Multi Factor Authentication

The last post covered the importance of having a strong password. Your password can be a million characters long, but without an extra layer of protection you are still vulnerable.
This extra layer of protection is referred to as multi-factor authentication (MFA), meaning you need more than your password to log in. There are several forms of multi-factor authentication; we'll quickly discuss the different options and how secure each one is.
SMS
Many websites ask for your mobile number so they can send you an OTP (one-time passcode). While this option is better than not having any multi-factor authentication at all, it is still not particularly secure.
Hackers and fraudsters can intercept SMS messages through various techniques.
One of these techniques is an "SS7 hack". SS7 is short for Signalling System No. 7, the system that routes calls and messages between mobile phone networks. Anyone with access to this system can intercept SMS messages, listen to voice calls and track a target's movements.
Another common method is "SIM swapping" or "SIM jacking". Irrespective of the name used, the method is the same: a hacker or fraudster attempts to convince your mobile phone network operator to port your number over to a new SIM card in their possession. This is usually done through social engineering. Network operators are aware of this issue, but it is still very much a present threat.
I think we can all agree that this option is not particularly secure.
Authenticator App
Many well-known applications can provide OTPs. These include Microsoft Authenticator, Google Authenticator, Authy, and many more.
These apps are straightforward to set up and relatively secure. The usual process involves scanning a QR code and entering the code the app produces, which pairs the authenticator app with the account provider.
If the OTP secrets are stored only on the device, a threat actor would have to compromise the device itself to generate codes. If you are using a cloud-backed authenticator, the threat actor could potentially hijack that cloud account instead. Either way, this option is more secure than using SMS as 2FA.
I'm sure advanced authenticator attacks exist, I've mentioned these two as general concepts.
Hardware Key
The hardware key is by far the most secure option when it comes to 2FA / MFA. In short, if you don't have access to the key, you will not be able to access the account. This reduces the risk of compromise drastically, as an actor would need the physical key and your password to gain access. Unfortunately, this also means that if you lose the key, you will be locked out of your accounts, which is why it is recommended that you set up multiple keys and keep some as backups.
One of the more popular hardware keys on the market is from Yubico - they have a range of keys targeted at users of different platforms.
Note: While using a hardware key is the most secure option, many account providers will not allow you to use a hardware key as your only 2FA option. Most will insist that you also keep an authenticator app or SMS 2FA enabled. In this scenario, your security is only as good as the weaker of those methods: the authenticator app or SMS 2FA.


