Let's talk about how you 'insecurely' manage credentials (part 2)

Why you should use Multi Factor Authentication and which one is better

Posted by Salvo Bertoncini on July 03, 2022 · 6 mins read

As discussed in the previous post on basic credentials management, Multi Factor Authentication (MFA) is crucial to securely manage your passwords. It leads to a more conscious management of your credentials, and to a bit more security in our pockets.

As we also learned, some MFA methods are considered more secure than others (did you say SMS?). Why should you not rely on those methods, and which one is the best?

Let's shine the light on MFA methods.


Attacks to SMS

Plenty of attacks have been carried out in the last few years whose main driver was the use of social engineering[1] techniques. As an example, the founder and CEO of Facebook, Mark Zuckerberg, was the victim of an attack[2] on his Twitter and Pinterest passwords. Broadly speaking, the attack guessed the password using information Zuckerberg had provided in his LinkedIn account.

Especially for SMS login, social engineering can be used to get at your mobile phone number. This article[3] explains how Telegram accounts were hacked using SMS protocol "bugs". In fact, not only are SMS messages easy for your telecom provider to intercept, but devices such as IMSI-catchers[4] can also be used to intercept them.

Furthermore, another SIM-based attack is SIM swap[5]. If an attacker obtains your personal data (perhaps via social engineering), he can impersonate the victim and port the victim's phone number to the fraudster's SIM. The victim only realizes the attack when the connection to the network is lost, i.e. when it's too late.

Considering how easily SMS messages can be "sniffed", why rely on them if they are not the only MFA method you can select?

Which MFA options do we have and which is better

Authenticator apps

Authenticator apps are certainly a reliable starting solution.

Those apps use Time-based One-Time Passwords (TOTP): a code generated by an algorithm on the device itself, which does not depend on any kind of network connection.

Unfortunately, TOTPs are not inviolable: phishing websites can be built to steal MFA codes.

Moreover, if you use MFA apps such as Google Authenticator, it might be difficult to recover your TOTP seeds if you lose your phone. For this reason, some authenticators (e.g. Authy) protect their backup with a password that you use to recover your accounts.

Push notification apps

A notable MFA method is certainly push notification. A notification with details about the login is sent to your mobile phone, and the user can then accept (or deny) the login request simply by tapping on the phone.

Even if this might be considered an upgrade over the previous MFA methods, two disadvantages arise. First of all, you need a network connection to receive the push notification on your phone, which in my opinion is a downgrade compared to TOTP. Moreover, malware injected into your phone could simulate a push notification, which could result in your phone being exploited.

Lastly, instead of a single TOTP application, push notifications differ from service to service and strictly depend on the various applications you adopt.

Hardware-based OTP

Using a physical authenticator device, such as a YubiKey, might seem the best option for MFA.

This might be true, but as usual it leads to some considerations.

First of all, you need to buy a piece of hardware, which can be expensive (some advanced models cost more than $100). Moreover, if you lose your key you could have trouble backing up your codes and restoring your "business as usual" activities.

Lastly, you should use a key that works with all your devices (e.g., your computer and your phone), which can be clunky.

Which MFA is the best?

Unfortunately, the answer is not so simple. Generally, there is no best MFA solution, only the solution that best fits you. Thus, it depends.

A free and reliable solution is certainly TOTP, preferring apps that let you sync your accounts and have a backup method.

Probably, for practical and security reasons, a hardware-based OTP would be the best option available, if you can build a reliable backup system.

In any case, the common understanding is that you should avoid SMS as an MFA method wherever possible.

Conclusion

We shed some light on the MFA methods available on the market, with pros and cons for each, and tried to understand which one could best fit you.

Again, I encourage the use of an MFA method combined with a password manager to improve your security posture.

The more you apply this combination, the more secure you might feel.

References

[1] Social engineering (security)
[2] Mark Zuckerberg was hacked and his password was embarrassingly simple
[3] On SMS logins: an example from Telegram in Iran
[4] IMSI-catcher
[5] SIM swap scam

Photo by FLY:D on Unsplash.