Move away from text- or voice-based multi-factor authentication

Let’s take a look at what good multi-factor authentication is. I am writing a mini-series for CyberAwake about the mistakes users make when choosing a secure password and how hackers can exploit those mistakes, so a quick look at MFA seems like a good idea.

MFA multi-factor authentication diagram

What is multi-factor authentication?

Multi-factor authentication (MFA) is also referred to as dual-factor authentication (DFA) and two-factor authentication (2FA). All have the same function: to securely provide a one-time password (OTP) only to the authorised user, so they can gain access to a service. Examples of services that implement MFA for added security are Microsoft 365, Google, WordPress and Amazon, among many, many others.

A pretty sterile explanation. MFA is a barrier between you, the services you depend on and the threat actors, a barrier to which only you will have the key.

Poor multi-factor authentication

Once upon a time MFA was a text message or phone call from your supplier, but these have proved to be flawed and hackers have taken advantage. But do not think this is a hack of the past. Recently Kroll, a financial services company, suffered a SIM-swap cyber attack that compromised their multi-factor authentication security and then impacted their clients (Greig, 2023).

Multi-factor authentication – The Solution

Use a trusted authenticator app on your phone. We recommend either Microsoft’s or Google’s app; both are available on iOS and Android – you just need one of them. Set this up each time your service provider offers MFA security and the one-time password (OTP) will only come to your phone. As an added extra, Microsoft’s authenticator app is locked using face recognition on my iPhone – I cannot vouch for Google’s app as I have not tested it.

There are other MFA devices and systems available, but they are beyond the scope of this article – maybe later.

In the real world

As part of any IT and Cyber Security Audit I run, I always challenge the clients to demonstrate the MFA they are using to secure their systems. It is often surprising the results I get.

Do you want to avoid a surprise when a hacker finds out you have poor or non-existent MFA? Then get in contact.

Clive Catton MSc (Cyber Security) – by-line and other articles

References

Greig, J. (2023). T-Mobile SIM-swapping attack on Kroll employee caused crypto platform data breach. The Record from Recorded Future News. https://therecord.media/sim-swap-attack-caused-crypto-breach

Further Reading

Passwords – Back to Basics

Back to Basics – The Password Part 2

Multifactor Authentication | MFA | Microsoft Security