Multi-Factor Authentication – which method should you choose?
Just today I had a partner get in touch with me to say they had received 15 Microsoft Authentication Verification text messages in less than an hour, clearly showing that their account was in the process of being compromised. And it got me thinking about the variety of different MFA options out there: which is the most secure?
Multi-factor authentication is essential. In the case of this partner, it is likely that their account would already have been compromised had they not enabled MFA. You can no longer rely on passwords alone to secure your data. Regardless of composition and length, a password can be compromised in numerous ways, e.g. credential stuffing, phishing and keystroke logging. In each of these cases the attacker is either handed the password or intercepts it, so even a very complex pA$sw0R2 is not going to protect you.
There are generally three recognised authentication factors:
- Something You Know, e.g. passwords, PINs and combinations: anything you can remember and recall when needed.
- Something You Have, e.g. keys, smartphones and smart cards: physical objects in your possession.
- Something You Are, e.g. fingerprints, facial recognition, retina scans and voice verification: biometric characteristics that can be offered for verification.
When you combine two or more of these different factors you create Multi-Factor Authentication. Two instances of the same factor, such as a password plus a PIN, do not count: an attacker who can capture one can usually capture the other the same way.
But how do you choose?
Microsoft's own figures show that users who enable MFA on their accounts block 99.9% of automated attacks, and that includes SMS and voice. The problem with those two options is that they ride on the public switched telephone network (PSTN), an architecture that predates modern security requirements and is shared by telephony providers around the world. SMS messages and voice calls are transmitted in cleartext and can be intercepted by attackers (SIM swapping and SS7 abuse are the usual routes), and even a one-time SMS code is phishable with readily available tools: the code is a bearer secret that works wherever it is typed, so a real-time phishing page simply relays it to the genuine site within its validity window.
According to Alex Weinert, Director of Identity Security at Microsoft, SMS and call-based MFA are the 'least secure of the MFA methods available today', and the gap between SMS and voice-based MFA and purpose-built authenticators 'will only widen' in the future.
The Microsoft Authenticator app is a better option for protecting your accounts. It uses an encrypted channel, allows bi-directional communication on authentication status, and Microsoft are continuously updating it to provide more context and control to keep users safe (number matching, for instance, stops a user from approving a prompt they did not initiate, which is the attack the 15 messages above were attempting). However, Weinert says that if you are serious about security you should start building out a long-term authenticator strategy around passwordless, hardware-backed authenticators such as Windows Hello and FIDO2 security keys. These bind each login to the site's origin, so a phishing page cannot relay the response to the genuine site.
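The difference between a relayable one-time code and an origin-bound FIDO assertion is easiest to see in code. The following is an added example, not code from the original post or from Microsoft: it generates RFC 6238 TOTP codes (an SMS code has the same bearer property, it is just delivered differently) and simulates an attacker relaying the victim's code to the real server, then does the same for a simplified WebAuthn-style assertion in which the browser records the origin the user is actually on. The origins, challenge value and device secret are constructed for the demo, and an HMAC over a shared per-device secret stands in for the real asymmetric signature; the point being demonstrated is what gets signed, not the signature scheme.

```python
"""Constructed simulation: why an OTP relays through a phishing page and an
origin-bound FIDO assertion does not. Not Microsoft code."""
import hashlib
import hmac
import json
import struct

# ---- One-time codes: RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits) ----
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"

def server_verify_code(secret: bytes, submitted: str, unix_time: int) -> bool:
    return hmac.compare_digest(totp(secret, unix_time), submitted)

def phish_relay_otp(secret: bytes, unix_time: int) -> bool:
    # The victim types the code into the attacker's page; the attacker forwards
    # it to the real server inside the same 30 s window. The code carries no
    # information about where it was typed, so the server accepts it.
    victim_typed = totp(secret, unix_time)
    return server_verify_code(secret, victim_typed, unix_time)

# ---- Origin-bound assertion (WebAuthn-style, deliberately simplified) ----
# Assumption for the demo: DEVICE_KEY is shared by authenticator and relying
# party and HMAC-SHA256 stands in for a private-key signature verified with the
# registered public key. Real FIDO2 uses asymmetric keys; the origin binding
# works the same way.
RP_ORIGIN = "https://login.example.com"        # constructed
PHISH_ORIGIN = "https://login-example.com.evil"  # constructed
DEVICE_KEY = b"demo-device-secret"               # constructed

def authenticator_sign(device_key: bytes, challenge: str, origin: str):
    # The browser, not the web page, fills in the origin the user is on.
    client_data = json.dumps({"challenge": challenge, "origin": origin},
                             sort_keys=True).encode()
    sig = hmac.new(device_key, client_data, hashlib.sha256).hexdigest()
    return client_data, sig

def rp_verify(device_key: bytes, rp_origin: str, issued_challenge: str,
              client_data: bytes, sig: str) -> bool:
    data = json.loads(client_data)
    if data.get("origin") != rp_origin:          # signed for some other site
        return False
    if data.get("challenge") != issued_challenge:  # replayed or stale
        return False
    expected = hmac.new(device_key, client_data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)

def legit_fido_login(challenge: str = "c0ffee-challenge") -> bool:
    client_data, sig = authenticator_sign(DEVICE_KEY, challenge, RP_ORIGIN)
    return rp_verify(DEVICE_KEY, RP_ORIGIN, challenge, client_data, sig)

def phish_relay_fido(challenge: str = "c0ffee-challenge") -> bool:
    # Attacker fetches the RP's challenge and relays it to the victim, but the
    # victim's browser signs it for PHISH_ORIGIN, so the RP rejects it.
    client_data, sig = authenticator_sign(DEVICE_KEY, challenge, PHISH_ORIGIN)
    return rp_verify(DEVICE_KEY, RP_ORIGIN, challenge, client_data, sig)

if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test secret
    print("OTP relayed through phishing page accepted:", phish_relay_otp(secret, 59))
    print("FIDO assertion from genuine site accepted: ", legit_fido_login())
    print("FIDO assertion relayed from phishing page:  ", phish_relay_fido())
```

Note that the RP never has to detect the phishing page: the browser's origin check does the work, which is why Weinert's advice is to move to this class of authenticator rather than to add more context to codes that are still bearer secrets.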
That said, the numbers show that the compromise rate for accounts with MFA enabled, in any form, is below 0.01%, so the best form of security is the one you will actually use, and MFA needs to be that. Turn it on today, and plan the move to a phishing-resistant method for the accounts that matter most.