What is multi-factor authentication (MFA)

Gone are the days when a good old password alone was considered a sufficient security measure. In the rapidly evolving digital landscape, passwords are no longer enough: even the best passwords can be cracked by a determined hacker.

This is why multi-factor authentication (MFA) has rapidly gained in popularity over the last few years. As the name suggests, this type of authentication uses two or more verification steps.

You are required to provide a password, a code sent via SMS to your phone, a thumbprint or other proofs of identity in separate steps, and you are accepted as a legitimate user only if every step is verified.

By verifying your credentials over multiple steps, MFA serves as a more effective form of authentication. There are many forms of MFA; the most popular among these is two-factor authentication (2FA).

Two-factor authentication (2FA)

2FA uses exactly two steps, each asking for a different form of identification or verification: a password, a one-time passcode, an SMS code, a PIN, or any other information that is specific to you as a user.

2FA is immensely popular because of its simplicity. Many services like Gmail and Facebook use 2FA to verify users. In the first step, you typically provide your regular login credentials, the email and the password. In the second step, you are required to provide your phone number; an SMS code is sent to that number, and you enter it to finally log into the service.

Beyond 2FA, other forms of MFA combine more than two authentication factors. Some of the most common factors used in MFA include:

  • Password: Your regular password is often the first step in MFA.
  • Challenge question: This can be a personal question, such as your favourite teacher’s name, or some other obscure question that only you can typically answer.
  • Physical codes: You are given a code written on a physical object, such as a card or a piece of paper. Inputting the code verifies that you possess the card.
  • Security tokens: This is a more sophisticated form of security. The tokens are generated by a device that is synchronized with the target service, so both sides produce the same short-lived code.
  • Biometrics: Biometric verification includes thumbprint verification, voice recognition and eye (iris) scanning. All serve as excellent authentication factors in MFA, but they typically require specialized equipment.
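The "security tokens" factor above is the one that can be shown end to end in code. The following is an added example (not code from the original article): a time-based one-time password (TOTP, RFC 6238) built on HOTP (RFC 4226), which is how a token device or authenticator app stays "synchronized" with a service. Both sides hold the same secret and the same clock; the code is an HMAC of the current 30-second step, so no code ever travels at enrolment after the secret is shared. The demo secret is the constructed 20-byte key from the RFC test vectors, and the `window` parameter in `verify_totp` is this example's own name for the drift tolerance a server applies.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the 20-byte ASCII key used in the RFC 4226 / RFC 6238 test vectors.
# A real deployment generates each user's secret with os.urandom(20) at enrolment,
# stores it server-side, and provisions the same bytes to the user's device (usually as base32).
DEMO_SECRET = b"12345678901234567890"
DEMO_SECRET_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 form of DEMO_SECRET, as a QR code would carry it


def secret_from_base32(encoded: str) -> bytes:
    """Decode a base32 secret as shown in a provisioning QR code (padding is often omitted)."""
    encoded = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(encoded + "=" * (-len(encoded) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # low nibble of last byte picks a 4-byte window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)            # keep leading zeros: "07081804" is valid


def totp(secret: bytes, for_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since the Unix epoch."""
    t = int(time.time()) if for_time is None else for_time
    return hotp(secret, t // step, digits)


def verify_totp(secret: bytes, submitted: str, for_time: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. `window` tolerates small clock drift between device and service
    (one step either side here); a larger window widens the guessing surface, so keep it small."""
    t = int(time.time()) if for_time is None else for_time
    counter = t // step
    matched = False
    for drift in range(-window, window + 1):
        candidate = hotp(secret, counter + drift, digits)
        # constant-time comparison; every candidate is checked so timing does not reveal which one matched
        if hmac.compare_digest(candidate.encode(), submitted.encode()):
            matched = True
    return matched


if __name__ == "__main__":
    assert secret_from_base32(DEMO_SECRET_BASE32) == DEMO_SECRET
    print("code for the current 30-second step:", totp(DEMO_SECRET))
    print("RFC 6238 vector, T=59, 8 digits:", totp(DEMO_SECRET, for_time=59, digits=8))
```

The values in the RFC appendices (for example `94287082` at T=59 with 8 digits) make a convenient self-check when porting this to another language. Note that the server must also reject a code that has already been accepted for the current step, which this example leaves to the caller.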

How does MFA work

As stated above, multi-factor authentication uses two or more factors for authenticating users. This adds extra layers of security to your account.

MFA typically makes use of the following information: something you know, something you have and something you are.

Examples of something you know include the password, your birth date, a secret code, a one-time password, other personal details or any other information that only you know.

Something you have can be a smart card, a USB stick, a smartphone or any other piece of hardware that holds the tokens required to verify you.

Something you are can be your thumbprint or voice, a trait that is unique to you.

A combination of these factors is used in MFA.

Despite such a sophisticated approach, MFA is not entirely safe from hacking. In fact, individual MFA factors can still be attacked and bypassed. This is why you might want to consider using other security measures in addition to MFA. Here are three ways MFA can be hacked.

3 ways of hacking MFA

Multi-factor authentication is definitely an improvement over the password-only approach, but MFA is still prone to hacks and attacks, and a hacker can bypass it in a number of ways. The following are some of the most common.

Man-in-the-Endpoint Attack

You use a computer or a smartphone to log into a service. Even if MFA is enabled for that service, any malicious software already installed on that computer or smartphone can compromise it.

So if you are using a compromised computer to log into a service with MFA, the hacker will be able to intercept all the credentials. By using these credentials in real time, the hacker can then easily log into the service impersonating you.

Phishing Attack

One of the most common methods of bypassing MFA is a phishing attack. A hacker convinces you that a lookalike page is the real service, so you proceed to enter your login credentials and other details there. The hacker relays these credentials in real time to log into the real service.

When the real service then sends a confirmation code to you by SMS, you enter it into the fake page, and the hacker relays that too, completing the login to the actual service.

Brute Force Attack

Most 2FA implementations use a code sent to your smartphone as the second step of verification. This code is typically 4 to 6 characters in length. A flaw in many 2FA implementations is that no limit is placed on the number of times this code can be entered.

As a result, a hacker can brute-force the code by trying every combination until one is accepted. For a code that is only 4 to 6 characters, the total combinations are less than 200,000. For a hacker, it is fairly easy to guess the right combination by brute force.
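The flaw described above is entirely on the server side, so the fix is too. Below is an added example (not code from the original article) contrasting the unlimited check with a hardened SMS-code verifier: the code is generated from a CSPRNG, expires after a few minutes, is single-use, is compared in constant time, and the account is locked after a small number of wrong guesses. The lockout deliberately outlasts the code's lifetime, and requesting a new code while locked is refused, so neither waiting nor "resend code" resets the attempt budget. The class name `OtpVerifier`, the status strings and the limits are this example's own choices; `now` is passed in explicitly so the behaviour can be tested without sleeping.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300      # a code is only honoured for five minutes after it is sent
MAX_ATTEMPTS = 5            # wrong guesses allowed per issued code
LOCKOUT_SECONDS = 900       # longer than CODE_TTL_SECONDS, so a locked code can never be guessed later


def generate_code(digits: int = CODE_DIGITS) -> str:
    """CSPRNG-backed code with leading zeros kept; random.randint is predictable and must not be used."""
    return str(secrets.randbelow(10 ** digits)).zfill(digits)


def verify_unlimited(stored: str, submitted: str) -> bool:
    """The flawed pattern the article describes: no attempt counter, no expiry, non-constant-time compare.
    Nothing stops a caller from submitting every value in the code space."""
    return stored == submitted


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0
    locked_until: float = 0.0


class OtpVerifier:
    """Hardened second-step verifier (example design). State is in memory here; a real service
    would keep it in a store shared by all login servers so limits hold across nodes."""

    def __init__(self) -> None:
        self.pending: Dict[str, PendingCode] = {}

    def issue(self, user: str, now: float) -> Optional[str]:
        """Return the code to send via SMS, or None while the account is locked out.
        Refusing to re-issue during lockout stops 'request a new code' from resetting the budget."""
        entry = self.pending.get(user)
        if entry is not None and now < entry.locked_until:
            return None
        code = generate_code()
        self.pending[user] = PendingCode(code=code, issued_at=now)
        return code

    def verify(self, user: str, submitted: str, now: float) -> str:
        """Return one of: ok, invalid, locked, expired, no_code."""
        entry = self.pending.get(user)
        if entry is None:
            return "no_code"
        if now < entry.locked_until:
            return "locked"                 # even the correct code is refused while locked
        if now - entry.issued_at > CODE_TTL_SECONDS:
            del self.pending[user]
            return "expired"
        if hmac.compare_digest(entry.code.encode(), submitted.encode()):
            del self.pending[user]          # single use: a captured code cannot be replayed
            return "ok"
        entry.attempts += 1
        if entry.attempts >= MAX_ATTEMPTS:
            entry.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "invalid"


if __name__ == "__main__":
    v = OtpVerifier()
    code = v.issue("demo-user", now=0.0)
    print("issued (would be sent by SMS):", code)
    print("wrong guess:", v.verify("demo-user", "000000" if code != "000000" else "000001", now=1.0))
    print("right code:", v.verify("demo-user", code, now=2.0))
```

Keeping the lockout longer than the code's lifetime matters more than the exact numbers: with five attempts per code and a code that dies after five minutes, an attacker gets a handful of guesses against a space of hundreds of thousands of values, instead of the whole space. Log the `locked` transitions; a burst of them across many accounts is a useful detection signal for a brute-force campaign.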

How to defend against MFA attacks

In itself, MFA is prone to a wide range of hacking tactics, some of which are described above. This is why it is important to complement an MFA implementation with other best practices. The following are some effective measures you can implement to strengthen MFA and protect users as well as network assets from MFA-related hacks.

MFA Hacking Awareness

Awareness is the first step to prevention. You can enhance awareness of MFA-related hacking by highlighting it in security awareness training. The more people at your organization know about this, the more likely they are to take additional measures.

VPN

A VPN is another excellent tool to prevent man-in-the-middle attacks during MFA. VPNs prevent hackers from listening in on the data you share with an authentication service. However, it is important to use a quality VPN with a solid reputation. In fact, it is highly advised that you read full reviews of different VPN services before choosing one.

Endpoint Security

One endpoint of an MFA authentication is the actual computer or smartphone you are using. The other endpoint is the website or service you are accessing. Both must be secure before MFA authentication begins. Make sure you carefully check the URL before entering your credentials. Also, monitor and check your devices regularly to ensure they do not host any malware.

Over the past few years, MFA has become increasingly popular. Multi-factor authentication is definitely an improvement over the single-step authentication that uses passwords only. That being said, MFA has its own set of vulnerabilities. And the only way to secure your data is to be constantly vigilant and take additional security measures.