Multi-Factor Authorization (MFA) During Cellular Network Outage

Multi-factor authentication (MFA) stands as a crucial safeguard in thwarting unauthorized access to accounts. Traditionally, one of the most widespread practices has been the use of a mobile device as a key component in this security measure. Users typically receive a one-time password (OTP) or a verification code on their registered mobile phone number, delivered via SMS text message or voice call. This method has been widely adopted due to its simplicity and effectiveness.

However, recent incidents involving cellular network outages have highlighted a significant vulnerability in this approach. Numerous users have experienced difficulties in bypassing the MFA process to access their accounts during these outages, exposing a critical reliance on mobile networks for security verification and the need for more resilient authentication methods.

Introduction to Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) is a security mechanism that requires more than one method of authentication from independent categories of credentials to verify the user's identity for a login or other transaction. MFA aims to create a layered defense and make it more difficult for an unauthorized person to access a target such as a physical location, computing device, network, or database. If one factor is compromised or broken, an attacker still has at least one more barrier to breach before successfully breaking into the target.

The concept of MFA is not new; it has evolved over time with the advancement of technology. The origins of MFA can be traced back to the use of multi-factor authentication mechanisms in military and security contexts several decades ago, but it became more prominently recognized and adopted in mainstream applications in the early 2000s. The three main types of authentication factors include something you know (knowledge), something you have (possession), and something you are (inherence). Knowledge factors include passwords and PINs; possession factors include bank cards, mobile phones, or smart cards; and inherence factors include biometric verification such as fingerprints, facial recognition, or iris scans. Advances in technology have also introduced location and time as additional factors, further enhancing security measures.

Recent Cellular Network Outages

Last week, AT&T experienced a significant service outage affecting thousands of customers across the United States, primarily due to a procedural error during network expansion efforts. The disruption began early on Thursday, with service fully restored by the afternoon. Initial investigations suggested the outage was triggered by the application of an incorrect process, not by malicious activity. Over 32,000 reports of outages were recorded early in the morning, with numbers peaking at over 71,000 before 8 a.m. ET, impacting major cities such as Houston, Chicago, Dallas, Los Angeles, and Atlanta. While AT&T quickly acknowledged the issue and worked towards resolution, other carriers like Verizon, T-Mobile, and AT&T-owned Cricket Wireless also reported disruptions, mainly affecting attempts to connect with AT&T users. The incident raised concerns about reaching emergency services, prompting public safety announcements on alternative communication methods. The Federal Communications Commission has launched an investigation into the matter, supported by the Federal Bureau of Investigation and the Department of Homeland Security, although there is no indication of a cyberattack being involved. AT&T has apologized to its customers and is taking measures to prevent future occurrences, highlighting the incident as primarily a result of human error related to cloud configuration.

On February 13th, 2023, T-Mobile customers across the United States experienced widespread network disruptions, impacting their ability to make calls and use other services. The issues were reported from coast to coast, affecting users in various states, with some experiencing intermittent service or complete outages over extended periods. DownDetector recorded a surge in complaints, exceeding 80,000 reports. Many users noted a lack of cellular connection, with their phones displaying the emergency SOS satellite indicator instead. Despite the challenges, T-Mobile began to regain control of the situation by late evening that same day, although customers expressed dissatisfaction with the disruption. The company acknowledged the problems on social media, stating efforts were underway to quickly address the intermittent impacts on voice, messaging, and data services in several regions. T-Mobile attributed the service interruptions to an issue with a third-party fiber connection.

In November of 2023, Australia faced a significant disruption when an outage at Optus, the country's second-largest telecommunications provider, severed internet and phone connections for nearly half its population, impacting over 10 million people for around 12 hours. This widespread interruption not only incited considerable frustration and anger among customers but also sparked concerns about the resilience of the nation's telecommunications infrastructure. In response to the chaos that affected payments, transport, and healthcare services, and approximately 40% of Australians, the government announced an investigation into the incident. Optus attributed the service disruption to a network event that led to a cascading failure, explicitly ruling out a cyberattack, and promised free data to customers as a gesture of goodwill for their patience and loyalty. The Communications Minister Michelle Rowland expressed particular concern over the outage, emphasizing the importance of learning from the incident, as the government initiated a review process.

Prevent MFA Account Lockouts During Cellular Outages

To mitigate the risk of being locked out of your account during a cellular network outage, it's wise to diversify your multi-factor authentication (MFA) methods ahead of time. Instead of relying solely on one-time passwords (OTPs) sent via SMS or voice call, consider setting up alternative authentication factors. Many platforms offer a range of MFA options, including authenticator apps such as Google Authenticator or Microsoft Authenticator, which generate time-based OTPs independently of your cellular network. Exploring the use of physical security keys can further bolster your access resilience. These USB or NFC devices serve as a form of hardware authentication that does not depend on network connectivity. By inserting the key into a device or tapping it against a compatible device, you can authenticate your identity securely. Biometric options and backup codes also offer additional options to diversify your authentication factors. Preparing for potential outages by registering multiple MFA methods on your accounts not only enhances security but ensures that you maintain access to your accounts, even when one authentication pathway is compromised. Proactive steps like these safeguard against the inconvenience and potential security risks associated with network outages, keeping your digital life uninterrupted.

How to Use MFA When You Don’t Have Cellular Service

Enabling multi-factor authentication (MFA) with only a one-time password (OTP) via SMS or voice call as your authentication factor can place you in a bind during a cellular network disruption. This is because the MFA code needed to access your account won't be delivered to your mobile device, effectively barring entry into your account. Additionally, you won't have the capability to add another authentication method while locked out.

Nevertheless, there are strategies to regain access to your account amidst a cellular outage. One potential route is reaching out to the customer support or administration team of the service you're attempting to access. If you can establish contact, which may be challenging during an outage, and successfully verify your identity, they might temporarily disable the SMS or voice call MFA, allowing you to log in and set up an alternative MFA method. However, this approach may not always be viable due to security concerns and the risk of impersonation by malicious entities.

An alternative and more reliable solution is to activate Wi-Fi calling and texting settings on your device. These features, typically turned off by default, enable your phone to send and receive calls and texts over Wi-Fi instead of relying on cellular networks. This can be useful in scenarios where cellular service is weak or nonexistent, but a strong Wi-Fi connection is available. By enabling these settings, your device should automatically switch to Wi-Fi for calls and texts, allowing you receive MFA codes, provided that the service's authentication system is not hindered by the same network issues.

How Secure Is MFA Based on SMS and Voice Calls?

While relying on SMS and voice call for multi-factor authentication (MFA) adds a layer of security beyond just a password, it's not without its vulnerabilities. These methods depend on the security of mobile networks, which can be breached, making the transmission of codes—a process conducted openly for both SMS and voice calls—prone to interception by attackers with sufficient determination and resources. The main security flaw lies not within MFA itself, but in the method of code transmission, which lacks encryption and exposes sensitive information to potential interception.

We recently authored a blog discussing the vulnerabilities associated with SMS-based MFA. Additionally, Alex Weinert, Director of Identity Security at Microsoft, has spent the past few years advocating for users to move beyond SMS and voice call MFA. He highlights that these methods, which rely on the publicly switched telephone networks (PSTN), are the least secure forms of MFA due to their susceptibility to various hacking techniques. Attackers can intercept SMS messages through tactics like SIM swapping, where the attacker deceives the mobile provider into transferring the victim’s phone number to a device under their control, or through SS7 attacks, exploiting flaws in the mobile network's signaling system to reroute messages. Weinert's advice underscores the need for a shift towards more secure MFA methods that are less vulnerable to such exploits.

In Conclusion

While multi-factor authentication (MFA) significantly enhances account security, recent cellular network outages have underscored the vulnerability of relying solely on SMS and voice call methods. These incidents highlight the importance of adopting more secure and reliable MFA methods that do not depend on cellular networks, such as authenticator apps, physical security keys, biometric options, and backup codes.

As organizations navigate these challenges, Compass IT Compliance offers invaluable support by helping them evaluate their security controls and align cybersecurity strategies with business objectives. By leveraging Compass IT Compliance's expertise, businesses can ensure that their MFA practices not only offer robust security but also maintain accessibility and user convenience, even in the face of cellular network outages. This proactive approach to cybersecurity enables organizations to protect sensitive information and user accounts from unauthorized access, thereby upholding trust and continuity in their digital operations. Contact us today to explore our comprehensive suite of security solutions!