Read any modern list of IT security “best practices,” and multi-factor authentication is likely to be featured. That makes sense: When configured properly, multi-factor authentication is an effective way to enhance security. Done the wrong way, however, and multi-factor authentication can do more harm than good. It can create a false sense of security for users and IT security admins alike. With that challenge in mind, keep reading for tips on doing multi-factor authentication right.
What is Multi-factor Authentication?
As many IT pros know, multi-factor authentication (often abbreviated as MFA) is an authentication technique that requires users to enter multiple “factors” to log into a system.
The first factor is typically a standard username and password combination. The second factor usually takes the form of a special token or code that is delivered to users through a separate communication channel.
You can have more than two factors, of course, but most multi-factor authentication schemes involve only two factors. (That’s why it’s common to hear folks talk about two-factor authentication, or 2FA.)
The theory behind MFA is sound: By requiring users to enter additional private information beyond a username and password in order to log in, MFA makes it harder for the bad guys to gain unauthorized access to a system. If you enable MFA, hackers will need to do more than just steal a database of passwords to access your systems.
But that doesn’t mean that enabling MFA is an ironclad guarantee against unauthorized access. On the contrary, there are several ways in which MFA can be, and often is, misused. Here are a few of the most important:
1. Putting Too Much Faith in MFA
The first common MFA mistake is simple: Admins and users place too much trust in it.
While MFA provides an extra layer of defense against unauthorized access, it’s not a silver bullet. Attackers can use various techniques to obtain the second (or third or fourth) factors required to log in.
For example, hackers could spoof a website that asks users to enter a username and password. That’s not hard to do; anyone with some basic HTML skills can make a site that looks just like the Gmail or Office365 login page. If hackers can trick users into entering usernames and passwords into the spoofed site, they can then initiate a login with the legitimate version of the site in order to prompt that site to generate a second factor and send it to the users. Then, the spoofed site would prompt users to enter the second factor that they received from the legitimate site. If the users do that, then the hackers have obtained all of the factors they need to log into the legitimate site using the compromised user’s account.
Sure, there are ways to mitigate the risk of this type of scenario playing out. You can try to detect and block connections to spoofed sites at your firewall, for instance.
But the bottom line is that it is impossible to guarantee that multi-factor authentication will always protect against unauthorized access. Like passwords, MFA should always be assumed to have the potential to fail.
2. Making MFA Optional
If you’re going to enable MFA for a given system, you might as well go all in. Avoid the mistake of letting users pick and choose whether to use it.
Sure, there could be some exceptions to this rule. For one thing, there are situations in which MFA truly is overkill.
But, generally speaking, it’s a bad idea to enable MFA for your users but make it optional. Doing so means that some users or accounts end up with a greater level of security than others, which makes threats harder to predict and assess at a collective level.
Making MFA optional also increases the likelihood that some users will gain a false sense of security from MFA. They might think that if they have chosen to use MFA, they are inherently safer than users who decide not to enable it, or that the bad guys will go after the non-MFA-protected accounts first. There is no guarantee that this is true.
The bottom line: If you set up MFA for your users, require them to use it, unless you or they have a truly good reason not to.
3. Using Only Two Factors
As noted above, most multi-factor authentication schemes have only two factors. But there is no law that says you have to stop with two factors. Consider having three, or even four. The more factors you require, the harder it becomes for the bad guys to gain unauthorized access.
Of course, more factors means more hassle for your end users. It’s important to weigh that friction against the extra protection when planning your rollout. But at the end of the day, a major data breach is typically a far bigger hassle for everyone than a multistage login process.
4. Relying on Text Messages for the Second Factor
One of the most common ways to send users the second factor in an MFA scheme is to dispatch a text message to their phones. It’s easy to see why admins do this. Almost everyone has a phone, and personal phones are usually more or less secure.
The risk of the text-message approach in MFA, however, is that text messaging is easy for attackers to abuse. Hackers can relatively easily impersonate a user and convince a mobile phone service provider to change a target’s phone number, giving the attackers access to the second factor sent by text message. Plus, given that many people can now access text messages not just on their mobile phones, but also through apps on their PCs or other devices, attackers have a variety of potential paths for gaining access to second factors sent via text message.
Instead of text messages, admins should consider using dedicated applications, such as Microsoft Authenticator, to send users a second factor.
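To show what a dedicated authenticator app does that a text message cannot, here is an added example (not code from the original article or from any vendor) of an RFC 6238 time-based one-time password generator and a server-side verifier that tolerates one step of clock drift and refuses to accept the same code twice. The base32 secret is a constructed demo value, and the `TotpVerifier` class name is an assumption for this illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret in base32, the form an authenticator app scans from a QR code.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def totp(secret_b32, counter, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server-side check: no SMS channel involved, the device derives the code itself."""

    def __init__(self, secret_b32, step=30, drift=1):
        self.secret = secret_b32
        self.step = step
        self.drift = drift            # how many 30-second steps of clock skew to tolerate
        self.last_counter = -1        # highest counter already consumed (replay guard)

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        current = int(now // self.step)
        for candidate in range(current - self.drift, current + self.drift + 1):
            if candidate <= self.last_counter:
                continue              # already used, or older than a used code: treat as replay
            # Constant-time comparison so a mismatch does not leak how many digits matched.
            if hmac.compare_digest(totp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(DEMO_SECRET_B32)
    current_code = totp(DEMO_SECRET_B32, int(time.time() // 30))
    print("first use accepted:", verifier.verify(current_code))
    print("replay accepted:", verifier.verify(current_code))
```

Note that this replay guard stops a code from being reused after the legitimate login; a code relayed in real time by the spoofed site described in section 1 would still verify, which is exactly why section 1 warns against treating any MFA scheme as a silver bullet.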
Multi-factor authentication is a powerful strategy for making systems more secure. But it’s not a panacea. Devising an MFA solution that actually delivers on its promise requires careful planning, and some outside-the-box thinking about which MFA tools and rules to use.