Should MFA mechanisms be mandatory?

Yes, but it is better that they are not based on SMS. Confidence in verifying a person’s identity through the use of passwords has been declining over time. As the weakness of the usual passwords became evident, there was a growing difficulty in remembering those credentials that were more complex and robust. Hence, multi-factor authentication (MFA) mechanisms have become a must-use procedure in many online environments.

The password alone is not enough

The security of users when they access their online accounts almost inevitably goes through the use of passwords. Much has been said about how complex these secret words should be to reduce the probability of being discovered in the face of a brute force attack. The inclusion of uppercase and lowercase letters, the use of special characters or even the length of not less than eight characters are common recommendations. In fact, of all the recommendations mentioned, it is the length that provides the most security: the more characters a password contains, the more difficult it will be to discover, although it will also be more difficult to remember it.

In this context, the usefulness of password managers becomes clear, in charge of acting as safes in which to store the access credentials (this time, sufficiently complex) of the environments and applications in which the user is registered. But, even so, they continue to be insufficient; after all, “a password protects other passwords”.

Strong authentication mechanisms: The use of strong authentication mechanisms inescapably rises up as a complementary and indispensable element for verifying a user’s identity. The adaptation of the financial sector to the PCI DSS 4.0 standard has served as a spearhead for the use of these mechanisms that make identity verification more robust, even more so when it comes to financial transactions. Actors as relevant as Google, Saleforce or even Github have begun to state that, sooner rather than later, they will protect their systems with MFA on a mandatory basis. At the moment, most systems already make use of services called OTP -One Time Password- that allow adding a second level of authentication (2FA) to the traditional pairs of username and password.

SMS as 2FA

One of these double authentication mechanisms consists of the use of SMS, that is, a code that is received on the mobile phone and that the user must enter in the system to access their online account. However, despite us, and although it seems robust, it is certainly an insecure procedure. So much so that both the North American NIST and the European ENISA do not recommend its use. SIM-swapping attacks (illicitly requesting a duplicate of the SIM of a mobile phone), hacking of the SS7 protocol, or even social engineering techniques based on the theft of access codes received in the terminal, are more common than we think.

Multi-factor authentication (MFA) mechanisms have become a must-use procedure in many online environments

Despite this, SMS are still widely used, from public environments, to e-commerce applications or even for access to bank accounts. The reasons are easy to explain: passwords are usually a burden for application managers, so the implementation of a second level, even if it is based on SMS, is a “sufficiently” effective solution; On the other hand, most users usually have a mobile phone and are at least capable of receiving SMS; Last but not least, they do not require anything else from the user, who should not install any application or request the activation of any double authentication mechanism since by default, it will be activated and associated with their mobile phone, or better said, to your SIM card.

The mobile as a means of authentication

Mobile terminals also serve as physical authentication tokens. In these cases, a software application installed on the terminal acts as an authentication tool, providing single-use tokens. This is what is known as “PUSH authentication applications”. Examples of this type of applications are found in Google Authenticator, Microsoft Authenticator, Cisco Duo, etc.

However, these applications also have their limitations: they need Internet access on the terminal, they can be compromised by malware downloaded to mobile phones or even, as has happened recently, they can be subjected to social engineering attacks known as “MFA Prompt”. Bombing” in which the attacker bombards his victim’s terminal requesting the approval of an authentication request that allows him to take control of his account.

FIDO, the path to authentication without passwords A few days ago, Apple, Google and Microsoft decided to give their own initiatives a new direction and try to make them converge within what is known as the FIDO Alliance. The three came together to promote the adoption of the FIDO2 standard whose objective is the use of a mechanism that does not require passwords for authentication in own and third-party services.

FIDO authentication is based on private key systems or biometric identification systems so that you can, for example, swipe a fingerprint or enter a PIN, and don’t have to remember a complex password. To do this, it uses public key cryptography (through WebAuthn and CTAP protocols) that allows users to identify themselves with biometric data, PINs or external FIDO authenticators, on a FIDO2 server belonging to a website or application. The credentials are unique for each environment and never leave the terminal in which they are installed. In this way they are not vulnerable to use in other environments.

And if it’s not FIDO, what?

However, FIDO still has some way to go. The FIDO2 standard is slowly but steadily gaining consistency. Perhaps in the next few years we may see the first signs of its wider adoption.

Meanwhile, we should think that the use of MFA systems cannot wait and that, either through physical tokens, through mobile phone applications or biometric systems, we should all use double authentication mechanisms that reduce our risks against potential theft of credentials or accounts commonly used in our daily lives.

One final note: note that we did not mention SMS-based systems. As bad as it weighs us, and following international recommendations, its use as an authentication mechanism should tend to disappear.

By Juanjo Galán, Business Strategy at All4Sec