Sean Wright


Personal blog of app security guy, blogging about application security related topics, focused primarily on web based applications.


MFA - The Why?

25th August 2019

So let me start by stating that you should enable Multi-Factor Authentication, also known as MFA, wherever possible. It is also often referred to as 2FA (two-factor authentication), since 2FA is simply MFA with exactly two factors. While it's all very well saying you should enable it for greater security, why should you?

I'm not going to cover what MFA actually is, as that's a topic for another post. Instead I will attempt to explain the reasoning behind using it, and how it actually helps to strengthen security.

Authentication

Taking a step back, I think it is vital to explain what authentication actually is. Authentication is the process of proving one's identity to the system one intends to use. Take for example an online bank account. I'm sure that most (other than perhaps the bad guys) would agree that it is vital to ensure that the person accessing the account is in fact the person who owns it, or at least has privileges to use it (think of a shared bank account). Authentication comes into play when the user attempts to access the account: they need to prove their identity (authentication), and the system then determines whether that proven identity has permission to access the account (authorization). So it is vital that the process of proving one's identity is secure. Otherwise we end up with someone else being able to access a bank account they have no permission to use. In fact this very topic has come up in, potentially, the very first case of a cyber crime being committed in space!

MFA

As I said, I won't attempt to explain what MFA is in this post. Wikipedia does a good job of explaining it. But at a high level, it is authentication that requires several independent methods (factors) of proving one's identity. The most common method of authentication today is password based authentication. MFA then combines some other method, say a one-time password (OTP) that an authenticator application generates on your mobile phone (and only on your mobile phone), with the password, so that both are needed to authenticate to the system.

Why MFA?

So to get to the heart of this post. MFA attempts to do several things to help strengthen security:

  1. Increase the confidence the system has that the user attempting to authenticate is actually who they claim to be. The more independent things I ask a user to prove, the more likely it is that they really are that user.
  2. Increase the work an attacker has to do if a vulnerability exists in, or a secret leaks from, one authentication method. If they get past the first hurdle, they then face another, and the second factor is something the first attack typically does not hand them. And let me let you in on a little security secret: often security is not about completely protecting a system (while we should aim for that, it's not possible), it's about frustrating the efforts of the bad guys so much that they just give up.

Password Authentication Weaknesses

Password authentication is by far the most popular form of authentication to date. Passwords are a pain! Trying to remember a different password for each site is not easy, and this has resulted in some bad practices in how users set their passwords, as well as a number of attacks that target passwords directly:

  1. Password re-use. Many users use the same password across different accounts, and this problem is only likely to get worse as we accumulate more and more online accounts. So if a bad guy manages to get a user's password (say by guessing it, or from a data breach), and the user has used the same password elsewhere, the attacker will try that password against other systems to gain access to those accounts too. This is referred to as credential stuffing.
  2. Weak (short) or easy to guess passwords. It's much easier to type fewer characters each time you want to access your account, right? This feeds into the first point: weaker passwords make it easier for the bad guys to obtain the password, whether by guessing it against the login page or by cracking it from a leaked hash.
  3. Breaches. So you do everything correctly and set a unique, lengthy password. But then a breach happens and your password is leaked; worse yet, the attacker is able to crack your password (most likely because the site did not store it securely, for example in plain text or as an unsalted fast hash).
  4. Key logging. The bad guy installs malware on your system that records every key you press, and so captures your password as you type it. Granted, if this is in place you might have other things to worry about.
  5. Phishing. This is another common method the bad guys use. They set up a fake site which mimics the original, and you enter your password into it. Since they control this site, they get your password.
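Credential stuffing (point 1) has a recognisable shape in authentication logs: one source tries many different accounts in a short burst, whereas a legitimate user or a brute-forcer keeps hitting the same account. As an added example that is not part of the original post, the detector below picks out that pattern from a constructed log. The log format, addresses and usernames are hypothetical; the threshold and window are assumptions a real deployment would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format and addresses,
# not from any real system). One source tries a leaked password list against
# many different accounts (credential stuffing), one user mistypes once, and
# one source hammers a single account (plain brute force).
SAMPLE_LOG = """\
2019-08-25T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2019-08-25T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2019-08-25T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2019-08-25T10:00:03Z ip=203.0.113.7 user=dave result=SUCCESS
2019-08-25T10:00:04Z ip=203.0.113.7 user=erin result=FAIL
2019-08-25T10:00:05Z ip=203.0.113.7 user=frank result=FAIL
2019-08-25T10:00:30Z ip=198.51.100.9 user=grace result=FAIL
2019-08-25T10:00:35Z ip=198.51.100.9 user=grace result=SUCCESS
2019-08-25T10:01:00Z ip=192.0.2.44 user=heidi result=FAIL
2019-08-25T10:01:01Z ip=192.0.2.44 user=heidi result=FAIL
2019-08-25T10:01:02Z ip=192.0.2.44 user=heidi result=FAIL
2019-08-25T10:01:03Z ip=192.0.2.44 user=heidi result=FAIL
2019-08-25T10:01:04Z ip=192.0.2.44 user=heidi result=FAIL
2019-08-25T10:01:05Z ip=192.0.2.44 user=heidi result=FAIL
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(SUCCESS|FAIL)$")


def parse_log(text):
    """Return (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "SUCCESS"))
    return events


def detect_credential_stuffing(text, window_seconds=60, min_distinct_users=5):
    """Flag source IPs that try at least `min_distinct_users` different accounts
    within any `window_seconds` sliding window. Returns
    {ip: {"users": distinct accounts tried, "compromised": accounts with a SUCCESS}}.
    Brute force against one account never matches (only one distinct user)."""
    by_ip = defaultdict(list)
    for ev in parse_log(text):
        by_ip[ev[1]].append(ev)
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            users = {e[2] for e in in_window}
            if len(users) >= min_distinct_users:
                compromised = sorted({e[2] for e in in_window if e[3]})
                alerts[ip] = {"users": len(users), "compromised": compromised}
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['users']} distinct accounts tried, "
              f"successful logins on {info['compromised']}")
```

In the sample, the detector flags only 203.0.113.7 and reports that the re-used password worked for dave, which is exactly the account that a second factor would have kept closed even though the password was correct. Real attackers spread attempts over many addresses, so a production rule would key on more than the source IP (for example user agent, ASN, or failure rate across the whole site), but the distinct-accounts signal is the same.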

As a side note, you should use a password manager for managing and storing your passwords. It has many advantages, and overall will make things more secure. John Opdenakkar has further details on this on his site.

Other Weaknesses

Other authentication methods have their own weaknesses as well. Take for example text/SMS one-time codes. There have been past cases where the bad guys have carried out a SIM swapping attack (basically they take over their victim's phone number, and hence receive all of that person's calls and texts/SMS) and so obtained these one-time codes. A phishing site that captures your password can likewise ask you for the one-time code and relay it to the real site before it expires. Or there could be a vulnerability in either the configuration or the implementation. The point is that nothing is 100% secure.

The Need for MFA

So in conclusion, there are several flaws with some of the authentication methods used today, especially passwords. It should be apparent that a password alone is often not enough to protect your account. By adding another layer of authentication to your accounts, you strengthen their security, because the system now has more to validate that the user is in fact you, and not just some bad guy who obtained your password by some means, or exploited some unknown vulnerability in the system.
