About Multi-Factor Authentication

Tom explains multi-factor authentication and why it may be the future of online security.

Featuring Tom Merritt.



A special thanks to all our supporters; without you, none of this would be possible.

Thanks to Kevin MacLeod of Incompetech.com for the theme music.

Thanks to Garrett Weinzierl for the logo!

Thanks to our mods, Kylde, Jack_Shid, KAPT_Kipper, and scottierowland on the subreddit.


Episode Script
This website wants me to sign up for text messages to log in, but I heard that's not secure?
But then everybody is telling me I should use 2FA?
Except for that one person who's always telling me it's MFA? Do I need an arts degree?
Are you confused?
Don't be.
Let's help you Know a Little More about Multi-Factor Authentication.

Multi-factor authentication, or MFA, is the idea that if you have to use more than one thing to log in to something, it will be harder for the bad folks to gain access using your login credentials.
You may be more familiar with the phrase two-factor authentication. That is one of the most common forms of multi-factor authentication. To successfully prove that you are you, you have to have two things, say, something you know, like your password, and something you have, like a special USB key. The most common example of two-factor authentication is an ATM. You combine something you have, your ATM card, with something you know, your PIN, to get access to something you want, your money.
In either case, MFA means that if someone has your password (or PIN), your login is still protected, because they don't have the USB key or your ATM card. They need both, and that's harder to get. Not impossible, but harder. And security is all about making things harder to breach.
There are four common factors that can be used in multi-factor authentication:
1. Knowledge – something you know, like a password, a PIN or an answer to a security question.
2. Possession – something you have, like a USB key, smart card, access badge, or an app or text message that delivers one-time passwords (more on that later).
3. Inherence – which is a fancy way of saying something you are, like your face, retina, voice, iris or fingerprint. Behavioral analysis can also be used here, like your typing pattern, for instance.
4. Location – which could be GPS coordinates or a connection to a specific computer network.
Now, MFA systems don't have to use all four. Location, for instance, isn't a factor that's useful in all situations. But they use at least two, sometimes three.
Multi-factor authentication has come about because passwords on their own are notoriously weak protection. If you make a really long, secure password, it may be hard to guess, but it's also hard to remember and to type. That's why password managers are often recommended. They create a single point of failure, but that's still more secure than using easily memorable, and therefore easily guessable, passwords, or worse, using the same password everywhere, so that if it's leaked in one place all your accounts are compromised.
Now you may reasonably ask, “Well why use a password at all? Why not just use the USB key?”
One answer is that not everything can accept a USB key. A more common second factor is a time-based code, or one-time password. Google Authenticator, Authy and other apps, or even battery-powered keychain dongles, can provide a code that changes every 30 seconds or so, based on a reproducible mathematical principle that is easy to keep in sync but really hard for an attacker to guess. This isn't exactly something you know, because even you can't predict it; you have to have the app or dongle, so it counts as a separate factor from your regular unchanging password.
But again, why not just use that code then? To be honest, you could. If everybody used those authenticator apps, you might see that. But on its own it's still not as secure as pairing it with a second factor. If someone gets access to your phone with the Authy app on it, for example, they could then log in to all your accounts. So having a second factor, even just a PIN, makes it harder to get in, because they have to breach two things.
And think about this. Having two factors, neither of which is a password, is even more secure. Say, a fingerprint and an Authy code.
And if you want to be really secure, you can have more than two.
It's understandable to let your mind drift toward wondering why everybody doesn't just use the most secure system possible. But what system is that? Three factors? Four? How about seven factors? At a certain point you lose compliance, because people don't want to go through the trouble of using a dozen factors to log in to something, even really sensitive stuff.
And when you're talking about a Twitter account, it's hard enough to get people to use two factors.
So you not only need multiple factors, but they need to be fairly easy for the user to use, or the user will just end up finding a way to be insecure, or possibly stop using the product.
That's why text messages are often used as a second factor. A one-time text message code plus a password is about the least secure MFA out there. That's because the delivery of text messages is not robustly secured. We don't have time to go into all the ways someone can get hold of your phone number and redirect text messages to themselves, sometimes without you even knowing, sometimes by tricking you into giving them the SMS code in a phishing attack. It takes some effort, so it doesn't happen on a mass scale, but it can be done, and is. But most people have text messaging and it's easy, so it has become the most widespread MFA.
And don't forget we're fallible humans. So we need backup systems. If you lose your USB key, you might lose access to your account. So systems often provide backups. One fairly secure backup is a printout of pre-approved codes as a second factor (something you have). But you might misplace those too, you know, forget where you put them. That's why most often companies use text messaging as the backup. If you lose your USB key, you can use text messaging as a backup. But remember, you're only as secure as the weakest method in your security. So if you are using a hardware key for a second factor but ALSO have text messaging turned on as a backup method, you might as well not use the hardware key. The attackers will go after the text message factor if they go after you at all.
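The "printout of pre-approved codes" backup works only if the service treats each code as single-use and never stores the codes themselves. The following is an added example of how a service could issue and redeem such codes; it is not code from the episode or from any particular site, and the pepper and code length are assumed values chosen for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo value; a real deployment would keep the pepper in a secrets store,
# separate from the database that holds the hashes.
DEMO_PEPPER = b"demo-server-side-pepper"


def _hash_code(code: str, pepper: bytes = DEMO_PEPPER) -> str:
    """Backup codes are random and high-entropy, so a keyed SHA-256 is enough;
    the slow hashes used for human-chosen passwords are not needed here."""
    return hmac.new(pepper, code.encode(), hashlib.sha256).hexdigest()


def generate_backup_codes(count: int = 10, nbytes: int = 5):
    """Return (plaintext codes to show the user exactly once, store of hashes
    to keep). The plaintext is never written to the database."""
    codes = [secrets.token_hex(nbytes) for _ in range(count)]    # 40 bits of entropy each
    store = {"unused": {_hash_code(c) for c in codes}}
    return codes, store


def redeem_backup_code(store: dict, candidate: str) -> bool:
    """Accept a code once and burn it, so a code copied from the printout
    cannot be replayed. Every stored hash is compared in constant time and the
    loop never exits early, so timing does not reveal a near-match."""
    digest = _hash_code(candidate.strip().lower())
    matched = None
    for stored in store["unused"]:
        if hmac.compare_digest(stored, digest):
            matched = stored
    if matched is None:
        return False
    store["unused"].discard(matched)
    return True


def remaining_backup_codes(store: dict) -> int:
    """How many unused codes are left; a good moment to prompt for new ones is
    when this gets low."""
    return len(store["unused"])


if __name__ == "__main__":
    plaintext, db = generate_backup_codes(count=8)
    print("show these once:", plaintext)
    print("first use:", redeem_backup_code(db, plaintext[0]))
    print("replay:", redeem_backup_code(db, plaintext[0]))
    print("remaining:", remaining_backup_codes(db))
```

Compared with an SMS fallback, this keeps the recovery path entirely on the user's side: there is no phone number to hijack and no message to intercept, which is why the script counts it as the more secure backup.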
The other reason we don't see MFA more often, or see less secure versions of it, is cost.
While hardware-based keys are very secure, they're proprietary and you have to pay to use them on your system, sometimes annually. There are also support costs associated with handling cases where people lose their access because they lost a factor, or are just confused about how to make the whole thing work.
But there is hope, as we talked about in our episode on FIDO. MFA can be collapsed into forms that are both easy and secure. Face ID on a phone, for instance, is technically two factors: something you have, the phone, and something you are, the face.
And there's something called adaptive authentication. It uses machine learning to estimate how likely a login attempt is to be valid. It looks at location, time, device and network, among other data, to estimate risk and adapt the security accordingly. The idea is that if you always log in at the same time on the same network from the same computer at the same location, your login will speed along, because it's not unusual. But if your account is being accessed from a different country than you are usually in, on a device the system has never seen, from an IP address it doesn't recognize, in the middle of the night, the security barrier goes way up.
You can start to see how MFA could someday make it very easy to log in securely to your accounts, and therefore every site would use it.
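To make the adaptive idea concrete, the added example below builds a profile of "normal" from a user's past successful logins and scores a new attempt against it, choosing how much friction to apply. It is not code from the episode or from any product; it substitutes simple hand-picked rules and weights for the machine-learning model the script mentions, and the login history, signal names and thresholds are all constructed for the demo.

```python
from collections import Counter
from datetime import datetime

# Constructed history of one user's past successful logins (hypothetical data).
LOGIN_HISTORY = [
    {"ts": "2024-03-04T08:05:00", "device": "laptop-a1", "network": "home-isp",   "country": "US"},
    {"ts": "2024-03-05T08:12:00", "device": "laptop-a1", "network": "home-isp",   "country": "US"},
    {"ts": "2024-03-06T09:01:00", "device": "laptop-a1", "network": "office-net", "country": "US"},
    {"ts": "2024-03-07T18:40:00", "device": "phone-b2",  "network": "home-isp",   "country": "US"},
]

# Assumed penalty per unfamiliar signal; a real system would learn these.
SIGNAL_WEIGHTS = {"device": 40, "country": 30, "network": 20, "hour": 10}


def build_profile(history):
    """Summarise what 'normal' looks like: which devices, networks, countries
    and hours of day have appeared in past successful logins."""
    profile = {k: Counter() for k in ("device", "network", "country", "hour")}
    for entry in history:
        for key in ("device", "network", "country"):
            profile[key][entry[key]] += 1
        profile["hour"][datetime.fromisoformat(entry["ts"]).hour] += 1
    return profile


def _hour_distance(a: int, b: int) -> int:
    """Distance between two hours of the day on a 24-hour circle."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def risk_score(attempt, profile) -> int:
    """Add a penalty for every signal the profile has never seen. An hour within
    two of a previously seen login hour counts as familiar."""
    score = 0
    for key in ("device", "network", "country"):
        if attempt[key] not in profile[key]:
            score += SIGNAL_WEIGHTS[key]
    hour = datetime.fromisoformat(attempt["ts"]).hour
    if not any(_hour_distance(hour, seen) <= 2 for seen in profile["hour"]):
        score += SIGNAL_WEIGHTS["hour"]
    return score


def required_assurance(score: int) -> str:
    """Map a risk score to the friction the login should get."""
    if score < 20:
        return "fast_path"             # usual device, place and time: normal login
    if score < 60:
        return "step_up"               # require a second factor before proceeding
    return "step_up_and_alert"         # second factor plus notify the user and log for review


def evaluate(attempt, history=LOGIN_HISTORY) -> str:
    return required_assurance(risk_score(attempt, build_profile(history)))


if __name__ == "__main__":
    usual = {"ts": "2024-03-08T08:20:00", "device": "laptop-a1", "network": "home-isp", "country": "US"}
    odd = {"ts": "2024-03-08T03:10:00", "device": "unknown-z9", "network": "vpn-exit-7", "country": "XX"}
    print("usual login:", evaluate(usual))
    print("odd login:", evaluate(odd))
```

The "fast path" here still means the normal login, not skipping authentication; what adapts is whether an extra factor is demanded, which is exactly the trade-off between friction and compliance the script describes.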
Until then, turn on MFA on every account you can, and use the most secure version you can.
This won't protect you from every possible threat, but at least you'll know you're a little more secure than you were before.
In other words… I hope now you know a little more about MFA.