Dark Reading is part of the Informa Tech Division of Informa PLC

Not All Multifactor Authentication Is Created Equal

Users should be aware of the strengths and weaknesses of the various MFA methods.

"Two-step verification," "strong authentication," "2FA," and "MFA." Far more people are familiar with these terms today than just a few years ago. Multifactor authentication — or simply MFA — solutions are designed to protect their users' credentials and simplify password management by adding at least one more factor to the authentication process beyond a simple password. These additional factors could be something you have (such as a token), something you are (like a fingerprint or iris scan), or something else you know (like a passphrase). As credential theft has attracted more attention in the security industry, many MFA solutions have flooded the market. That raises this question: Are all MFA methods equally effective?

In truth, there's a wide range of approaches to MFA, and some are much more secure than others. Let's analyze some common MFA methods and explore which factors of verification are more or less effective:

SMS one-time passwords (OTPs): Using SMS as a second authentication factor is common. A random, six-digit number is sent to the user's phone number using SMS, so theoretically only the person with the right mobile phone will be able to authenticate, right? Wrong. There are several proven ways to defeat an SMS OTP. For example, news and entertainment website Reddit was breached in mid-June 2018 via an SMS intercept. Although the hack didn't obtain much private information (and Reddit did an excellent job responding to the incident), it shows that SMS authentication is not as secure as often assumed. An attacker can intercept an SMS by exploiting cellular network vulnerabilities, or malware installed on a victim's phone can redirect the SMS to the attacker's phone. A social engineering attack on a phone carrier may let an attacker obtain a new SIM card associated with the victim's number and receive the OTP message instead. In fact, US standards-setting agency NIST deprecated SMS authentication in 2016, indicating it no longer considered it a secure method of authentication. Unfortunately, the many companies that continue to rely on SMS OTPs are giving users a false sense of security.

Hardware tokens: One of the oldest MFA methods still in use, hardware authentication tokens often come in a key-fob format with a display showing time-based OTPs. The hardware itself protects its internal unique key, but there are downsides. Users have to carry them around, they're expensive, require logistics, and must be changed from time to time. Some hardware tokens require a USB connection, which can be tricky if you need to authenticate from your mobile phone or tablet.

Mobile tokens: The most common mobile tokens work like hardware tokens, but as a mobile app. The best thing about them is that the user doesn't need to carry anything other than a smartphone. The real question is how the unique key gets into the app, the "activation process." Delivering all keys and credentials in a QR code, as Google Authenticator does, is usually not a good idea: anyone who obtains a copy of that QR code holds a cloned version of your token.

Push-based authentication tokens: An evolution of regular mobile tokens and SMS, push-based authentication is becoming quite popular because of its improved usability. Unlike SMS, the push message won't carry the OTP. Instead, it carries an encrypted message that can be opened only by the specific app on the user's phone. The user therefore has contextual information to decide whether the login attempt in question is genuine, and can quickly approve or deny the authentication. If approved, a unique OTP should be generated internally by the token on the user's phone and sent back with the approval so the server can verify it. Not all MFA solutions do this, which increases the risk of a push approval message being mimicked or spoofed.

QR code-based authentication token: While a push-based token requires a data connection from the phone, QR code-based authentication works offline and provides the contextual information through the QR code itself. The user scans the QR code on the screen with the authentication mobile app, then types the OTP that the mobile app generates based on the unique key, the time, and the contextual information. This smooth user experience is important, which is why push-based and QR code-based tokens are becoming popular. If an MFA method slows down the login process too much, people might not use it and be more vulnerable to the risks of password insecurity.
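The push-based and QR code-based paragraphs above both rely on the same idea: the OTP the phone returns is derived from the unique key, the current time step and the contextual information shown to the user, so an approval cannot be replayed for a different login attempt. This Python sketch is an added example, not code from the article or from any vendor's product; the key, context string and timestamps are constructed, and the truncation follows the RFC 4226 HOTP scheme.

```python
import hashlib
import hmac
import struct
import time

DIGITS = 6
STEP = 30  # seconds per time step, as in TOTP


def context_bound_otp(key: bytes, context: str, counter: int) -> str:
    """OTP over the shared key, the time-step counter and the login context.

    Folding the context (user, service, origin) into the HMAC input means an
    OTP minted for one login attempt is useless for approving another one.
    """
    msg = struct.pack(">Q", counter) + hashlib.sha256(context.encode()).digest()
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def approve_push(key: bytes, context: str, now=None) -> dict:
    """Phone side: the user approves; the app answers with an OTP bound to the
    exact context it displayed (the same code a QR-based app would show)."""
    counter = int((time.time() if now is None else now) // STEP)
    return {"approved": True, "otp": context_bound_otp(key, context, counter)}


def verify_approval(key: bytes, context: str, response: dict,
                    now=None, window: int = 1) -> bool:
    """Server side: accept only if the OTP matches the context the server
    itself sent, within +/- `window` time steps of clock drift."""
    if not response.get("approved"):
        return False
    counter = int((time.time() if now is None else now) // STEP)
    got = response.get("otp", "")
    return any(hmac.compare_digest(context_bound_otp(key, context, c), got)
               for c in range(counter - window, counter + window + 1))


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"            # constructed key
    ctx = "alice requests VPN login from 203.0.113.7"      # constructed context
    t = 1_700_000_000                                      # constructed time
    resp = approve_push(key, ctx, now=t)
    print(verify_approval(key, ctx, resp, now=t))                      # True
    print(verify_approval(key, ctx + " (2nd attempt)", resp, now=t))   # False
    print(verify_approval(key, ctx, {"approved": True}, now=t))        # False
```

The second and third checks are the failure mode the article warns about: a bare "approved" message, or an approval captured for one login, carries no proof that this user approved this attempt.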

Here we can see the benefits and potential drawbacks of each type of authentication. But there are other interesting considerations when choosing an MFA solution. For example, most people would think that a hardware token is more secure than a mobile token with push and QR technology. It's not. Let's say someone from Russia tries to get through a company's VPN, using a stolen credential. If the user has a hardware token, the attacker could potentially call or send a phishing e-mail, convincing the user to give away an OTP, just by using social engineering; and a good number of users would give it. Now let's say the same user receives a push message saying something like: "Yourusername requests connection to your VPN from a computer in Russia. Do you accept?" Hard to convince the user to accept this connection, don't you think?

As you can see, there are many different types of authentication, but not all of them will give you the same level of security. A push-based token can be more effective than a hardware token, but not all push-based tokens work the same way. If you are rolling out an MFA solution, make sure you address all of these points and establish a clear understanding of what level of security and risk you're getting with your MFA method of choice.


Alexandre Cagnoni is an expert in authentication, currently focused on the cloud-based multifactor authentication solution from WatchGuard Technologies in Brazil and APAC. He has almost 20 years of experience working in the cybersecurity and authentication market and has ...
