Shadow

MFA Security Concerns

Multi-factor authentication (MFA) is now a common security measure for just about all accounts; logging into a bank account or even a video game account now requires it. To log in, you must present multiple forms of evidence to prove you are who you claim to be:

  • Something you know
  • Something you have
  • Something you are

Better security typically means a longer or more difficult process, which is an inconvenience for the user and can add costs for the company (costs that may be passed on as higher prices).

If multi-factor authentication requires multiple forms of evidence, then how are data breaches still happening and account information still being stolen?

Currently, in the consumer space, the most common form of two-factor authentication involves sending a code by SMS or using “soft tokens”. Security experts have criticized SMS since a cell phone and/or phone number can be compromised. High-security industries use “hardware tokens”, which are more secure but less convenient.

Soft tokens are more convenient: employees use an authenticator app on their phones, and since they almost always have their phones with them, they will always have access. They also provide a higher level of security than SMS or email-based one-time passwords.

Hardware tokens are less convenient and require a token to be purchased and shipped to the user, but they can reduce problems stemming from human error (“password on a sticky note”, “not logging off”, “unlocked offices”).

The latest report released by Fox-IT shows that “soft tokens” are vulnerable and should not be considered a secure form of 2FA. Soft tokens are installed on mobile devices that can be hacked, and the password can be accessed. Additionally, since the mobile app needs to communicate with a server, you are open to man-in-the-middle attacks.

If a user is using the same device for the soft token and for the service, then both factors of authentication are on the same device, which destroys the concept of multi-factor authentication.
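To make concrete why the two paragraphs above treat a soft token's stored secret as the whole factor, here is an added example (not code from the original post or from Fox-IT): a standard HOTP/TOTP implementation per RFC 4226 and RFC 6238, plus a server-side verifier with a small clock-drift window. The code an authenticator app displays is a deterministic function of the seed and the clock, so a seed copied from a compromised phone produces identical codes anywhere; the seed used below is the RFC 6238 test secret, not a real one.

```python
import hmac
import hashlib
import struct

# Reference implementation of the code a "soft token" (authenticator app) displays.
# The only secret input is the seed the app stores on the phone.

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the wall clock."""
    return hotp(seed, unix_time // step, digits)

def verify_totp(seed: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side
    (to tolerate clock drift), comparing each candidate in constant time."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(seed, counter + d, digits), code)
        for d in range(-window, window + 1)
    )

if __name__ == "__main__":
    # Constructed example: the RFC 6238 test seed. A copy of the seed lifted from a
    # compromised phone yields exactly the same codes on any other device.
    seed = b"12345678901234567890"
    stolen_copy = bytes(seed)
    now = 1111111109
    print(totp(seed, now, digits=8), totp(stolen_copy, now, digits=8))  # both 07081804
    print(verify_totp(seed, "07081804", now, digits=8))  # True
```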

While hardware tokens offer a higher level of security and are used by many organizations, both private and government, they will not transition well to the consumer space.

For example, accounts you need to access, such as banking applications, would have to send each user a token device. Each of these adds to the cost for the business, and users with many accounts would end up with handfuls of tokens once all of their accounts use 2FA.
