Weighing Your Multi-Factor Authentication Options

At this point most of us have heard that securing our accounts with only passwords, no matter how complex, is not enough. Do not get me wrong, requiring strong passwords (14 or more characters, composed of uppercase and lowercase letters, and including symbols and numbers) is essential along with ensuring they are changed frequently, that old passwords are not reused, and that the same password is not used for multiple accounts. The combination of complexity, changing passwords, and using unique passwords for each account will help protect against brute force attacks and credential stuffing attacks. However, users are still vulnerable to phishing (which is getting more sophisticated) and to the age-old problem of insecure user behavior (writing your password on a sticky note and keeping it under your keyboard).

The solution is to use a combination of tools and training to try and reduce the threat surface as much as possible, because it is impossible to remove the threat entirely. We want to enforce complexity and password requirements logically with something like group policy, and for password uniqueness we would use a password manager (my favorite is Bitwarden). Then we need to ensure our users know not to write their credentials down or keep them stored in clear text on their desktop, which we will try to prevent through security awareness training. Security awareness training will also help our employees spot out phishing attempts and social engineering attacks.

All the above is a good start and will put us in a much better position than before, but there is still more we can do. Phishing attacks are getting more sophisticated and no matter how much training we give employees, all it takes is one click or to enter a password into a legitimate looking login screen for the account to be compromised. The next thing we want to do is add multi-factor authentication (MFA). However, not all MFA solutions are created equally, so what are our options?

The most common solutions for MFA are:

• SMS
• Time-based one-time password (TOTP)
• Security key

Each one of those provide an additional layer of security, but some are better than others. Ideally, we would not use SMS as our method of MFA. Although it is effective at protecting against automated bots, it is not effective against targeted attacks such as SIM swapping and porting. If SMS is the only option available, there are ways to make it more secure such as using a number generated from a VOIP app which will protect against SIM swapping and porting. That leaves us with TOTP and security keys.

TOTP is going to be the easier of the two to implement. This is accomplished by installing an authenticator app on your phone such as Microsoft Authenticator and then connecting your account to that app. The app will generate a random string of digits (typically six digits long) that will expire in anywhere from minutes to seconds. The user must manually enter the code into a prompt prior to the key expiring. As said previously, this will likely be the easiest to implement as modern network architecture has largely been designed to work with TOTP. TOTP is not without its faults though. It can be susceptible to attacks such as social engineering that target recovery codes (codes that do not change with time and are meant to recover an account in the event a user loses their phone).

Lastly, we have security keys (such as YubiKeys and Google’s Titan Security Key). These are the most secure of the options mentioned. They provide the best protection against phishing attacks, due to the exact domain name of the website being considered when the security key is registered (meaning even if you tried to log into the phishing site it would not allow you too). Security keys also prevent replay attacks, and due to them requiring the user to touch the key prior to use, force the user to be present to work. Unfortunately, nothing is entirely perfect. The downside of security keys is that they can be costly, and they are not always compatible with all devices, operating systems, websites, and browsers.

Figuring out which solution is best for you is a challenging proposition. Many organizations engage the assistance of a third-party cybersecurity consultant (such as Compass IT Compliance) when evaluating what controls to implement or strengthen. Compass IT Compliance is an industry leader in providing IT security, compliance, and risk management services to organizations of varying size and complexity. Our password policy templates, phishing assessments, security awareness training, and dark web monitoring services provide a holistic approach to swiftly strengthening an organization’s account security. Contact us today to learn more!