It seems like these days every reputable company uses two-factor authentication (2FA). As most people know by now, that means not only relying on passwords, but also on other ways to confirm a user’s identity before login.
Two-factor authentication is a subset of a broader security concept: multi-factor authentication (MFA). The factors these methods refer to are the different ways of verifying users’ identities to the applications they’re accessing. A factor can be something the user knows (like a password), something the user has (like a phone or a physical token), or something inherent to the user (like their fingerprint).
MFA combines different types of factors to make authentication more secure. While it’s possible an attacker was able to get your password, it’s much less likely that they also stole your phone.
“It increases the work effort needed by an attacker to be successful,” said Roger Grimes, a computer security consultant. “As you increase the variety of factors, it increases the workload for the attacker and makes it less likely for an attacker to be successful.”
Today, there are many different implementations of MFA. Passwords are generally still used as the first factor — the “something you know” part — while the “something you have” factor is usually tied to a phone.
There are advantages and disadvantages to different types of MFA methods and developers preparing to implement MFA need to balance those considerations. How difficult will the MFA process be on the user? How difficult is it for the developer to implement? And is the method really even that secure?
Beware of Single-Factor Authentication
All authentication processes use some form of secrets. (Passwords, after all, are secrets you remember.) One of the most common MFA methods sends six-digit codes to users’ phones. In that case, the secret is the code, which only the user should know because they have access to their phone.
Some forms of authentication marketed as MFA are actually single-factor authentication. For example, products that use biometrics or USB security keys to authenticate users often don’t employ any other form of authentication.
USB security key authentication works by plugging in a USB device that has a unique identification. Combined with a password or another factor, this would be quite secure, but when used by itself, it’s no longer truly an MFA method and suffers from the same security risks — such as theft of the device — as other single-factor methods.
Grimes is more concerned when it comes to biometrics — his fingerprints were compromised in 2015 during an apparent state-sponsored hack that exposed the information of 21 million U.S. government employees and job applicants who had applied for security clearance. Passwords can at least be replaced, but that’s not possible when the secret is inherent to people, like with biometrics.
Companies don’t want to frustrate users and potentially lose customers, so they actually make authentication methods less secure in order to make them more user-friendly, Grimes said. Fingerprints, for example, are intentionally weakened to avoid failing the legitimate user too often.
“When you put your fingerprint on a phone, it actually takes the swirls and it turns them into little dots everywhere you have a change in the pattern, so that when it’s stored on a computer system your fingerprint looks more like a star constellation,” Grimes said. “Because of that, there’s many other fingerprints that are actually different from your fingerprint that would match the star constellation.”
SMS-Based MFA Is Easy to Use — but Easily Hackable
One of the most popular MFA techniques is SMS-based MFA, where the user is authenticated by sending a secret code to their phone through text message. Only the user should have access to the phone, so only they should be able to use the code.
But all types of MFA can be hacked, Grimes said, and SMS-based MFA is more prone to hacks than most.
“It can be hacked a ton of different ways,” he said. “It ties your authentication to a phone number and that phone number can be easily moved to any other phone in the world without you knowing about it, at least for a little while. Any MFA method tied to a phone number has the same weakness.”
Attackers don’t need to steal a user’s phone to get hold of the SMS code. Take, for instance, the SIM swap, where the attacker tries to social engineer the telephone company into transferring the victim’s phone account to a new SIM card the attacker owns.
First, the attacker calls the victim’s cellphone provider and pretends to be the victim, saying that they bought a new SIM card — maybe because they’re traveling outside the country or bought a new phone — and they need help transferring their account over. Attackers may have already found the victim’s personal information online to get past any security questions. If they’re able to convince the phone provider to transfer the account, the attacker will immediately begin receiving all phone calls and text messages the victim is supposed to get, including MFA codes.
Twitter’s CEO Jack Dorsey was hit with this very attack in 2019 and the attacker managed to take over his Twitter account for a while.
In fact, SMS-based MFA is so prone to hacking that the National Institute of Standards and Technology has recommended it be deprecated as an MFA factor in the future.
Grimes said another method of MFA that sends codes to the user’s email instead of their text messages isn’t better.
“That’s even worse than SMS-based MFA,” he said. “Email is the most hacked and abused and social engineered thing there is out there because you could have phishing attacks.”
But SMS-based MFA is likely still the most widely used form of MFA — and that’s because of how easy it is for end users. Most people can receive a text or a phone call, so the barrier to using that form of MFA is very low. And the risk of getting hacked should be weighed against how easy it is for users to adopt SMS-based MFA, said Kelley Robinson, developer evangelist at Twilio, a company that provides APIs for sending and receiving text messages and calls and that acquired Authy, a time-based one-time password MFA tool, in 2015.
“In almost every scenario, any kind of 2FA is going to be better than no 2FA at all,” Robinson said, arguing that most people are unlikely to be targeted by SIM swap attacks, which take some effort for attackers to carry out. “If you’re Barack Obama, Joe Biden, somebody like that, you’re probably going to have a much different personal security model that isn’t going to be using things like SMS.”
Still, it’s better to avoid MFA methods that have known vulnerabilities if you can, especially when there are much more secure strategies available that are also easier for developers to implement.
TOTP and Push Notifications Are Better
Some existing techniques are less prone to hacking and therefore more secure. That includes methods like time-based one-time passwords (TOTP) and push notifications.
Companies that use TOTP-based MFA have customers download a specialized app to their phones, which generates changing pseudo-random numbers. These changing numbers are synced to ones generated on the company’s server. Only the end user should know the random number on the server at any given time because only they have access to the app on their phone. Popular implementations of TOTP include the Google Authenticator app and the Authy app.
This method of authentication is much harder to hack because the attacker must either have access to the physical smartphone or know the “secret” that syncs the user’s app with the company’s server. Attackers are very unlikely to steal that secret because they would have to do it in person and they only have one chance — during initial app setup, when the user receives a QR code from the company to set up the app.
Push notification-based MFA also requires users to download an app. Whenever a company needs to authenticate a user, it sends a push notification to the user’s app confirming they were the one who triggered the authentication.
Patrick McBride, chief marketing officer at passwordless identity management company Beyond Identity, said that these types of app-based authentication methods send secrets over secure communication, unlike in text messaging.
“That can be HTTPS, a secure transaction going from the web server of the vendor out to my phone,” McBride said. On the other hand, with SMS “there can be a man-in-the-middle attack, attackers can go listen for those codes at different points.”
The downside of these app-based methods is less convenience for users, who have to install apps onto their phones. It’s limited to users who are willing to install an app just to authenticate — and users might also delete TOTP apps, accidentally locking themselves out of their accounts.
On the bright side, that’s the only real drawback of TOTP-based MFA, which is also easy for developers to implement. Push notification-based MFA takes more work: it requires either a call to an external service’s API or, for companies that have the resources, building the method into their own apps.
“That’s going to require a little bit of additional dev work,” Robinson said. “[But] if you’re a bank or a dating site or somebody that already has a ton of mobile app users, this is really nice because you can build this authentication right into your applications.”
Push notifications are also not infallible. For example, users might simply tap “yes” to an attacker-initiated notification without reading it too closely or thinking much about it.
“We’re a little bit conditioned to just clear stuff on our phones,” McBride said.
Educate Your Users About How to Use MFA Correctly
Developers ultimately need to balance the need for security with ease of use and the development team’s capacity for implementing MFA features. And companies should make their users aware that all forms of MFA can be compromised.
Grimes said he avoids using the less secure methods like SMS and email for his most important accounts, like accounts that store his financial information. He cautioned developers to avoid MFA products that don’t use open standards of encryption to transmit secrets because those standards are extensively vetted. He recommended more trusted forms of MFA, such as FIDO2, a free MFA standard that requires preregistration of authentication devices with applications, which can prevent attackers from sending victims to fake websites.
“Every MFA solution is hackable multiple ways,” Grimes said. “Anybody saying they’re unhackable, [they’re] just lying to you or naive — and either way, I don’t want to do business with them.”
Attackers often turn to social engineering to get what they want. For instance, attackers can pretend to be your bank sending you a text alert about some suspicious activity and say they’re going to send you an SMS code. Then, on their end, the attacker triggers MFA with your real bank, which sends you the real code, and the attacker prompts you to hand that code over.
Many people who aren’t MFA experts — or who are simply under the pressure of wanting to sort out fraudulent transactions with their bank — would provide the code to the attacker. The attacker may even set up a fake bank landing page that accepts the code to look more legitimate.
Grimes stressed the importance of educating users about the security pitfalls of different types of MFA.
“When you tell someone to use a login name and password, you’re usually also educating them — ‘Don’t use that password anywhere else. Make sure you put some complexity in it. Don’t make it something that’s easily guessable’ — and you’re explaining why that’s the case,” he said. “Whenever you deploy MFA, you should research the types of attacks that are common against that MFA and just tell people to watch out for them.”