Two-factor authentication can fail you, but you can make it more secure

Two-factor authentication (2FA) is a great way to strengthen the security of your accounts. But even with this extra layer of protection, attackers find ways in. Your two-factor or multi-factor authentication (MFA) can be weaker than it looks, and fortunately there is something you can do about it.
How multi-factor authentication works
MFA uses two or more checkpoints to confirm a user's identity before granting access to an account or system. This is more secure than relying on a single username-and-password combination, particularly given how easily many passwords can be cracked and how many have already turned up on the dark web. Passwords are often simple and reused, so once one password has been compromised, it can be used to get into many accounts. That is why it is so important to use strong, unique passwords for each of your accounts.
With MFA, a password is not enough. The user must then confirm the login with at least one additional piece of evidence, ideally one that only they have access to. It may be a knowledge factor (a PIN), a possession factor (a code from an authenticator) or an inherence factor (a fingerprint).
Note that although 2FA and MFA are often used interchangeably, they are not necessarily the same thing. 2FA uses two factors to verify a user's login, such as a password plus a security question or an SMS code. With 2FA, both factors can be something the user knows, like a password and a PIN.
MFA requires at least two factors, and they must be independent: a knowledge factor such as a password combined with a biometric identifier or a secure authenticator such as a security key or a one-time password. Generally, the more authentication factors, the more secure the account. But if all the factors live on the same device, security is at risk if that device is hacked, lost or stolen.
MFA can still be compromised
Although having MFA enabled on your accounts can make you feel safe, certain MFA methods can be compromised almost as easily as your usernames and passwords.
As Ars Technica reports, some knowledge and possession factors are themselves phishable. Attacks known in the community as adversary-in-the-middle (AitM) target authentication codes, such as those sent via SMS and email, as well as time-based one-time passwords from authenticator apps, allowing attackers to access your accounts using factors you have handed over without knowing it.
The attack works like this: the attackers send you a message saying that one of your accounts, Google for example, has been compromised, with a link to sign in and lock it down. The link looks real, as does the page you land on, but it is actually a phishing link pointing at a proxy server. The proxy forwards the credentials you enter to the real Google site, which triggers a legitimate MFA prompt (and if you have MFA set up on your account, there is no reason to think it is suspicious). But when you enter the authentication code on the phishing site or approve the push notification, the proxy relays it within its short validity window, and you have unwittingly handed the attacker a logged-in session on your account.
Adversary-in-the-middle attacks are even easier to carry out thanks to phishing-as-a-service toolkits sold on online forums.
How to maximize MFA security
To get the most out of MFA, consider moving from factors such as SMS codes and push notifications to a phishing-resistant authentication method. The best option is MFA based on WebAuthn credentials (biometrics or passkeys) stored on your device, or a physical security key such as a YubiKey. The browser binds each credential to the site's origin and includes the origin it is actually on in the data the authenticator signs, so authentication only works on the genuine URL and on or near the device, and a look-alike domain cannot obtain a valid response. That makes adversary-in-the-middle attacks almost impossible.
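As an added illustration (not code from the article or from any product it mentions), the following Python model plays out both scenarios described above: a phishing proxy relaying a victim's password and current TOTP code to a toy identity provider within the code's validity window, and the same proxy failing against a WebAuthn-style assertion, because the browser refuses a relying-party ID that does not match the page it is on and writes the page's real origin into the signed client data. The identity provider, the user, the origins, the password and the session tokens are invented; the TOTP secret is the RFC 4226/6238 test-vector key; and an HMAC stands in for the credential's asymmetric signature.

```python
"""Toy adversary-in-the-middle (AitM) phishing proxy against TOTP versus WebAuthn.

Constructed for illustration: identity provider, user, origins and keys are invented,
and an HMAC stands in for the authenticator's asymmetric signature.
"""
import hashlib
import hmac
import json
import secrets
import struct
from urllib.parse import urlparse

# --- Constructed sample data (not from the article) ---
REAL_ORIGIN = "https://accounts.example.com"
REAL_RP_ID = "example.com"
PHISH_ORIGIN = "https://accounts-example.com.login-verify.example"  # attacker-controlled look-alike
PASSWORD = "correct horse battery staple"
TOTP_SECRET = b"12345678901234567890"        # RFC 4226/6238 test-vector secret
CREDENTIAL_KEY = b"toy-webauthn-credential"  # HMAC key standing in for the credential's key pair


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the 30 s time counter with SHA-1 and dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class IdentityProvider:
    """The real site. Issues a session token only after password + second factor succeed."""

    def __init__(self):
        self.pending_challenges = {}

    def _password_ok(self, user, password):
        return user == "alice" and hmac.compare_digest(password, PASSWORD)

    def login_totp(self, user, password, code, unix_time):
        # A relayed code is still valid: nothing ties it to the page the victim typed it on.
        if self._password_ok(user, password) and hmac.compare_digest(code, totp(TOTP_SECRET, unix_time)):
            return secrets.token_hex(16)
        return None

    def webauthn_challenge(self, user):
        challenge = secrets.token_urlsafe(32)
        self.pending_challenges[user] = challenge
        return challenge

    def login_webauthn(self, user, password, assertion):
        if not self._password_ok(user, password):
            return None
        client_data = json.loads(assertion["clientDataJSON"])
        # Origin binding: the browser, not the page, wrote this origin.
        if client_data["origin"] != REAL_ORIGIN:
            return None
        if client_data["challenge"] != self.pending_challenges.pop(user, None):
            return None
        auth_data = assertion["authenticatorData"]
        if auth_data[:32] != hashlib.sha256(REAL_RP_ID.encode()).digest():
            return None  # assertion was made for a different relying-party ID
        signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
        expected = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None
        return secrets.token_hex(16)


def browser_get_assertion(page_origin, rp_id, challenge):
    """What the victim's browser and authenticator do for navigator.credentials.get()."""
    host = urlparse(page_origin).hostname
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("SecurityError: rpId is not a registrable suffix of the page origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"  # rpIdHash|flags|counter
    signature = hmac.new(CREDENTIAL_KEY, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def aitm_relay_totp(idp, unix_time):
    """Victim types password and the code shown in the app into the phishing page; proxy replays them."""
    code_shown_in_app = totp(TOTP_SECRET, unix_time)
    return idp.login_totp("alice", PASSWORD, code_shown_in_app, unix_time)


def aitm_relay_webauthn(idp):
    """Proxy fetches a real challenge, has the victim's browser sign it on the phishing page, relays it."""
    challenge = idp.webauthn_challenge("alice")
    try:
        assertion = browser_get_assertion(PHISH_ORIGIN, REAL_RP_ID, challenge)
    except PermissionError:
        # Browser refused rpId=example.com on the look-alike host; attacker retries with its own host.
        assertion = browser_get_assertion(PHISH_ORIGIN, urlparse(PHISH_ORIGIN).hostname, challenge)
    return idp.login_webauthn("alice", PASSWORD, assertion)


def legitimate_webauthn(idp):
    challenge = idp.webauthn_challenge("alice")
    return idp.login_webauthn("alice", PASSWORD, browser_get_assertion(REAL_ORIGIN, REAL_RP_ID, challenge))


if __name__ == "__main__":
    idp = IdentityProvider()
    print("TOTP relayed through proxy     ->", "attacker logged in" if aitm_relay_totp(idp, 1_700_000_000) else "rejected")
    print("WebAuthn relayed through proxy ->", "attacker logged in" if aitm_relay_webauthn(idp) else "rejected")
    print("WebAuthn on the real origin    ->", "logged in" if legitimate_webauthn(idp) else "rejected")
```

The TOTP path succeeds for the attacker because the code is just a number that is valid for anyone who presents it within the 30 second window. The WebAuthn path fails twice: the browser refuses to mint an assertion for example.com from the look-alike host, and even an assertion made for the attacker's own host is rejected by the server because the signed origin and the rpIdHash do not match the real site. A real relying party verifies an ECDSA or RSA signature with the credential's stored public key instead of the HMAC used here.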
Beyond changing your MFA method, you should also watch for the usual phishing red flags. Like many phishing schemes, MFA attacks prey on the user's emotions: anxiety about a compromised account and a sense of urgency to fix it. Never click links in messages from unknown senders, and do not react to supposed security problems without first verifying that they are genuine.




