my ranking of MFA.
- Biometrics, the safest method
Although most smartphones can capture biometrics, biometric-based MFA is not currently widely used on commercially available devices. Similar to hardware-based keys, this authentication method's physical component makes it more difficult for hackers to tamper with the highly customized login procedure. Biometric MFA will be the most reliable type of MFA if it is integrated with widely used SaaS apps.
- Security keys, commonly referred to as universal second factor
Hardware-based YubiKeys and other universal second factor (U2F) devices are a physical counterweight to the intangibility of the cloud, where data can be accessed from anywhere. To confirm an attempt to access an application, the user plugs the "key" into the computer's USB port and then taps it with a finger. (The tap only confirms physical presence; it does not scan a fingerprint.) These hardware keys are regarded as a form of password-less authentication, much like the magic links sent to email accounts.
Because many users run into problems with their hardware key, Gmail, for instance, offers alternative authentication options in case the key cannot be made to work. Hardware keys are only the best choice if the user configures the account, once logged in, to disable those other account recovery options.
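The text above describes the physical tap but not the mechanism that makes a security key resistant to the fake login pages discussed later on this page: the browser, not the user, tells the key which web origin it is talking to, and the signed response carries that origin, so an assertion produced on a look-alike site is rejected by the real service. The following Python model is an added example written for this page, not code from the author or from any U2F/WebAuthn library, and it simplifies deliberately: an HMAC derived from a master secret stands in for the per-site ECDSA key pair and signature a real key uses, and the `Authenticator`, `RelyingParty` and `browser_login` names and the origins are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import secrets


class Authenticator:
    """Toy hardware key. The master secret never leaves the device; one key is
    derived per registered origin (a stand-in for U2F's per-app-ID key pair).
    HMAC-SHA256 stands in for the ECDSA signature a real key would produce."""

    def __init__(self):
        self._master = os.urandom(32)
        self.tapped = False  # the physical tap the text describes (user presence)

    def tap(self):
        self.tapped = True

    def _key_for(self, origin):
        return hmac.new(self._master, origin.encode(), hashlib.sha256).digest()

    def register(self, origin):
        # Simplification: with HMAC the verification key equals the signing key.
        # A real key would return a public key here and keep the private half.
        return self._key_for(origin)

    def sign(self, origin, challenge):
        if not self.tapped:
            raise RuntimeError("user presence (tap) required")
        self.tapped = False  # one tap authorises exactly one assertion
        # The browser supplies the origin; the user cannot alter it.
        client_data = json.dumps(
            {"challenge": challenge, "origin": origin}, sort_keys=True
        ).encode()
        sig = hmac.new(self._key_for(origin), client_data, hashlib.sha256).hexdigest()
        return {"client_data": client_data, "signature": sig}


class RelyingParty:
    """The real service. It accepts an assertion only if the challenge is the one it
    issued, the origin inside the signed data is its own, and the signature verifies."""

    def __init__(self, origin):
        self.origin = origin
        self.keys = {}      # username -> verification key from enrolment
        self.pending = {}   # username -> outstanding login challenge

    def enrol(self, user, key):
        self.keys[user] = key

    def start_login(self, user):
        challenge = secrets.token_hex(16)
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user, assertion):
        data = json.loads(assertion["client_data"])
        if data.get("challenge") != self.pending.pop(user, None):
            return False, "stale or unknown challenge"
        if data.get("origin") != self.origin:
            return False, "origin mismatch"          # the phishing case ends here
        expected = hmac.new(self.keys[user], assertion["client_data"],
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        return True, "ok"


def browser_login(rp, user, key, page_origin):
    """Simulated browser flow. page_origin is what the browser sees in the address
    bar. A fake page could relay the real challenge to the victim, but the
    assertion it collects names the fake origin and is rejected."""
    challenge = rp.start_login(user)
    key.tap()
    assertion = key.sign(page_origin, challenge)
    return rp.finish_login(user, assertion)


def demo():
    rp = RelyingParty("https://accounts.example.test")      # constructed origin
    key = Authenticator()
    rp.enrol("alice", key.register(rp.origin))
    genuine = browser_login(rp, "alice", key, rp.origin)
    lookalike = browser_login(rp, "alice", key, "https://accounts-example.test")
    return genuine, lookalike


if __name__ == "__main__":
    print(demo())  # (True, 'ok'), (False, 'origin mismatch')
```

Compare this with an SMS or authenticator code: the code is just six digits with nothing tying it to the site that asked for it, so a fake page can forward it unchanged. Here the origin is inside the signed data, so relaying does not help; the fallback warning in the paragraph above matters because an attacker who cannot beat the key will try to trigger the weaker recovery path instead.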
- Google Authenticator / Microsoft Authenticator
Phone-based apps such as Google Authenticator continuously generate one-time passwords that expire at regular intervals. Whether or not the user needs them at that moment, these time-based codes keep rotating in the app.
Nevertheless, authenticator apps are not password-protected, and the codes the app issues are tied to the device itself rather than to the user's online identity. Although it would be rare for an attacker to get hold of the target's phone, someone who finds a phone with a weak passcode (such as 1234) could open the authenticator app and use its codes to access online accounts. This is especially true if the owner also uses Google's password manager, which fills in saved credentials without asking for any further verification.
- Authentication using phone (code given by SMS or call)
Online account providers use text messages and phone calls as an additional authentication factor because we always carry our phones with us. This MFA mechanism is convenient, but it can be intercepted. The simplest way for attackers to defeat it is to send the user to a fake login page that captures the phone-based MFA code.
On mobile devices, fake login pages are very successful. Details on the homepage that point to an impersonation are less evident because the screens are smaller than those of laptops. As stated on page 14 of the Verizon Data Breach Investigation Report for this year, "Research indicates that users are much more vulnerable to social attacks when using mobile devices."
Hackers can use your phone against you in other ways as well. After looking through your social media profiles, they might have enough knowledge to persuade a Verizon or AT&T agent to move your phone number or SIM card to their device. "SIM swapping" is the term for this. Hackers would normally only make this kind of effort in the event that the target was a well-known person and there was a significant financial reward. Hackers may also infect a cell phone with malware through another vector, which is a little less likely but still feasible, and then send text message-based authentication codes to the device.
- Email code (very risky)
In email-based multi-factor authentication, the user first enters their username and password on the login page before receiving a 5–10-digit alphanumeric token from the account provider via email. If a user's account has already been compromised and they are unaware of it, this MFA technique does not prevent phishing attempts.
When MFA is ineffective
Multi-factor authentication is another form of perimeter security, but the cloud has no perimeter. Many believe that because they have MFA they are safe from phishing attacks. To be clear, MFA is not designed to stop attacks that do not involve a login; it protects online accounts only at the perimeter, at the moment a person logs in to gain access.
In the following situations, MFA cannot reduce phishing attempts:
- Forged login pages
- Impersonation attacks
- CEO fraud
- Business email compromise (BEC): deceptive requests for money transfers or W-2s
- Embedded links to malware