2FA
What is 2FA/MFA?
Two-factor authentication, commonly abbreviated 2FA and also known as multi-factor authentication (MFA), is a security mechanism designed to reinforce a user's login credentials.
Why the Need for 2FA/MFA?
In most login scenarios, a user provides something that ideally only they would know: a username and a password. The problem is that one of these elements can usually be found easily. Many websites use email addresses as usernames, which means you could just look at your own email address book to get an idea of the usernames your friends, family, and colleagues might use. The other element is the password. This should be secret and unguessable by anyone or anything.
Think about how many sites you use. You probably use more than 10 websites. If someone guessed your password and knew your username, they could get into all 10 websites. Best practice dictates using unique and complicated passwords for all 10 websites. That's not easy to remember, so many people use weak passwords, coming up with not-so-clever schemes such as <mysecretpassword>+websitename+<year> or other poorly designed passwords. With the number of password breaches increasing yearly, the chance of your password being compromised approaches 100%.
Not only can these passwords be found via breaches, but password-cracking machines can also perform thousands to millions of guesses per second, and their capabilities are only improving.
Aside from using a strong random password and a password manager, 2FA (multi-factor authentication) brings in a new dimension: something you have or something you are. One type of MFA is an authenticator app such as Google Authenticator. A secret key is stored on your device, which allows it to generate time-bound codes that you enter into a website or app after entering your username and password. This forces hackers to need not just your username and password, but also your multi-factor code, which is not as easy to obtain and which expires in a relatively short period of time.
Is Multi-Factor Authentication Perfect?
Simple answer: no. There are known weaknesses in multi-factor authentication delivered over SMS. Another attack uses a man-in-the-middle site to steal multi-factor codes by tricking users into submitting them to a fake login page.
Should I use MFA with these weaknesses?
Yes. Even though there are inherent weaknesses, MFA does improve the security posture of your accounts and makes it much more difficult for attackers to get into them with stolen or discovered passwords. Don't expect this to be perfect security, and follow best practices:
- Use unique, randomly generated passwords with the maximum character set available for the app/site you use (upper/lower-case letters, numbers, and symbols)
- Use a password manager, and enable MFA on it to protect your master password
  - It's very important to select a very strong password for this account, as a breach here means you lose all your passwords
- Enable MFA wherever possible
- Strongly secure your email account
  - As your email account is often the central repository for account information, it is imperative to keep it secure. Password resets, unusual-login notices, and other activity will appear here
- Don't share accounts
  - We're all guilty of breaking this and there will be exceptions, but you are only as secure as the weakest link in the chain. You can't control the security posture of your friends/family