We all know the importance of enabling two-factor or multi-factor authentication (MFA) to secure our personal and business identities. But not all MFA verification options are created equal. When deciding on a verification strategy, be sure to weigh all the options.
SMS-based authentication isn’t as secure as you might think
Imagine being Jered Kenna, an early miner and collector of the popular cryptocurrency, bitcoin. So early in fact, that he can recall the days when he would connect to the network and there would only be four other computers connected. Kenna eventually amassed millions of dollars’ worth of bitcoin. But, he eventually lost it all to hacker thieves who had managed to steal and port his mobile number and assume control of his email and bank accounts. It took the hackers just seven minutes to lock him out of 30 different accounts, including two banks, PayPal, two bitcoin services, and his Windows account.
Late last year, researchers at Positive Technologies demonstrated how they were able to infiltrate and completely take over a Gmail account that was protected by SMS-based MFA and linked to a Coinbase wallet, and in turn completely take over the wallet. This demonstration once again showed the inherent vulnerabilities of the telecom networks, specifically the underlying SS7 network that is shared by all telecom providers to route calls and SMS text messages among providers.
Recent hack of Reddit.com
While cryptocurrency vaults remain a desirable target of hackers intent on pilfering the fortunes of those who have invested millions of dollars’ worth of the commodity, other services have been hacked because of the weakness of SMS-based MFA. One recent example is the hack of the popular social media network, Reddit, which announced recently that several employee accounts were compromised – even though they were “protected” with multi-factor authentication. The problem was that the text messages were intercepted, and the hacker gained access to their accounts, and subsequently to the source code for the site.
The bottom line is that mobile phone numbers are not a secure form of identification. Telco providers simply do not have the wherewithal, the resources, or the ability to completely secure your phone number and SIM cards. Telco customer service representatives are susceptible to social engineering, making it possible for persistent hackers to acquire your information by posing as you.
Instead of SMS-based MFA…
…Ensure that your users only have access to the most secure multi-factor authentication options. Phone call and SMS text messaging should both be removed as options in favor of app-based MFA.
With app-based MFA, sometimes referred to as time-based, one-time passcode MFA, the telco is essentially cut out of the MFA process, thus eliminating the vulnerability. To implement app-based MFA, you download an app to your mobile device and configure it with the service you are trying to protect. The entire process takes less than two minutes to complete. Several apps are available that can be used across multiple services – including from Microsoft, Google, Duo, and Authy.
If you use Azure AD with MFA enabled, be sure to:
- Disable the phone call and SMS text message authentication options.
- Encourage users to download and use the Microsoft Authenticator app which allows for push notifications. This eliminates the need to enter a code on the same page that the user’s password was entered on, making it less vulnerable to phishing, man-in-the-middle, and credential replay attacks. (Microsoft also supports the use of just about any other authenticator app.)
- Consider utilizing hardware-based USB security keys as the second factor for authentication. These are especially useful in scenarios where employees do not want to use their own personal devices for authentication to corporate accounts.
When deciding on an MFA strategy for your enterprise, or even for your own personal accounts, be sure to choose your verification options wisely. In this ongoing “arms race” against threat actors intent on stealing your identity and the assets it protects, it’s vital to stay one step ahead.
Need more advice about multi-factor and two-factor authentication? Check out this webinar on MFA authentication options, or contact us.
Frank Urena is a Principal Architect with Oxford Computer Group, specializing in identity and access management and security solutions. You can follow him on Twitter @furena.