Russ Harvey Consulting - Computer and Internet Services

Multifactor Authentication

MFA, 2FA & biometrics

Cell Phones | Authenticator Apps | YubiKey | Biometrics
MFA Issues | Going Passwordless

Multifactor authentication using fingerprint recognition on a cell phone.

Multifactor authentication (MFA) has replaced the term two-factor authentication (2FA). This implies the ability to have more than two authentication methods.

The authentication device is preferably something that is always with you and is inaccessible to potential hackers.

[T]here are three generally recognized factors for authentication: something you know (such as a password), something you have (such as a hardware token or cell phone), and something you are (such as your fingerprint).

 

Biometric scanners for fingerprints and retinas or faces are on the upswing thanks to innovations such as Apple's Face ID and Windows Hello.

 

But in most cases, the extra authentication is simply a numeric string, a few digits sent to your phone, as a code that can only be used once.
PCMag

In most cases, once you're set up MFA, you cannot return to password-only authentication. Recovery methods vary by vendor.

Remember this as you panic over how hard this all sounds: Being secure isn't easy.

 

The bad guys count on you being lax.

 

Implementing MFA will mean it takes a little longer to log in each time on a new device, but it's worth it in the long run to avoid serious theft, be it of your identity, data, or money.
PCMag

There are several multifactor options for devices to protect your password.

One of the earliest was confirmation via email which is still the method used to verify questionable actions like the change in a password or access from an unknown location.

These MFA options are discussed in more detail:

Return to top

Cell Phones

A cell phone is something that most people have and it is usually with them at all times.

Most commonly, SMS is used for verification, but the mobile number may also be a backup security method.

SIM Card Hijacking

Unfortunately, it appears that it isn't that hard to hijack your cellphone's SIM card.

They may only require the last 4 digits of the credit card that pays for your account to gain access to the very multifactor authentication that is supposed to protect you.

Hackers have discovered that one of the most central elements of online security — the mobile phone number — is also one of the easiest to steal.
NY Times

If the Phone is Unavailable

Even in this age of ubiquitous cell phone ownership, some folks just don't have one or cannot afford the bandwidth.

The other problem is the loss of your phone or it becoming unavailable to you for other reasons such as being out of a coverage area or on holiday.

Return to top

Authenticator Apps

Given the potential vulnerability of cell phones, a better solution might be authenticator apps.

Google provides the Google Authenticator for both Android and iOS. Microsoft Authenticator app can also be used on non-Microsoft accounts.

Return to top

YubiKey Verification

This section explains the advantages of YubiKey, but there are other alternatives. Your choice should be made based upon what works best for you yet is secure enough for your circumstances.

About YubiKey

Yubico was founded to set new global authentication standards, enabling one single security key to access computers, phones, networks and online services—all in a simple touch.

 

We named our invention the YubiKey — your ubiquitous key.
YubiKey

The YubiKey is a hardware authentication device, designed to provide an easy to use and secure compliment to the traditional user name and password.

The YubiKey is a small USB and NFC device supporting multiple authentication and cryptographic protocols.

Password Invalid Without Device

Like the cellphone, a USB device like this can be used as another level of security. Unless the person attempting to use the password has the device, the password will not be accepted.

A premium edition of your password manager software may be necessary when combined with a YubiKey.

How YubiKey Connects

YubiKey is dependent upon a USB-A or USB-C port or a NFC connection plus the software to make it work.

YubiKey can be used with USB-C adapters but not all adapters worked well, including the Apple USB-C Multi-adapter.

The YubiKey is not a biometric device. The fingertip is used to activate the device, not for authentication.

Mobile Devices

Since most mobile devices lack USB ports, YubiKey provide a NFC option.

YubiKey supports strong authentication for iOS and Android smartphones and tablets.

YubiKey mobile support for iOS and Android devices.

NFC usage on iPhones is only supported on the iPhone 7 and newer, running iOS 11.3.1 and newer.

Many environments restrict mobile device use altogether making most MFA methods unusable. See how you can ensure strong security with ease, all without a cellular connection.
YubiKey

See YubiKey solutions for the latest updates.

Return to top

Biometric Verification

Biometric verification is an attractive alternative because it is difficult to duplicate and the technology is attainable.

Ensure Data Verified Securely

Apple introduced fingerprint scanning with their iPhone 5S. As Apple quickly learned, the issue is privacy and personal security.

You don't want to be sending your biometric data to every site you log onto.

Microsoft provided biometric verification in Windows 10 with Windows Hello, provided you have the supporting hardware.

Intel True Key allows you to sign in with your face or fingerprint (on supporting hardware) and provides optional multifactor authentication.

Vendors, through the Fido Alliance, are working on a standardized authentication protocol to verify your identity using a private key so that your biometric scan never leaves the device.

It is anticipated that this technology could eventually replace the tricky and risky use of passwords altogether.

It Can Be Used Against You

While convenient, you might find that biometric authentication such as your finger to open your device or personal accounts without your express permission.

Even the best technology makes mistakes, EFF's Hayley Tsukayama said. If the software confuses someone's identity, it will be important that workers have the right to appeal. The stakes are particularly high with biometric data, she says.

 

"No one can issue me new fingerprints. No one can issue me a new face. And so if that information is hacked, for example, and in a format where other people can use it, that's the whole game."
The Wall Street Journal

Choose carefully what items are verified by biometric data under certain circumstances such as when crossing borders.

Return to top

Issues with MFA

Unfortunately, MFA has begun to suffer from weaknesses and is being exploited by cybercriminals.

Business Email Compromise

Larger businesses are being subjected to an advanced phishing attack called business email compromise where emails are spoofed that request unauthorized payments.

SIM Card Fraud

SIM card fraud is where someone other than yourself convinces the cell carrier to transfer your cell number to a new SIM card.

Your phone will no longer work and the new owner will have access to all your MFA requiring access to your phone.

Going Passwordless

Another variation that isn't really a two-factor solution but which uses a similar process is discussed in how to kill the password: don't ask for one.

Instead of entering a password, you enter an email address or phone number and the temporary password lands in your Inbox or on your cell phone.

No permanent password exists.

Of course, if your email account's password is insecure (or can be hacked using weak password-recovery options) this provides no security at all.

The best option for now is an authentication app which does the same thing, but more securely.

Return to top

Related Resources

On this site:

Found this resource useful?
Buy Me A Coffee

 

Return to top
RussHarvey.bc.ca/resources/mfa.html
Updated: March 5, 2024