#zerofactorauthentication
softlifesofttech · 3 years ago
“Imma throw shade if I can’t get paid”: multi-factor authentication is all too easy
Recently, at my organisation, the business has implemented a form of multi-factor authentication (MFA) as a means of providing additional security for the company’s physical and digital property. Due to the sensitive data inflow, organisations must work to keep their networks secure and their resources protected (Cisco, n.d.). This is accomplished through authentication, a form of access control. Authentication is defined as “the process of determining whether someone or something is, in fact, who or what it declares itself to be” (Rosencrance, n.d.).
At the most basic level, authentication could be an individual providing a password, which is matched against the system along with a corresponding user ID. Alternatively, MFA is a security system that requires more than one method of authentication (Network Direction, 2020). Two or more independent credentials are provided, which may fall into the categories of what the user knows (a password), what the user has (a security fob) and what the user is (biometric verification such as a fingerprint scan) (Cisco, n.d.). The purpose is to provide a layered defence, increasing the difficulty of accessing a system, database or network: if one layer is compromised, the attacker must still penetrate the remaining layers before succeeding (Mohamed, 2014). For example, at an ATM a user must have both a bank card and their PIN. Similarly, my organisation has implemented MFA for all employees upon accessing work laptops. Employees must undergo a two-step authentication before successfully logging on. This is necessary as work laptops hold protected information vital to the running of the company.
Additional security factors, often overlooked alongside what the user knows and what the user has, include where the user is (allowing access based on IP location) and what the user does. The latter is behavioural and unique to a user, such as a signature (Network Direction, 2020).
Record scratch, now why is all of that kinda bogus...
One cybersecurity issue that affects the above example is the false sense of security this process provides. Although defence in MFA is layered, one of the most common factors is the password, which can easily be compromised. Passwords are inherently weak: research shows “61% of people reuse the same or similar password everywhere and 92% of organisations have credentials for sale on the Dark Web” (Blanton, 2021). For credentials that are not readily available online, attackers can attempt to guess them by brute force (Cisco, n.d.). Additionally, users often neglect to use diverse and unique passwords (Foltýn, 2018). Ideally, to mitigate the risk, users should use a security tool to generate passwords. Passwords are often uncomplicated because users believe they will not be able to recall them, but a password manager is useful for creating and remembering strong passwords.
Additionally, with the popularity of phishing, attackers are now easily bypassing MFA. A user could be redirected to a phishing site where they input their credentials and then, upon receiving the MFA verification code, enter that as well. Once the code is entered, the attacker can take those details and input them on the legitimate website (Watkins, 2019). This is aided by Modlishka, a popular phishing tool (TIP, 2019). However, this can be mitigated through the use of spam filters and web filters, which help prevent individuals from accidentally accessing phishing sites (TIP, 2019).
Lastly, factors can easily be lost or damaged. For example, many people use phones or security cards, which can easily be misplaced and end up in the wrong hands. This can be mitigated through security awareness training for employees, which may include directives advising colleagues not to openly display security cards outside of work. Furthermore, when items are lost or stolen, the security team should be contacted to disable them.
In conclusion, even with good password hygiene, companies are still at risk from internet breaches, which will ultimately render passwords useless. Furthermore, even when phishing sites are intercepted, MFA codes tend to be a simple 4- or 6-digit number, making them ‘crackable’. Watkins (2019) perfectly captures the issue at hand, stating that “adding more layers of authentication simply means that, as an industry, we have failed to build a path to building a better digital identity”. Cybersecurity analysts must uncover the patterns hackers follow leading up to accessing systems. If we can identify attackers and their patterns, we can make authentication redundant (Watkins, 2019). DataVisor (n.d.) looks to the future of Zero-Factor Authentication, declaring “the solution is to stop [attackers] before they ever get to the authentication stage.”
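As an added example that is not part of the original post: the ‘crackable 6-digit code’ concern above is really a question of how many guesses a server allows and whether a code can be used twice. The code generator below follows RFC 4226/6238; the verifier, its attempt limit and its lockout period are this example's own assumptions, and together they show the two server-side checks that keep a six-digit code from being guessed or replayed.

```python
import hashlib, hmac, struct
from dataclasses import dataclass

DIGITS = 6             # code length discussed in the post
STEP = 30              # seconds per TOTP time step
CLOCK_SKEW = 1         # accept one step either side of "now"
MAX_ATTEMPTS = 5       # assumed policy: failed guesses before lockout
LOCKOUT_SECONDS = 300  # assumed policy: lockout duration

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: float, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time."""
    return hotp(secret, int(now // step))

def guess_success_bound(attempts: int, digits: int = DIGITS, window: int = 2 * CLOCK_SKEW + 1) -> float:
    """Upper bound on the chance that `attempts` random guesses hit one of the `window` valid codes."""
    return min(1.0, attempts * window / 10 ** digits)

@dataclass
class OtpVerifier:
    """Server-side check that makes a short code hard to guess: lockout plus single use."""
    secret: bytes
    failures: int = 0
    locked_until: float = 0.0
    last_counter: int = -1  # highest time step already redeemed (blocks replay)

    def verify(self, code: str, now: float) -> bool:
        if now < self.locked_until:
            return False  # locked out: refuse without evaluating the code
        base = int(now // STEP)
        for counter in range(base - CLOCK_SKEW, base + CLOCK_SKEW + 1):
            if counter <= self.last_counter:
                continue  # this step was already used once; reject replays
            if hmac.compare_digest(hotp(self.secret, counter).encode(), code.encode()):
                self.failures, self.last_counter = 0, counter
                return True
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
        return False
```

Without the attempt limit the bound from guess_success_bound grows linearly with every guess, which is the whole of the “crackable” problem; with it, a 6-digit code survives online guessing even though the code space is only a million values.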