Let’s take a look at what good multi-factor authentication is. I am writing a mini-series for CyberAwake about the mistakes users make when choosing a secure password and how hackers can exploit those mistakes, so a quick look at MFA seems like a good idea.
What is multi-factor authentication?
Multi-factor authentication (MFA) is also referred to as dual-factor authentication (DFA) and two factor authentication (2FA). All have the same function to securely provide a one time password (OTP), only to the authorised user, so they can get access to a service. Examples of services that implement MFA for added security are; Microsoft 365, Google, WordPress and Amazon among many, many others.
A pretty sterile explanation. MFA is a barrier between you, the services you depend on and the threat actors, a barrier to which only you will have the key.
Poor multi-factor authentication
Once upon a time MFA was a text message or phone call from your supplier, but these have proved to be flawed and hackers have taken advantage. But do not think this is a hack of the past. Recently Kroll, a financial services company, suffered a sim-swap cyber attack that compromised their multi-factor authentication security and then impacted their clients. (Greig, 2023)
Multi-factor authentication – The Solution
Use a trusted authenticator app on your phone. We recommend either Microsoft’s or Google’s apps and both are available on both iOS and Android – you just need one of them. Set this up each time your service provider offers MFA security and the one-time-password (OTP) will only come to your phone. As an added extra Microsoft’s authenticator app is locked using face recognition on my iPhone – I cannot vouch for Google’s app as I have not tested it.
There are other MFA devices and systems available, but they are beyond the scope of this article – maybe later.
In the real world
As part of any IT and Cyber Security Audit I run, I always challenge the clients to demonstrate the MFA they are using to secure their systems. It is often surprising the results I get.
Do you want to avoid a surprise when a hacker finds out you have poor or non-existent MFA? Then get in contact.
Clive Catton MSc (Cyber Security) – by-line and other articles
References
Greig, J. (2023). T-mobile sim-swapping attack on Kroll employee caused Crypto Platform Data Breach. The Record from Recorded Future News. https://therecord.media/sim-swap-attack-caused-crypto-breach