What is Multi Factor Authentication?
NIST defines multi-factor authentication as two or more of something you know, something you have, and something you are. [ 1 ]
Multi-factor authentication is not a new security method. Despite its ease of implementation, low cost, and the large step up in security it offers over traditional password authentication, it is still used by only a quarter of Americans. [ 2 ] In fact, many large-scale data breaches can be traced to a lack of multi-factor authentication. Take for example the Democratic National Convention email hack. [ 3 ] Even simple 2FA could have prevented many recent high-profile data breaches.
However, not all forms of multi-factor authentication are created equal. Systems like RSA SecurID that use a physical security key or a generated login token are stronger than SMS-based text message MFA. Although, Wardrop was quick to mention that SMS MFA is much better than nothing.
SMS-based MFA is weak and vulnerable. One such weakness is noted by security researcher and forensic expert Jonathan Zdziarski:
“SMS is just not the best way to do this, it is depending on your mobile phone as a means of authentication [in a way] that can be socially engineered out of your control.” [ 4 ]
Another vulnerability of SMS-based MFA was demonstrated in Operation Emmental, in which banking malware was used to scrape SMS one-time passwords from Android phones. This is just another example of how SMS-based MFA is susceptible to exploitation. [ 5 ]
The U.S. National Institute of Standards and Technology (NIST) has revised its multi-factor authentication security guidelines to discourage SMS-based MFA and encourage the use of more robust MFA alternatives.
More robust methods of multi-factor authentication
In general, systems that use physical security keys such as smart cards, or that generate login tokens through applications, are a stronger form of multi-factor authentication than SMS-based MFA.
However, with over 200 multi-factor authentication vendors, it can be difficult to choose the right vendor and method of MFA. AlienVault Inc.'s security blog has a detailed post outlining the strengths and weaknesses of different MFA methods. [ 6 ]
References:
[1] http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
[2] https://duo.com/blog/state-of-the-auth-experiences-and-perceptions-of-multi-factor-authentication
[3] http://dailycaller.com/2017/01/04/an-18-piece-of-tech-might-have-prevented-a-giant-email-headache-for-john-podesta-dnc/
[4] https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/
[5] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf
[6] https://www.alienvault.com/blogs/security-essentials/is-your-multi-factor-authentication-solution-the-real-thing
About the Author:
Louis Powers is an information security consultant at A2 Cybersecurity in Stony Point, New York.