One of the most effective ways an organisation can prevent an adversary from gaining access to a device or network, and to the sensitive information on it, is to implement multi-factor authentication. When implemented correctly, multi-factor authentication (MFA for short) makes it a lot more difficult for adversaries to steal legitimate credentials and use them to do further damage on a network.

This article provides guidance on and definitions of multi-factor authentication, the different types of multi-factor authentication and why some are more secure than others (note that the more secure the multi-factor authentication, the more effective it is). It also explains the difference between multi-factor authentication and multi-step authentication.

Multi-factor authentication ought to be implemented for:

  • remote access solutions
  • users performing privileged actions
  • users accessing important (sensitive or high availability) data repositories

Compared to single-factor authentication methods such as passwords or passphrases, multi-factor authentication provides a secure authentication mechanism that is not as susceptible to brute force attacks.

Why is multi-factor authentication important?

Firstly, when an adversary compromises a network, they will also attempt to steal legitimate user or administrative credentials. Legitimate credentials let them propagate through the network without additional exploits, so they can conduct their malicious activities while slipping through undetected.

Secondly, adversaries will also try to obtain credentials for remote access solutions, including Virtual Private Networks (VPNs). This has been especially true since COVID-19, with so many people working from home: VPN access further reduces the likelihood of the adversary being detected and is very effective at masking their malicious activities.

Correctly implemented multi-factor authentication makes it much more difficult for an adversary to steal a complete set of credentials, because the user must prove they physically possess a second factor: for instance a physical token, smartcard or software certificate, or a fingerprint or iris scan.

Most importantly, multi-factor authentication must be implemented correctly to minimise security vulnerabilities; we can’t stress this point enough. Implemented incorrectly, it can give a false sense of security when in truth the network is still exposed. For example, if MFA is used for remote access but not for corporate workstations, an adversary could then:

  1. compromise the username/passphrase from a device used for remote access and then use it to authenticate locally to a corporate workstation
  2. propagate within the network after compromising an initial workstation via spear phishing techniques.

In this scenario, multi-factor authentication for remote access is still significantly better than single-factor authentication, but it does not remove the need for suitable protection (hardening) on the devices themselves if the solution is to be deemed a comprehensive remote access solution.

What is multi-factor authentication?

Multi-factor authentication is described as ‘an electronic method of authentication which grants the user access once two or more authentication factors are authenticated’. In other words, the user is verified by more than one factor.

The authentication factors used to authenticate a single user in a multi-factor authentication request must come from two or more of the following:

  • something the user knows (e.g. a personal identification number (PIN), password or response to a challenge)
  • something the user has (e.g. a physical token, smartcard or software certificate)
  • something the user is (e.g. a fingerprint or iris scan).

In addition, the user/claimant being authenticated could be a person, device, service, application or any other security principal that can be authenticated within the system.

It’s common for multi-factor authentication to use passphrases and then one or more of the following multi-factor authentication methods:

  • Universal 2nd Factor (U2F) security keys
  • physical one-time PIN (OTP) tokens
  • biometrics
  • smartcards
  • mobile apps
  • Short Message Service (SMS) messages, emails or voice calls
  • software certificates.

If at any point an authentication method offers the user the chance to reduce the authentication factors to a single factor, it is no longer deemed multi-factor authentication. For example, suppose a public web resource offers ‘remember this computer’ and the user accepts. The user was initially authenticated using MFA, but subsequent authentications use a single factor (usually a passphrase): a token is set on their device, and as long as that token is accessible and valid it is the web browser rather than the user that is being authenticated, so only a single factor is in use. This nullifies the requirement for two or more authentication factors to authenticate a single claimant or user.

Multi-factor authentication versus multi-step authentication

Multi-factor authentication is often confused with multi-step authentication. Multi-step authentication is defined as accessing resources in sequence through multiple authentication verifiers: access is granted as each authentication is verified, steadily increasing access to more privileged areas of the system until the desired access is achieved. Each of these authentication verifiers may be single-factor or multi-factor in nature.

Although multi-step authentication can improve the security of a system, it is easier for an adversary to bypass than multi-factor authentication, because there is no single point in the verification chain that uses two or more authentication factors to authenticate a single claimant to a single authentication verifier. An adversary can therefore compromise the system systematically, gaining more privileged access as they go, without ever having to overcome a multi-factor authentication requirement. For this reason, multi-step authentication is not a suitable substitute for multi-factor authentication.

In the remote access scenario below:

  1. a computer has an Internet Protocol Security (IPsec) certificate that authenticates the computer to the VPN concentrator
  2. a user has a passphrase that authenticates them to the VPN concentrator and then a passphrase that authenticates them to the Active Directory (AD) domain.

This demonstrates multi-step authentication; no multi-factor authentication is implemented. The user and the computer are separate claimants when authenticating to the VPN concentrator, so the computer’s IPsec certificate and the user’s passphrase do not together form multi-factor authentication. The user also authenticates separately to the VPN concentrator and to the AD domain; this is not multi-factor authentication either, because these authentications take place at different authentication verifiers and do not use different types of authentication factors.

In this scenario an adversary may, at different points in time:

  • compromise the computer’s IPsec certificate
  • compromise the passphrase the user uses to authenticate to the VPN concentrator
  • compromise the user’s AD credentials

With this approach the adversary can continually increase their access over time, which of course increases the level of risk.

In the second remote access scenario below:

  1. the user is authenticated to the VPN concentrator using a passphrase and one-time PIN from a physical token
  2. all other authentication steps are the same as in the previous scenario.

The difference is that this scenario provides relatively secure remote authentication compared with the previous one, because the user authenticates to the VPN concentrator with a multi-factor authentication method. On entry into the remote access environment, multi-factor authentication takes place using the user’s passphrase and one-time PIN, and that verification gates access through to the corporate environment.
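The distinction the two scenarios draw (factors only count together when one claimant presents them to one verifier) is easy to get wrong when reviewing a chain of authentications. The following Go program is an added example, not code from the original article: it encodes both scenarios as lists of (claimant, verifier, factor) events and classifies them. The claimant and verifier names are placeholders, and the `NaiveMultiFactorVerifiers` function is included deliberately to show the mistake of grouping by verifier alone, which would wrongly credit the computer’s certificate plus the user’s passphrase as MFA.

```go
package main

import (
	"fmt"
	"sort"
)

// Factor is one of the three categories from the guidance.
type Factor string

const (
	Knows Factor = "knows" // e.g. passphrase, PIN
	Has   Factor = "has"   // e.g. certificate, physical token, smartcard
	Is    Factor = "is"    // e.g. fingerprint, iris scan
)

// Event is one credential presented by one claimant to one verifier.
type Event struct {
	Claimant string
	Verifier string
	Factor   Factor
	Detail   string
}

// key identifies a single authentication: one claimant to one verifier.
type key struct{ Claimant, Verifier string }

// Authentications groups events so that each group is one claimant proving
// itself to one verifier. Only factors within one group may be combined.
func Authentications(events []Event) map[key]map[Factor]bool {
	out := map[key]map[Factor]bool{}
	for _, e := range events {
		k := key{e.Claimant, e.Verifier}
		if out[k] == nil {
			out[k] = map[Factor]bool{}
		}
		out[k][e.Factor] = true
	}
	return out
}

// MultiFactorVerifiers lists the verifiers at which a single claimant
// presented two or more distinct factor categories (sorted for stable output).
func MultiFactorVerifiers(events []Event) []string {
	var vs []string
	for k, factors := range Authentications(events) {
		if len(factors) >= 2 {
			vs = append(vs, k.Verifier)
		}
	}
	sort.Strings(vs)
	return vs
}

// NaiveMultiFactorVerifiers groups by verifier alone, ignoring who presented
// each factor. This is the mistake the guidance warns about.
func NaiveMultiFactorVerifiers(events []Event) []string {
	byVerifier := map[string]map[Factor]bool{}
	for _, e := range events {
		if byVerifier[e.Verifier] == nil {
			byVerifier[e.Verifier] = map[Factor]bool{}
		}
		byVerifier[e.Verifier][e.Factor] = true
	}
	var vs []string
	for v, factors := range byVerifier {
		if len(factors) >= 2 {
			vs = append(vs, v)
		}
	}
	sort.Strings(vs)
	return vs
}

// Describe summarises a chain of authentications the way the guidance does.
func Describe(events []Event) string {
	mfa := MultiFactorVerifiers(events)
	switch {
	case len(mfa) > 0:
		return fmt.Sprintf("multi-factor authentication at %v", mfa)
	case len(Authentications(events)) > 1:
		return "multi-step authentication only (each step single-factor)"
	default:
		return "single-factor authentication"
	}
}

// Scenario1: IPsec certificate for the computer, passphrase for the user to
// the VPN concentrator, then a passphrase to the AD domain (placeholder names).
func Scenario1() []Event {
	return []Event{
		{"computer", "vpn-concentrator", Has, "IPsec certificate"},
		{"user", "vpn-concentrator", Knows, "passphrase"},
		{"user", "ad-domain", Knows, "passphrase"},
	}
}

// Scenario2 adds a one-time PIN from a physical token at the VPN step.
func Scenario2() []Event {
	return append([]Event{{"user", "vpn-concentrator", Has, "one-time PIN token"}}, Scenario1()...)
}

func main() {
	for i, sc := range [][]Event{Scenario1(), Scenario2()} {
		fmt.Printf("scenario %d: %s (naive grouping would claim MFA at %v)\n",
			i+1, Describe(sc), NaiveMultiFactorVerifiers(sc))
	}
}
```

Running it reports the first scenario as multi-step only and the second as multi-factor at the VPN concentrator, while the naive grouping claims MFA at the VPN concentrator in both cases.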

Are all multi-factor authentication methods equally effective?

Some methods of multi-factor authentication are more effective than others, but all of those mentioned here provide significant advantages over single-factor authentication. Multi-factor authentication is notably more effective when one of the authentication factors is physically separate from the device from which the user is accessing the system or resource: for instance, a physical token rather than a software certificate.

Most importantly, to boost the security of any multi-factor authentication method, the authentication service (where it is a dedicated authentication server) should be hardened and isolated from the rest of the network as much as possible.

At a minimum, this means:

  • implementing the Strategies to Mitigate Cyber Security Incidents
  • implementing appropriate network segmentation and segregation to limit the types of network traffic to and from the authentication service to only traffic required for its proper operation, with particular care paid to which devices and users on the network can access the authentication service directly
  • applying advice provided by vendors about any specific hardening requirements.

Multi-factor authentication methods

U2F security keys

Referred to as either a U2F security key or a U2F authenticator, this multi-factor authentication method uses a physical token or card as the second factor. First, the software on the user’s device prompts the user to either press a button on the U2F security key or tap it using Near Field Communication (NFC). The U2F security key then uses public key cryptography to verify the user’s identity: it signs a challenge-response request from the service, passed through to it via a web browser or mobile app. Finally, the service verifies that the response is signed by the valid and correct private key for that service, and either grants or denies access.
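The challenge-response exchange above, written out in Go as an added example (not code from the article and not the U2F protocol’s actual message format, which also carries a key handle, a user-presence byte and a counter): the authenticator keeps one key pair per service and signs a digest of the service’s app ID and challenge; the service issues random single-use challenges and verifies the signature under the public key it stored at registration. The app IDs are placeholders, and the `Login` helper exists only to run the full round trip.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator models the U2F security key: one key pair per registered
// service, and the private half never leaves the device.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // keyed by the service's app ID
}

// Register generates a key pair for a service and returns the public key,
// which the service stores against the user's account.
func (a *Authenticator) Register(appID string) (*ecdsa.PublicKey, error) {
	if a.keys == nil {
		a.keys = map[string]*ecdsa.PrivateKey{}
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[appID] = priv
	return &priv.PublicKey, nil
}

// signedData hashes the app ID in with the challenge, so a response is tied
// to the service that issued the challenge.
func signedData(appID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(appID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is what the button press or NFC tap triggers. A service that was never
// registered with this key gets no signature at all.
func (a *Authenticator) Sign(appID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[appID]
	if !ok {
		return nil, errors.New("no key registered for this service")
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(appID, challenge))
}

// Service is the relying party: it issues single-use challenges and checks
// responses against the public key stored at registration.
type Service struct {
	AppID       string
	pub         *ecdsa.PublicKey
	outstanding map[string]bool // challenges issued but not yet answered
}

func NewService(appID string, pub *ecdsa.PublicKey) *Service {
	return &Service{AppID: appID, pub: pub, outstanding: map[string]bool{}}
}

// Challenge issues 32 fresh random bytes and records them as outstanding.
func (s *Service) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.outstanding[hex.EncodeToString(c)] = true
	return c, nil
}

// Verify grants access only if the challenge was issued by this service and
// not yet answered, and the signature verifies under the registered key.
// The challenge is consumed on first use whether or not the signature is good.
func (s *Service) Verify(challenge, sig []byte) bool {
	k := hex.EncodeToString(challenge)
	if !s.outstanding[k] {
		return false
	}
	delete(s.outstanding, k)
	return ecdsa.VerifyASN1(s.pub, signedData(s.AppID, challenge), sig)
}

// Login runs one complete exchange and reports whether access was granted.
func Login(a *Authenticator, s *Service) (bool, error) {
	ch, err := s.Challenge()
	if err != nil {
		return false, err
	}
	sig, err := a.Sign(s.AppID, ch)
	if err != nil {
		return false, err
	}
	return s.Verify(ch, sig), nil
}

func main() {
	key := &Authenticator{}
	pub, _ := key.Register("https://example.test") // placeholder app ID
	svc := NewService("https://example.test", pub)
	fmt.Println(Login(key, svc)) // true <nil>
}
```

Two properties worth noting: a captured (challenge, signature) pair cannot be replayed because the service forgets each challenge once it has been answered, and a signature produced for one challenge does not verify for another.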

The following security measures should be implemented for maximum security and effectiveness when using this multi-factor authentication method:

  • ensure users do not store U2F security keys with their devices, especially those with NFC capabilities
  • ensure users receive a visual notification each time an authentication request is generated that requires them to authenticate using their U2F security key
  • use U2F security keys that have been certified to the latest U2F specification version
  • instruct users to report any lost or missing U2F security keys as soon as practical.

Physical one-time PIN tokens

This multi-factor authentication method uses a physical token that displays a time-limited one-time PIN on its screen as the second factor. Where the physical token is connected to the user’s device, the user may instead be required to press a button on it to submit the one-time PIN on their behalf. The physical token and the authentication service keep synchronised time, so the service knows which one-time PIN each physical token it services should be displaying at a particular moment. Finally, the authentication service verifies that the user’s passphrase and one-time PIN are correct, and either grants or denies access to the resource.

The following security measures should be implemented for maximum security and effectiveness when using this multi-factor authentication method:

  • harden the devices being used as much as possible, at a minimum by:
      • applying any specific hardening advice provided by vendors
      • implementing the Strategies to Mitigate Cyber Security Incidents, if applicable
  • ensure users are made aware that they must not store physical tokens with their devices
  • set the expiry time of the one-time PIN generated by physical tokens to the lowest value practical
  • instruct users to report any lost or missing physical tokens as soon as practical
  • ensure users know that they should never provide details (such as the serial number) of their physical token unless they are certain the request comes from their ICT support staff.

Biometrics

Biometrics use body measurements and calculations related to human characteristics, such as a fingerprint or iris scan, as the second factor.

First, the user enrols a scan of the appropriate biometric, such as a fingerprint. To authenticate, the user provides their passphrase along with their biometric data. The authentication service then verifies both factors, the passphrase and the biometric data against what was initially enrolled, and either grants or denies access.

There are, however, likely security vulnerabilities in using biometrics as a multi-factor authentication method, since biometric matching is probabilistic rather than deterministic and biometric characteristics are not secrets, especially if the biometric reader converts the biometric data into a hashed form. An adversary who compromises the user’s device and gains elevated privileges can use the services provided by the biometric capture software to intercept and replay legitimate authentication requests, or initiate fraudulent authentication requests on the user’s behalf – within the limitations of any anti-replay measures. In addition, biometrics rely heavily on the quality of the biometric readers and capture software for their effectiveness; the system needs to be able to grant and deny access appropriately.

The following security measures should be implemented for maximum security and effectiveness when using this multi-factor authentication method:

  • harden the devices being used as much as possible, at a minimum by:
      • applying any specific hardening advice provided by vendors
      • implementing the Strategies to Mitigate Cyber Security Incidents, if applicable
  • ensure users receive a visual notification each time an authentication request is generated that requires them to provide their biometric data
  • ensure an alternative authentication method, including supplementary security measures, is implemented for users who cannot successfully enrol using biometrics.

Smartcards

This method uses a private key stored on a smartcard as the second factor for multi-factor authentication.

First, the software on the user’s device prompts the user to enter a PIN or password to unlock the smartcard. Once the smartcard is unlocked, the software on the device verifies the user’s identity by signing an authentication request with the user’s private key. The authentication service then verifies that the request was signed by the correct private key, and access to the resource is either granted or denied.

As with biometrics, smartcards also have possible security vulnerabilities due to the software involved in interacting with the smartcard. If an adversary compromises a user’s device and gains elevated privileges, they can potentially intercept and replay legitimate authentication requests or initiate fraudulent authentication requests on the user’s behalf – within the limitations of any anti-replay measures.

The following security measures should be implemented for maximum security and effectiveness when using this multi-factor authentication method:

  • ensure users are aware that they must not store smartcards with their devices
  • ensure users receive a visual notification every time an authentication request is generated that requires them to unlock their smartcard
  • teach users not to leave their smartcard inserted into their device and unlocked
  • instruct users to report any lost or missing smartcards as soon as practical.

Mobile apps

Mobile apps are a multi-factor authentication method that uses a time-limited one-time PIN or password as the second factor. First, the user enrols by:

  • scanning a QR code
  • providing a phone number
  • providing an email address

A one-time PIN or password is then provided to them to register the mobile app.

To complete the authentication process, the user asks the mobile app for a one-time PIN or password at logon. Once the PIN or password is provided to the authentication service, it verifies the details and either grants or denies access.
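Both physical one-time PIN tokens and authenticator mobile apps typically derive their time-limited PIN the same way: token and service share a secret and a clock, and the PIN is a keyed hash of the current time step. The Go program below is an added example, not code from the article or from any vendor’s product; it implements the standard HOTP/TOTP construction (RFC 4226 and RFC 6238) and a verifier that shows the two properties the guidance cares about for this method: the step length is the PIN’s expiry time, and a correct PIN must not be accepted twice. The secret is the RFC 6238 test vector secret, used here only so the values are checkable, and the `Skew` setting is an assumption about how much clock drift a service chooses to tolerate.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// Step is the time-step length shared by the token and the service. It is also
// the PIN's lifetime, which the guidance says to keep as low as practical.
const Step = 30 * time.Second

// Digits is the length of the displayed PIN.
const Digits = 6

// HOTP is the RFC 4226 code: HMAC-SHA1 over the big-endian counter, then
// dynamic truncation to Digits decimal digits.
func HOTP(secret []byte, counter uint64) int {
	mac := hmac.New(sha1.New, secret)
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	mac.Write(buf[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < Digits; i++ {
		mod *= 10
	}
	return int(code % mod)
}

// counterAt turns a clock reading into the RFC 6238 time-step counter.
func counterAt(at time.Time) int64 {
	return at.Unix() / int64(Step/time.Second)
}

// TOTP is what the token's display or the mobile app shows at the given time.
func TOTP(secret []byte, at time.Time) int {
	return HOTP(secret, uint64(counterAt(at)))
}

// Verifier is the authentication service's record for one enrolled token.
type Verifier struct {
	Secret   []byte
	Skew     int   // neighbouring steps accepted to tolerate clock drift
	lastUsed int64 // highest step already consumed, so each PIN is single-use
}

// NewVerifier starts with no step consumed (-1 so step 0 is still usable).
func NewVerifier(secret []byte, skew int) *Verifier {
	return &Verifier{Secret: secret, Skew: skew, lastUsed: -1}
}

// Verify accepts the PIN if it matches the current step or one within Skew
// steps, and that step has not already been used. A PIN presented a second
// time, or after its step has passed, is rejected.
func (v *Verifier) Verify(pin int, at time.Time) bool {
	now := counterAt(at)
	for d := -int64(v.Skew); d <= int64(v.Skew); d++ {
		c := now + d
		if c <= v.lastUsed {
			continue // this step, or an older one, has already been consumed
		}
		if HOTP(v.Secret, uint64(c)) == pin {
			v.lastUsed = c
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, not a real enrolment
	at := time.Unix(1111111109, 0)
	pin := TOTP(secret, at)
	v := NewVerifier(secret, 1)
	first, replay := v.Verify(pin, at), v.Verify(pin, at)
	fmt.Printf("PIN %0*d: first use %v, replay %v\n", Digits, pin, first, replay)
}
```

Lowering `Step` shortens the window in which an intercepted or shoulder-surfed PIN is usable, which is what the “lowest value practical” advice in the bullet lists is about; widening `Skew` does the opposite, so it should stay small.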

This multi-factor authentication method has the advantage of using a second factor that the user already has and therefore minimises the cost to the system owner.

But there are also disadvantages, specifically:

  • use of the device for web browsing or reading emails may mean that the device running the mobile app is no longer secure
  • many devices are not secure, particularly when travelling overseas, and a device can be compromised by motivated and competent adversaries.

The following security measures should be implemented for maximum security and effectiveness when using this multi-factor authentication method:

  • harden the devices being used as much as possible, at a minimum by:
      • applying any specific hardening advice provided by vendors
      • implementing the Strategies to Mitigate Cyber Security Incidents, if applicable
  • set the expiry time of the one-time PIN or password generated via the mobile app to the lowest value practical
  • instruct users to report the theft or loss of a device running the mobile app as soon as practical, whether it is a personal or a company device.

SMS messages, emails or voice calls

This multi-factor authentication method uses a time-limited one-time PIN or password, delivered to a device via an SMS message, email or voice call, as the second factor. First, the user enrols by providing their phone number or an email address; a one-time PIN or password is then sent to that phone number or email address to complete registration. To authenticate, the user requests that the authentication service provide them with a one-time PIN or password, and the authentication service then verifies the details and either grants or denies access to the resource.

This multi-factor authentication method has the advantage of using a second factor that the user already has and therefore minimises the cost to the system owner.

But there are also disadvantages, specifically:

  • where the user is located, and the telecommunications network coverage there, may affect whether a one-time PIN or password can be received at all; there may be no service or coverage
  • use of the device for web browsing or reading emails may mean that an SMS message, email or voice call containing the one-time PIN or password is no longer secure, particularly when SMS messages are delivered via VoIP or internet messaging platforms
  • many devices are not secure, particularly when travelling overseas, so a device can be compromised by motivated and competent adversaries
  • an SMS message, email or voice call may be intercepted by motivated and competent adversaries, particularly when travelling overseas; note that telecommunications networks do not provide end-to-end security.

The following security measures should be implemented for maximum security and effectiveness when using this multi-factor authentication method:

  • harden the devices being used as much as possible, at a minimum by:
      • applying any specific hardening advice provided by vendors
      • implementing the Strategies to Mitigate Cyber Security Incidents, if applicable
  • set the expiry time of the one-time PIN or password provided via an SMS message, email or voice call to the lowest value practical
  • instruct users to report the theft or loss of their device, even if it is a personal device, as soon as practical.

Software certificates

This method uses a software certificate stored on a device as a second factor for multi-factor authentication.

The user’s software certificate is stored in a file, in the registry or in the Trusted Platform Module (TPM) of their device. When the user wishes to authenticate, the system accesses the user’s software certificate, and the software installed on their device verifies the user’s identity by signing an authentication request with the user’s private key. The authentication service then verifies that the authentication request is signed by the valid and correct private key, and either grants or denies access.

This multi-factor authentication method’s security vulnerability lies in its reliance on the software and the operating system installed on the user’s device. As with other MFA methods, an adversary can compromise the user’s device and then use the services provided by the software to intercept and replay legitimate authentication requests, or initiate fraudulent authentication requests on the user’s behalf – within the limitations of any anti-replay measures – with a low likelihood of detection; by compromising the user’s device, the adversary gains access to both authentication factors. There is a further risk if the adversary gains elevated privileges, because the user’s keys and certificates can then be stolen from the device and used from the adversary’s own devices or infrastructure, enabling prolonged and difficult to detect remote access to the network. For these reasons, software certificates are recommended for organisations only for low-risk transactions or systems.

The following security measures should be implemented for maximum security and effectiveness when using this multi-factor authentication method:

  • harden the devices being used as much as possible, at a minimum by:
      • applying any specific hardening advice provided by vendors
      • implementing the Strategies to Mitigate Cyber Security Incidents, if applicable
  • ensure users receive a visual notification each time an authentication request is generated that requires them to enter their PIN or password to access their software certificate
  • store the software certificate in the device’s TPM (if present), otherwise in the device’s certificate store rather than in a regular file on the device’s local storage
  • instruct users to report the theft or loss of their device, even if it is a personal device, as soon as practical.

In short, to stop an adversary in their tracks, implement multi-factor authentication correctly and save yourself and your business.
