2FA/MFA Revisited

Seven(!) years ago, I wrote a bit about security breaches and how two-factor authentication mitigates that risk. Today is as good a day as any to revisit the subject because of this:

The results of Elon Musk and friends turning off one of the microservices responsible for two-factor authentication for accessing your Twitter account.

In the years since I wrote that post, the availability of multi-factor authentication as an option for securing access to websites and other online systems has only grown. Face ID came out with the iPhone X and expanded to other parts of Apple’s hardware lineup, and YubiKeys have become far more prevalent in usage. The previous iteration of this blog didn’t have MFA protecting admin access, but the current one does. The websites that give me access to my brokerage account and various retirement accounts are now all protected by some form of MFA. The issue highlighted in the tweet above is specific to using SMS as the second factor for gaining access to your Twitter account. The service responsible for sending the code you type in to verify that you’re the legitimate account holder was turned off. So users who had text message as their only two-factor authentication option may not have been able to get back into their accounts as a result.

In my case, I wasn’t impacted because I’d actually turned Text message off as a second factor in favor of two other options: Authentication app and Security key. Authentication app options include Google Authenticator, Microsoft Authenticator, Authy, Symantec VIP, and many others. Once installed on your mobile phone, they all work in a similar way: they generate a seemingly random 6- to 8-digit code every 30 seconds. If you’ve set up an online account to require such a code for access, you must provide it (along with your username and password) before the 30 seconds expire to gain access. Security key eliminates the stand-alone app requirement in favor of plugging a physical key (like the Yubikey 5Ci which I use) into whatever laptop or mobile phone you’re using to access an account and touching it to generate a code that gives you access.

MFA options in descending order of difficulty for hackers to breach:

  1. Security key
  2. Authentication app
  3. SMS

To be clear: SMS as a second factor is much better than nothing. But if you don’t also secure the account you have with your cellphone provider with MFA and/or a PIN, a determined attacker could take over that account and redirect the SMS message to a device they control. An authentication app is much more secure, but as I discovered to my chagrin when researching this post, not impenetrable. The security key option is the only one of the three that requires physical access to you (and/or your stuff) in order to steal the thing necessary to get into your accounts. For that reason, I’ve been switching my online accounts to use the security key option wherever it’s available.

The advice from seven years ago to use a password manager still holds. 1Password remains my preferred option for this. They’ve added support for MFA to their product, which is an option worth considering for less-technical users who don’t want to use a stand-alone authentication app or a security key.

The most detailed piece on the potential consequences of not using MFA remains this Wired piece from a decade or so ago. What I’ve shared in the previous paragraphs is intended to help more people avoid that sort of outcome.

Security Breaches and Two-Factor Authentication

It seems the news has been rife with stories of security breaches lately.  As a past and present federal contractor, the OPM breach impacted me directly.  That and one other breach impacted my current client.  The lessons I took from these and earlier breaches were:

  1. Use a password manager
  2. Enable 2-factor authentication wherever it’s offered

To implement lesson 1, I use 1Password.  It runs on every platform I use (Mac OS X, iOS and Windows), and has browser plug-ins for the browsers I use most (Chrome, Safari, IE).  Using the passwords 1Password generates means I no longer commit the cardinal security sin of reusing passwords across multiple sites.  Another nice feature specific to 1Password is Watchtower.  If a site where you have a username and password is compromised, the software will indicate that site is vulnerable so you know to change your password.  1Password even has a feature to flag sites with the Heartbleed vulnerability.

The availability of two-factor authentication has been growing (somewhat unevenly, but any growth is good), but it wasn’t until I responded to a tweet from @felixsalmon asking about two-factor authentication that I discovered how loosely some people define two-factor authentication.  According to this New York Times interactive piece, most U.S. banks offer two-factor authentication.  That statement can only be true if “two-factor” is defined as “any item in addition to a password”.  By that loose standard, most banks do offer two-factor authentication because the majority of them will prompt you for an additional piece of “out of wallet” information if you attempt to log in from a device with an IP address they don’t recognize.  Such out-of-wallet information could be a parent’s middle name, your favorite food, the name of your first pet, or some other piece of information that only you know.  While it’s better than nothing, I don’t consider it true two-factor authentication because:

  1. Out-of-wallet information has to be stored
  2. The out-of-wallet information might be stored in plain-text
  3. Even if out-of-wallet information is stored hashed, hashed & salted, or encrypted with one bank, there’s no guarantee that’s true everywhere the information is stored (credit bureaus, health insurers, other financial institutions you have relationships with, etc.)

One of the things that seems clear after the Get Transcript breach at the IRS is that the thieves had access to the out-of-wallet information of their victims, either because they purchased the information, stole it, or found it on social media sites their victims used.

True two-factor authentication requires a time-limited, randomly-generated piece of additional information that must be provided along with a username and password to gain access to a system.  Authentication applications like the ones provided by Google or Authy provide a token (a 6-digit number) that is valid for 30-60 seconds.  Some systems provide this token via SMS so a specific application isn’t required.  By this measure, the number of banks and financial institutions that support it is quite a bit smaller.  One of the other responses to the @felixsalmon tweet was this helpful URL: https://twofactorauth.org/.  The list covers a lot of ground, including domain registrars and cryptocurrencies, but might not cover the specific companies and financial institutions you work with.  In my case, the only financial institution I currently work with that offers true two-factor authentication is my credit union, Tower Federal Credit Union.  Hopefully every financial institution and company that holds our personal information will follow suit soon.