2FA/MFA Revisited

Seven(!) years ago, I wrote a bit about security breaches and how two-factor authentication mitigates that risk. Today is as good a day as any to revisit the subject because of this:

The results of Elon Musk and friends turning off one of the microservices responsible for two-factor authentication for accessing your Twitter account.

In the years since I wrote that post, the availability of multi-factor authentication as an option for securing access to websites and other online systems has only grown. Face ID came out with the iPhone X and expanded to other parts of Apple’s hardware lineup, and YubiKeys have become far more prevalent. The previous iteration of this blog didn’t have MFA protecting admin access, but the current one does. The websites that give me access to my brokerage account and various retirement accounts are now all protected by some form of MFA. The issue highlighted in the tweet above is specific to using SMS as the second factor for gaining access to your Twitter account. The service responsible for sending the code you type in to verify that you’re the legitimate account holder was turned off, so users who only had Text message as their Two-factor authentication option may not have been able to get back into their accounts.

In my case, I wasn’t impacted because I’d actually turned Text message off as a second factor in favor of two other options: Authentication app, and Security key. Authentication app options include Google Authenticator, Microsoft Authenticator, Authy, Symantec VIP, and many others. Once installed on your mobile phone, they all work in a similar way: they generate a new 6-8 digit code every 30 seconds. If you’ve set up an online account to require such a code for access, you must provide it (along with your username and password) before the 30 seconds expire to gain access. Security key eliminates the stand-alone app requirement in favor of plugging a physical key (like the YubiKey 5Ci which I use) into whatever laptop or mobile phone you’re using to access an account and touching it to generate a code that gives you access.

MFA options in descending order of difficulty for hackers to breach:

  1. Security key
  2. Authentication app
  3. SMS

To be clear: SMS as a second factor is much better than nothing. But if you don’t also secure the account you have with your cellphone provider with MFA and/or a PIN, a determined attacker could take over that account and redirect the SMS messages to a device they control. An authentication app is much more secure, but as I discovered to my chagrin when researching this post, not impenetrable. The security key option is the only one of the three that requires physical access to you (and/or your stuff) in order to steal the thing necessary to get access to your accounts. For that reason, I’ve been switching my online accounts to use the security key option wherever it’s available.

The advice from seven years ago to use a password manager still holds. 1Password remains my preferred option for this. They’ve added support for MFA to their product, which is an option worth considering for less-technical users who don’t want to use a stand-alone authentication app or a security key.

The most detailed piece on the potential consequences of not using MFA remains this Wired piece from a decade or so ago. What I’ve shared in the previous paragraphs is intended to help more people avoid that sort of outcome.