Blog / Defence / 2 October 2023
Author: Samir Yawar

Here's How Multi-Factor Authentication Helps You Keep Cybercriminals Away


Imagine you have a secret diary. To keep it safe, you fit it with not one lock but several, each of which must be opened before the diary can be read. Requiring several different locks before granting access is what cybersecurity specialists call multi-factor authentication.

Because, hey, passwords get discovered all the time: 8.4 billion leaked passwords were in circulation as of September 2023.

Why should this development concern everyone? Threat actors feed these leaked passwords into credential stuffing and password spraying attacks against online accounts, brute-forcing their way into your digital life. This is all the more worrying when you consider that:

What is multi-factor authentication?

Let us walk back to the secret diary we mentioned. This treasure trove of secrets requires four locks. And not just any lock but different kinds of locks at that.

  • The first lock is your regular password (something you know), like a secret word. 

  • The second lock is like a special card (something you have), like a library card. 

  • The third lock is like a picture of your face (something you are), where the diary only opens if it recognizes your face.

  • The fourth lock only works if you are present at the treehouse where the diary resides (location).

So, multi-factor authentication (MFA) is like using several of these locks, of different kinds, on your online accounts so that only you can get in. Even if someone learns your password, they still can't get in without your special card and your face.

The best part? Microsoft has reported that accounts with MFA enabled are more than 99.9% less likely to be compromised, which makes MFA the single best defence against credential stuffing, brute-force attacks and password spraying. Most MFA methods are not phishing-resistant (a code you type can also be typed into a fake login page), but they block the bulk of automated intrusion attempts by unauthorised parties.

How does multi-factor authentication work?

MFA requires more than one type of factor before it grants access to a system.

By convention these factors are grouped into four types, each covered below.

While no MFA method offers complete protection against threat actors, any MFA is better than no MFA. You don't want to make it easy for someone to peek into your secret diary just by guessing your password, right?

Something You Know

Passwords are the simplest examples of Something You Know.

There’s a good reason why they are the most commonly used authentication method - they don’t rely on special hardware or software to work.

When you type in your password, it's a way to prove that you're the person who should have access to something, like your online account.

This is why most MFA systems use a password and at least one other factor.

Something You Have

Imagine Something You Have as having a special item, like a key to your house. It's like saying, "I have this thing that proves I should be here." 

In the digital world, it might be a card or a code sent to your phone that you need to enter. If you don't have that special item, you can't get in.

This MFA method requires you to carry a secondary device, which makes it much harder for an attacker to get into your account with a stolen password alone. It also carries real administrative costs: devices must be enrolled, lost or broken devices replaced, and a secure recovery path provided for users who are locked out.
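The "code sent to your phone" that this section describes is, in authenticator apps, a time-based one-time password (TOTP, RFC 6238) derived from a secret the server shares with the device at enrolment. The following is an added example, not code from the original post: it implements HOTP/TOTP over HMAC-SHA1, builds the otpauth URI that a QR code encodes, and verifies a submitted code with a small clock-drift window, constant-time comparison and replay rejection. The secret `12345678901234567890`, the issuer `Example` and the account `alice@example.com` are the RFC's test value and constructed names, not a real deployment.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): dynamically truncate HMAC-SHA1(secret, counter) to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP where the counter is the number of `step`-second intervals since the Unix epoch."""
    return hotp(secret, at_time // step, digits)


def provisioning_uri(issuer: str, account: str, secret: bytes, digits: int = 6, step: int = 30) -> str:
    """The otpauth URI an authenticator app reads from the enrolment QR code. The shared secret is
    transmitted in Base32; anyone who sees this URI (a screenshot, a log line) can generate the codes."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}", safe="")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer, safe='')}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


class TotpVerifier:
    """Server-side check for one enrolled device. Keeps the last accepted time step so a code that has
    already been used (or one older than the last accepted) cannot be replayed, per RFC 6238 section 5.2."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1

    def verify(self, submitted: str, at_time: int) -> bool:
        if len(submitted) != self.digits or not submitted.isdigit():
            return False
        counter = at_time // self.step
        matched = None
        # Accept the current step and `window` steps either side to tolerate clock drift.
        # compare_digest keeps the comparison constant-time, so a near-miss leaks nothing.
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), submitted):
                matched = candidate
        if matched is None or matched <= self.last_counter:
            return False  # wrong code, or a code for a step that was already consumed (replay)
        self.last_counter = matched
        return True


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, constructed example only
    print(provisioning_uri("Example", "alice@example.com", secret))
    verifier = TotpVerifier(secret)
    print("code at t=59:", totp(secret, 59))                      # 287082
    print("first use accepted:", verifier.verify("287082", 59))    # True
    print("replay accepted:", verifier.verify("287082", 59))       # False
```

Note what the verifier cannot tell: a valid code is accepted whoever submits it within the window, which is exactly why a phishing page that relays the code to the real site in real time defeats this factor. The replay check only stops reuse after the legitimate login has gone through.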

Something You Are

What about Something You Are? These are factors that make you unique. 

Think of it like a superhero with a special power nobody else has. But since this is the real world we’re talking about, it can be something like your fingerprint or face. 

When you show your face to a camera or scan your fingerprint, it proves you're you because there's no one else exactly like you.

If you are part of a business or an organization that deals with sensitive information, this MFA method is commonly used to control access to the premises.

Location

Location is like saying, "I am right here." It's proving where you are at a particular moment. Think of it as GPS for your pizza delivery - only the right location gets the pizza.

However, the location factor is not restricted to geography. It can also mean the Internet Protocol (IP) address range the request comes from: administrators can use an allow-list of trusted networks to limit who can reach sensitive information, or to demand extra factors from anyone connecting from outside it.

Some security systems can use your phone's GPS or IP to check if you're in the right place to access something. So, it's like saying, "I can only do this if I'm in the right spot."
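The following is an added example, not code from the original post, showing how an IP-based location factor is typically applied: the client address is recovered safely from a proxied request (the `X-Forwarded-For` header is attacker-writable, so only the hops added by your own proxies are trusted), then checked against an allow-list, and access to a restricted resource is granted only when enough other factor types are present as well. The networks `192.0.2.0/24`, `10.0.0.0/8` and the addresses used are documentation ranges chosen for this example.

```python
import ipaddress
from typing import Iterable, List, Set, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_networks(cidrs: Iterable[str]) -> List[Network]:
    """Turn allow-list strings such as '192.0.2.0/24' into network objects (IPv4 and IPv6)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_trusted(source_ip: str, networks: List[Network]) -> bool:
    """True when the address falls inside any allow-listed network. Unparseable input is never trusted."""
    try:
        addr = ipaddress.ip_address(source_ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in networks)


def client_ip(remote_addr: str, forwarded_for: str, trusted_proxies: List[Network]) -> str:
    """Recover the real client address behind reverse proxies.

    Walk the chain (X-Forwarded-For hops, then the TCP peer) from the right; the first hop that is
    not one of our own proxies is the client. Anything further left was supplied by untrusted parties
    and is ignored, so a spoofed leading entry cannot satisfy the location check."""
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()] if forwarded_for else []
    chain = hops + [remote_addr]
    for hop in reversed(chain):
        if not is_trusted(hop, trusted_proxies):
            return hop
    return chain[0]  # every hop is one of ours: the request originated inside our own network


def authorize(source_ip: str, presented: Set[str], allow_list: List[Network],
              restricted: bool = False, min_factors: int = 2) -> bool:
    """Grant access when at least `min_factors` distinct factor types (know/have/are) were verified and,
    for restricted resources, the request also comes from an allow-listed network (the location factor).
    Location never substitutes for one of the other factors: an address is far too easy to borrow."""
    factor_types = presented & {"know", "have", "are"}
    if len(factor_types) < min_factors:
        return False
    if restricted and not is_trusted(source_ip, allow_list):
        return False
    return True


if __name__ == "__main__":
    office = parse_networks(["192.0.2.0/24", "2001:db8::/32"])   # constructed allow-list
    proxies = parse_networks(["10.0.0.0/8"])                     # constructed internal proxy range
    ip = client_ip("10.0.0.5", "198.51.100.1, 203.0.113.7, 10.0.0.9", proxies)
    print("client seen as:", ip)                                  # 203.0.113.7, spoofed 198.51.100.1 ignored
    print("restricted from outside:", authorize(ip, {"know", "have"}, office, restricted=True))   # False
    print("restricted from office:", authorize("192.0.2.10", {"know", "have"}, office, restricted=True))  # True
```

The order of checks matters: the factor count is tested before location, so a request from inside the office with only a password is still refused. If your proxies do not overwrite or append to `X-Forwarded-For` reliably, trust only `remote_addr` and pass an empty header.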

Is Multi-factor Authentication Completely Safe?

The cat-and-mouse game between attackers and new security technologies continues. Multi-factor authentication has its own limitations, which depend on the method being used:

Weak Password

MFA is a multi-layered defence against intrusion, but a weak account password still removes one of those layers: an attacker who guesses it has only the second factor left to beat. Strong, unique passwords remain necessary even with MFA turned on.

Social Engineering

SMS and voice-based one-time passwords (OTPs) should be phased out as MFA methods. A code read out or texted to you can be phished in real time by a fake login page that relays it to the real site, and the phone number itself can be hijacked through SIM swapping, at which point the attacker receives your codes instead of you.

Smartphones as MFA devices

Mobile device security is commonly overlooked by security administrators and users alike. Smartphones are the most common authentication devices, and their ubiquity makes them an attractive target for threat actors.

There are many scenarios where MFA codes can be hijacked by cybercriminals:

  • Missing operating system or app security patches

  • Unintentionally downloaded malware payloads

  • Exploiting vulnerabilities in wireless technology like Bluetooth

Biometrics are not impossible to hack

Specialised equipment that stores biometric information may be hard to crack, but not impossible. Unlike a password, a fingerprint or face cannot be changed once leaked, so an attacker who obtains the stored templates can undermine biometric checks permanently. Presentation attacks using deepfakes and other AI-generated imagery against face and voice recognition should not be treated as an afterthought either.

Conclusion

Multi-factor authentication is a powerful tool for securing yourself and your organisation. While many methods remain vulnerable to phishing and social engineering, using MFA is far better than not using it at all. Depending on your security requirements, adding more independent factors of different types makes you safer, and preferring phishing-resistant methods over codes you type in makes you safer still.


Note: This blog is part of Pureversity's Cybersecurity Awareness Month 2023 coverage, aiming to empower you, your home, and your workplace with an improved cybersecurity posture.

Samir Yawar / Content Lead
Samir wants a world where people can instinctively whack online scams and feel accomplished without the need for psychic powers. As an ISC2 member, he is doing his bit to turn cybersecurity awareness training into a fun concept with simple, approachable and accessible content. Reach out to him at X @yawarsamir
Frequently Asked Questions

What is multi-factor authentication?

Multi-factor authentication (MFA) is a security process that requires users to provide two or more authentication factors to verify their identity when accessing an account or system. These factors typically fall into three categories: something you know (e.g., a password), something you have (e.g., a smartphone), and something you are (e.g., a fingerprint), with location sometimes counted as a fourth.

Why is MFA important?

MFA significantly enhances security by adding extra layers of protection. It reduces the risk of unauthorised access, especially when passwords are compromised, and helps safeguard accounts and sensitive information from threats such as hacking, phishing and credential theft.

How does MFA work?

MFA requires users to provide multiple authentication factors during the login process. For example, after entering a password (something you know), you may receive a one-time code on your smartphone (something you have) that you must also enter. Only once both factors are verified is access granted.

What are common authentication factors in MFA?

  • Something you know: passwords, PINs or security questions.

  • Something you have: smartphone apps, hardware tokens or one-time codes sent by email.

  • Something you are: biometric data such as fingerprints, facial recognition or iris scans.

  • Location: confirming the user's physical or IP location.

Is MFA difficult to set up and use?

No, MFA is designed to be user-friendly. Setting it up typically involves linking a second factor (e.g., a mobile app or email) to your account, which is usually straightforward. Once set up, MFA is quick and convenient, providing an additional layer of security without significant inconvenience. It's a small effort for a substantial security boost.