MFA: Moderately Frustrating Authentication

Is the answer 42? Your authenticator says yes. Multifactor authentication, MFA for short (two-factor authentication, or 2FA, is the common special case with exactly two factors): security loves it, users hate it, and management wants efficient, happy employees and bulletproof security at the same time.

Before we explore the importance of targeted communication in cybersecurity and cybersecurity awareness, let's take a technical look at multi-factor authentication (MFA). How does it work? Is it truly bulletproof? How can attackers still access accounts even when MFA is enabled?

Multifactor authentication is a technical measure that strengthens a basic login, where a username or email address plus a password is all that verifies your identity. It does so by adding a second step to the login that is independent of wherever your first credential is stored, be that a sticky note, your memory or, in the best case, a password manager. The second factor can be a hardware security key (a small USB or NFC device, not a plain USB stick), a one-time code sent to you by email or SMS, or a code generated locally: an HOTP (HMAC-based one-time password) or a TOTP (time-based one-time password). The latter two are the most common. An authenticator app stores a secret key provided by the web service, usually by scanning a QR code during enrolment. To log in, you enter the number the app shows, which it derives from that shared secret with an HMAC. With TOTP the input to the HMAC is the current time divided into 30-second steps, so the code changes every 30 seconds; with HOTP it is a counter that advances each time a code is used. Either way, adversaries who know only your password cannot authenticate because they lack the second factor.
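The code path behind that changing number, as an added example (my own code, not from the original post): a minimal HOTP and TOTP implementation following RFC 4226 and RFC 6238, plus the server-side verifier that a service would run. The secret is the RFC reference test vector; the skew window, the replay check via `last_counter` and the base32 helper are my choices, not anything the post specifies.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, then dynamically truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                 # low nibble of the last byte picks a 4-byte window
    code = (
        (mac[offset] & 0x7F) << 24          # mask the sign bit
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time=None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to the number of elapsed time steps."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, int(unix_time) // step, digits, algo)


def verify_totp(secret: bytes, candidate: str, unix_time=None,
                last_counter: int = -1, step: int = 30, digits: int = 6,
                window: int = 1):
    """Server-side check. Accepts the current step and `window` steps either side
    for clock skew, refuses any counter at or below `last_counter` so a code that
    was already used (or phished a minute ago) cannot be replayed, and compares in
    constant time. Returns the matching counter (persist it) or None."""
    if unix_time is None:
        unix_time = int(time.time())
    counter = int(unix_time) // step
    for c in range(counter - window, counter + window + 1):
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c
    return None


def secret_from_base32(b32: str) -> bytes:
    """otpauth:// URIs and enrolment QR codes carry the secret base32-encoded, often unpadded."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 reference secret (the ASCII digits "1234567890" twice).
    k = b"12345678901234567890"
    print(hotp(k, 0), hotp(k, 1))                                   # 755224 287082
    print(totp(k, unix_time=59))                                    # 287082 (59 // 30 == 1)
    print(verify_totp(k, "287082", unix_time=59))                   # 1
    print(verify_totp(k, "287082", unix_time=89, last_counter=1))   # None: replay refused
```

The last call is the part worth noticing: at second 89 the skew window still covers counter 1, so without remembering the last accepted counter the same six digits would verify twice. That is exactly the gap a relayed code exploits, which is why the verifier stores the counter it accepted.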

From a technological perspective, this is not rocket science and is quite easy to understand and implement. However, as you might have guessed, it doesn't make online accounts completely secure. There are ways to bypass MFA. The most well-known method is adversary-in-the-middle phishing. Phishing kits nowadays can perfectly replicate hundreds of legitimate services, because they do not copy the site at all: they proxy it. You'll receive an email that looks legitimate, click the link and a copy of your bank's website will open. You probably won't check the URL, as everything else looks trustworthy. If you enter your credentials, the phishing kit forwards them to the legitimate service in real time. If they are correct, the service presents an MFA challenge, which the kit shows to you. You enter your code, and the kit forwards that to the legitimate service as well. If you have entered everything correctly, you will be redirected to the real page and will be logged in. Everything looks normal, no dodgy errors or weird-looking websites anymore. Meanwhile, the phishing kit has collected the session cookie the service issued and shares it with the attacker, who imports it into their own browser and is logged in as you, without ever needing your password or code again. The relay works because a TOTP or SMS code is just a number: nothing ties it to the site it was typed into. Hardware security keys built on FIDO2/WebAuthn sign the site's origin together with the server's challenge, so a response produced on a look-alike domain fails verification at the real service. Other attacks on MFA include SIM swapping and fatigue attacks. In SIM swapping, the attacker persuades your mobile carrier to move your phone number to a SIM they control, then authenticates with a web service using harvested credentials. If the MFA code arrives by SMS, the attacker receives it instead of you, logs in and hijacks your account. Fatigue attacks target push-based MFA, where you simply tap Approve in an app (LinkedIn offers this, for example). The attacker triggers login prompt after login prompt, often at night, until you tap Approve once, by accident or just to make them stop. Again, your account has been hijacked by one wrong tap. Number matching, where the app makes you type a number displayed on the login screen, removes the one-tap approval that this attack depends on.
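The relay described above, modelled as an added example (constructed code, not the post's and not taken from any phishing kit): `Service`, `PhishingProxy`, both origins and the user record are made up. The first scenario relays a password plus authenticator code through the proxy and ends with the attacker holding a live session. The second relays the same way against an origin-bound credential, with an HMAC standing in for the security key's signature, and fails because the real service checks the signed origin. Both scenarios run entirely in memory.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

REAL_ORIGIN = "https://bank.example"        # constructed: the legitimate site
PHISH_ORIGIN = "https://bank-example.com"   # constructed: the attacker's look-alike


@dataclass
class User:
    name: str
    password: str
    current_otp: str   # constructed: the digits the user's authenticator app shows right now
    cred_key: bytes    # FIDO2 would hold a private key here; an HMAC key stands in for it


def sign(key: bytes, challenge: str, origin: str) -> str:
    """Stand-in for the authenticator's signature over the client data, which in
    WebAuthn covers the challenge and the origin the browser is actually on."""
    return hmac.new(key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class Service:
    """The legitimate site. Both login flows end with a session cookie."""
    def __init__(self, users):
        self.users = {u.name: u for u in users}
        self.sessions = {}     # cookie -> username
        self.challenges = {}   # outstanding challenge -> username
    def _issue_cookie(self, name):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = name
        return cookie
    def login_otp(self, name, password, otp):
        """Password + code. Nothing here knows which page the user typed into."""
        u = self.users.get(name)
        if u and hmac.compare_digest(u.password, password) and hmac.compare_digest(u.current_otp, otp):
            return self._issue_cookie(name)
        return None
    def begin_assertion(self, name):
        challenge = secrets.token_hex(16)
        self.challenges[challenge] = name
        return challenge
    def finish_assertion(self, name, challenge, origin, signature):
        """Origin-bound flow: the challenge must be one we issued, the signed origin
        must be ours, and the signature must verify under the user's credential."""
        if self.challenges.pop(challenge, None) != name or origin != REAL_ORIGIN:
            return None
        expected = sign(self.users[name].cred_key, challenge, origin)
        return self._issue_cookie(name) if hmac.compare_digest(expected, signature) else None
    def whoami(self, cookie):
        return self.sessions.get(cookie)


class PhishingProxy:
    """The look-alike site: forwards every step to the real service in real time
    and keeps whatever cookie comes back."""
    def __init__(self, service):
        self.service = service
        self.captured = None
    def login_otp(self, name, password, otp):
        self.captured = self.service.login_otp(name, password, otp)
        return self.captured is not None   # the victim just sees a successful login
    def begin_assertion(self, name):
        return self.service.begin_assertion(name)
    def finish_assertion(self, name, challenge, origin, signature):
        # The proxy can forward the bytes, but it cannot change what the victim's
        # authenticator signed: rewriting `origin` here breaks the signature instead.
        self.captured = self.service.finish_assertion(name, challenge, origin, signature)
        return self.captured is not None


def _setup():
    user = User("alice", "correct horse battery", "482913", b"alice-cred-key")  # constructed
    service = Service([user])
    return user, service, PhishingProxy(service)


def otp_relay_attack():
    """Victim types password and the code their app shows into the phishing page."""
    user, service, proxy = _setup()
    victim_saw_success = proxy.login_otp(user.name, user.password, user.current_otp)
    return victim_saw_success, service.whoami(proxy.captured)   # (True, "alice")


def origin_bound_relay_attack():
    """Same relay, but the victim's security key signs the origin the browser is on."""
    user, service, proxy = _setup()
    challenge = proxy.begin_assertion(user.name)
    signature = sign(user.cred_key, challenge, PHISH_ORIGIN)
    victim_saw_success = proxy.finish_assertion(user.name, challenge, PHISH_ORIGIN, signature)
    return victim_saw_success, proxy.captured   # (False, None)


def legitimate_origin_bound_login():
    """Control: the same credential used on the real site logs in normally."""
    user, service, _ = _setup()
    challenge = service.begin_assertion(user.name)
    cookie = service.finish_assertion(user.name, challenge, REAL_ORIGIN,
                                      sign(user.cred_key, challenge, REAL_ORIGIN))
    return service.whoami(cookie)   # "alice"
```

Note what the proxy never has to do in the first scenario: it does not crack, guess or replay anything, it just forwards a still-valid code once and keeps the cookie. In the second, the proxy is identical; only the credential changed, and the origin check in `finish_assertion` is what ends the attack.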

Aside from the methods of circumventing MFA, there is another problem: user acceptance. If employees or private individuals do not understand why MFA is important and are simply forced to use it, they will find ways to avoid needing a second device such as a smartphone, for example by storing the 2FA secret in their password manager, which will happily generate the codes so that they only have to copy them from there. While this is convenient, it collapses the two factors into one: the secret now lives beside the password it was supposed to be independent of. If your device is compromised and attackers steal the master password for your vault, they can log in to your account even though MFA is enabled. This is why a separate authenticator device matters. Even if your credentials have been stolen or your laptop compromised, attackers cannot answer the MFA challenge unless they also compromise your phone. Even more secure options exist, such as hardware security keys that keep a cryptographic key on a small USB or NFC device. The key never leaves the device, and the device only answers for the site it was registered with, so adversaries would have to steal it physically to access your account, which is quite difficult to do at scale.

We already covered this in our first Luna(r) Brief: everything is an asset, even though it sounds a bit strange to call human beings assets. Every asset can either benefit or threaten the security of your organisation. It is relatively easy to keep machines secure. When it comes to human beings, however, psychology plays a significant role. You can't enforce security from above; it won't be accepted. You need role models who embody security, even if they don't work in that field. You need very good, transparent communication that everyone can understand and access. Explain to your employees why it is necessary to enforce MFA and other user-unfriendly security features. Teach them how to use them. Explain what could go wrong if the feature were not active or if it were circumvented. Make it real and tangible. Show them what happens if an account gets hijacked using harvested credentials. Show them what happens to their device and explain how it will slow them down at work. Be transparent and explain that MFA is not bulletproof. Show them how attackers bypass these measures. Teach them how to spot phishing and how to report security issues. Give them contacts they can turn to with security concerns, such as unusual calls or text messages. And don't just stick to the business context. Security outside the corporate world is equally important. Take banking, insurance and cloud storage holding PII, for example. All of these can be secured, and improving security in people's private lives also benefits corporate cybersecurity, as acceptance of security features will increase.

While 42 may be the answer to life, the key to user acceptance in cybersecurity is transparent and honest communication that is targeted at the right people.


There are plenty of cybersecurity blogs out there - but this one’s a little different. Think of it as your personal cyber bedtime story: a calm(ish), reflective read to end your day, with just the right mix of insight, realism and a touch of provocation.

I’m thrilled to introduce The Luna(r) Brief, a new monthly blog series that the brilliant Luna-Marika Dahl will be writing for Cybersecurity Redefined - published on the second Monday of each month at 9PM CE(S)T.

Why late? Because cybersecurity doesn’t sleep - and neither do the thoughts that keep us up at night.

Each post is designed to be a thoughtful end-of-day read - short enough to digest after work, deep enough to spark new thinking.
