researchHQ’s Key Takeaways:
- The standard username and password combination is an insufficient means of authentication for verifying user identities
- By asking for one additional piece of identifying information, multi-factor authentication (MFA) provides a secure and easy alternative
- One-time passwords are one of the most popular modes of multi-factor authentication; however, they often come at the cost of a smooth user experience
- Step-up authentication balances user experience and security by adapting authentication requirements depending on the sensitivity of the data being accessed
Before you can learn about multi-factor authentication, you must understand authentication itself. Authentication, simply put, is the process of verifying that someone is who they say they are.
When you want to sign in to your account on a website, the website must first make sure you’re the owner of that account. How do they do that? They ask you for something that only you should know. Typically, this is the username and password that you set up when you created the account. Great! You were the one who set it up, so there’s no way anyone else could have your password, right?
It turns out that someone providing the correct username and password to access a resource doesn’t necessarily prove that they are who they say they are. User credential breaches have become much more prevalent in recent years, so there’s a good chance that some of your username and password combinations have been involved in a breach. This means that relying only on a username and password to identify someone isn’t a great practice.
This is where multi-factor authentication comes into play.
What is Multi-factor Authentication
Multi-factor authentication (MFA) provides a method to verify a user’s identity by requiring them to provide more than one piece of identifying information.
You have most likely encountered multi-factor authentication on some of your favorite websites already. For example, when you sign in to your banking account, you may get a screen requesting that you enter the code that was emailed to you. Once you enter this code, you’re then able to access your bank account. This is an example of MFA in action!
Providing a username and password coupled with a code sent to your email is one form of MFA, but there are several other options you have for implementing MFA. Let’s look at some of those now.
Types of Multi-factor Authentication
The category that you use to identify a user is called an authentication factor. In general, these identification methods fall into three authentication factor categories:
- Something you know — a password, PIN, personal information like mother’s maiden name, etc.
- Something you have — a physical item, such as a cell phone or a card.
- Something you are — biometric data, such as a fingerprint, retina scan, etc.
To implement multi-factor authentication, you need to cover at least two of these categories.
A common scenario would be requiring a user to sign in with their username and password. This covers the “something you know” category. After providing their username and password, they’d receive a text to their cell phone with a short code called a one-time password (OTP). This covers the “something you have” category. They’ll be required to type this code into the website, and if correct, then they’ll be authenticated.
In this scenario, even if an attacker knows the user’s password, it isn’t enough. They’ll have to also gain access to the user’s phone to provide the one-time password.
In the scenario above, the application sent the user a code known as a one-time password (OTP). This is one of the most commonly used forms of multi-factor authentication. Let’s take a closer look at what one-time passwords are.
A one-time password, like its name indicates, is a pseudo-randomly generated password that expires after a short time period and is only valid for one login. They are typically paired with a traditional username and password to make the authentication process more secure. Even if a user has a weak or reused password, the one-time password that is sent to them is a way to indirectly strengthen their credentials.
There are a few different ways to send one-time passwords to users.
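The three properties just described (unpredictable, short-lived, valid for one login) are what the server has to enforce for any delivered OTP, whatever channel carries it. The following is an added illustration, not code from the original article; the five-minute lifetime and five-attempt limit are assumed policy values, and the in-memory store stands in for whatever the application uses.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumed policy: a code expires five minutes after issue
MAX_ATTEMPTS = 5        # assumed policy: a code is discarded after repeated wrong guesses


class OtpStore:
    """Server-side record of issued codes, keyed by user (in-memory for this example)."""

    def __init__(self):
        self._pending = {}

    def issue(self, user, now=None):
        """Generate a fresh code for `user`; the caller delivers it by SMS, email, etc."""
        now = time.time() if now is None else now
        # secrets (CSPRNG), not random: the code must be unpredictable to an attacker.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        # Issuing a new code replaces any earlier, still-pending code for this user.
        self._pending[user] = {"code": code, "expires": now + OTP_TTL_SECONDS, "attempts": 0}
        return code

    def verify(self, user, submitted, now=None):
        """Return True exactly once, for the right code, before expiry; otherwise False."""
        now = time.time() if now is None else now
        record = self._pending.get(user)
        if record is None:
            return False
        if now > record["expires"] or record["attempts"] >= MAX_ATTEMPTS:
            self._pending.pop(user, None)   # expired or brute-forced: throw the code away
            return False
        record["attempts"] += 1
        # Constant-time comparison so response timing does not leak matching digits.
        if not hmac.compare_digest(record["code"], submitted):
            return False
        # Valid for one login: delete the record so the same code cannot be replayed.
        del self._pending[user]
        return True
```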
SMS is one of the most user-friendly ways to send one-time passwords. The user signs in to your application with their username and password, and then they receive a text message to their cell phone with their OTP. They’re able to easily copy the code from the text message and send it back to the application.
While this may be simple for the user, and it’s better than not having MFA at all, it’s still not the best way to send or receive one-time passwords.
Believe it or not, delivering an OTP through SMS carries the risk of compromise. Here are some of the ways that an attacker can gain access to your OTP through SMS:
- Social Engineering — An attacker that has breached a user’s username and password may also have access to their phone number. Attackers have been known to obtain SMS-delivered one-time passwords by sending a text to the user telling them that they used to have the same phone number as them, and they are locked out of one of their accounts because they forgot to update the phone number listed on the account. They politely ask for the code that was just sent to the user’s cell phone, so they can get back into their account. Many people want to help the person on the other end, so they text them the code without thinking much of it.
- SIM Swap — SIM swapping (also known as simjacking) is when an attacker gains access to your cell phone number. One interesting (and terrifying) way this can happen is by an attacker calling your cell phone provider and convincing them that they lost their phone and need a new SIM card activated. The SIM card that gets activated is one that the attacker owns. If the cell phone provider obliges, then the attacker now has access to any text messages, phone calls, etc. that come through. So, if they already have your username and password, all they have to do is type in the OTP that is texted to your phone number (which they now have access to), and they’re in! This Hacking Challenge at Defcon video has an excellent demonstration of this in action.
Another option for receiving OTPs is through email. While this does provide another step to access your account, which is great, it still has some downfalls:
- Because password reuse is so prevalent, there’s a chance that a user’s email password is the same as the account that’s requesting the OTP. Assuming the attacker already has this password, then the extra step of the OTP is useless.
- One of the requirements for MFA is that the implemented factors come from at least two of the MFA categories: something you know, something you have, and something you are. The username and password fulfill something you know, and OTP is meant to fulfill something you have. Ideally, something you have would be a physical item, such as your cell phone. Having access to an email account doesn’t necessarily mean that the cell phone is in your possession, as you could access your email from any device.
Another common way to manage OTPs is with authenticator apps. Once you install the app on your cell phone, you can set up any accounts that support the authenticator app so that their one-time passwords appear in that app. The OTPs will typically regenerate every 30 seconds, so instead of waiting for an email or a text message, you simply open up the app, and you’ll always find a valid OTP there.
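The reason an authenticator app can show a fresh code every 30 seconds without anything being sent to the phone is that both the app and the server compute the code from a shared secret and the current time step. The block below is an added example, not code from the original article; it assumes the app uses TOTP (RFC 6238, built on HOTP per RFC 4226), the secret is exchanged as Base32 during enrollment, and the server tolerates one step of clock drift while refusing to accept any step it has already accepted.

```python
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30   # seconds per code, matching the 30-second regeneration described above
DIGITS = 6


def secret_from_base32(encoded):
    """Authenticator apps receive the shared secret Base32-encoded (e.g. in a QR code)."""
    return base64.b32decode(encoded.upper())


def hotp(secret, counter, digits=DIGITS):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret, now=None):
    """TOTP (RFC 6238): HOTP whose counter is the number of 30-second steps since the epoch."""
    now = time.time() if now is None else now
    return hotp(secret, int(now) // TIME_STEP)


class TotpVerifier:
    """Server side: checks a submitted code and never accepts the same time step twice."""

    def __init__(self, secret, skew_steps=1):
        self.secret = secret
        self.skew_steps = skew_steps     # tolerate +/- one step of clock drift
        self.last_accepted_step = -1     # replay guard: steps at or below this are spent

    def verify(self, submitted, now=None):
        now = time.time() if now is None else now
        current = int(now) // TIME_STEP
        for step in range(current - self.skew_steps, current + self.skew_steps + 1):
            if step <= self.last_accepted_step:
                continue   # a code for this step was already used for a login
            if hmac.compare_digest(hotp(self.secret, step), submitted):
                self.last_accepted_step = step
                return True
        return False
```

The test values used to check this implementation are the published RFC 4226/6238 vectors for the ASCII secret "12345678901234567890".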