New Year, New Cyber-Security Approach?
8th January 2021
Multi-Factor Authentication (MFA) is an effective and well-known security best practice which both businesses and individuals should already be utilising. This essentially refers to a method of security in which a device requires more than one form of verification before granting access – rather than relying on an easily compromised static password. In fact, based on Microsoft research, enabling MFA on your device results in your account being 99.9% less likely to be breached.
However, for those that have recently taken the first step and switched on MFA, it’s worth noting the recent warning from Alex Weinert, Microsoft’s Director of Identity Security. His recent announcement has urged users to avoid phone-based MFA solutions, stating that “SMS and call-based MFA are the least secure of the MFA methods available today”, for a variety of reasons:
Examples of telephone-based MFA solutions include one-time passcodes (OTP) sent by SMS or received via voice calls. Whilst this added layer of security is preferable to nothing, it is the insecure and unprotected telephone networks that are the problem, not the MFA solution.
Due to practicality, SMS and voice protocols cannot be encrypted, essentially because it would prevent users from being able to read them. Hackers are therefore easily able to intercept these messages, using techniques such as installing a software-defined radio or utilising an SS7 intercept service to spy on phone traffic.
Hackers often target employees at phone networks, manipulating them into call forwarding or SIM swapping – essentially resulting in the hacker receiving the OTP or calls on behalf of the user.
Downtime is not unusual for phone networks, due to the changing regulations and general unreliability. This affects the overall performance of MFA solutions, as users may not be able to access the messages when needed.
Essentially, SMS and voice-based MFA solutions appear dated and unreliable when compared to the rising sophistication of cyber crime in today’s digital landscape. The widespread adoption of MFA mechanisms has prompted attackers to evolve and thus attempts to breach MFA authentications are becoming more common – with phone-based solutions having the highest likelihood for success.
However, it’s not all doom and gloom…
A good starting point, for a reliable MFA solution, is Microsoft’s Authenticator MFA app – it’s free to download on your mobile device and provides a dependable level of security on top of your password.
In addition, the Authenticator uses encrypted communication alongside other security measures, such as hidden notifications, an app lock, and sign-in history. Some highlights from Microsoft’s Authenticator include:
Using the Authenticator app, users can sign in to their personal accounts using biometrics such as facial recognition or a fingerprint instead of a static password.
You can set your device to still require a password in addition to your fingerprint, PIN or facial recognition in order to add further security.
The Authenticator app still supports time-based, one-time passwords, allowing you to add and safeguard additional accounts to the app.
Ultimately, a phone-based MFA is better than no MFA at all – whichever method you opt to have, it is essential to use at least one MFA solution – after all, accounts using this have a compromise rate of less than 0.1% across the population.
However, in utilising an app-based authenticator, rather than a phone-based solution, you benefit from additional layers of security, whilst alleviating the risks associated with phone networks and providers.