There Are Major Multifactor Authentication Benefits, but It’s No Silver Bullet
Posted on April 20, 2023 by Jason Franks
It’s scary out there. Cyberattackers get better at what they do, and come up with new ways of creating havoc, seemingly by the hour. When I think about this, my mind immediately draws a parallel between cybersecurity professionals and automobile mechanics. There’s a lot that can go wrong with an automobile, and it’s in the best interest of mechanics to have a very robust toolbox. Prevention also is vitally important, e.g., performing oil changes and transmission flushes at the prescribed intervals. It works much the same way when trying to protect networks, systems, and devices from cyberattacks.
Multifactor Authentication as a Vital Tool in Cybersecurity Toolbox
One of the most important tools in the cybersecurity toolbox is multifactor authentication (MFA). In fact, its importance cannot be overstated. Generally, multifactor authentication starts with a password or passphrase — the more complex, the better. Passwords and passphrases should be at least 12 characters long and contain a combination of uppercase and lowercase letters, symbols, and numerals. Of course, the more complex the password, the more difficult it becomes to remember it, which is why passphrases are becoming more popular.
The second phase involves one of these elements:
- Something you are — an example would be biometrics, e.g., a retinal or fingerprint scan
- Something you know — an example would be a challenge question, e.g., the hospital where you were born or the make and model of your first car
- Something you have — an example would be a token that changes an authentication code every few seconds
The Limitations of Multifactor Authentication in Cybersecurity
However, while vital, multifactor authentication isn’t a silver bullet. Passwords often become compromised for all sorts of reasons. (This is why using the same password across multiple networks, systems, and devices is a bad idea.) Sometimes a cyberattacker will execute a “man-in-the-middle” tactic whereby they spoof a landing page that looks exactly like the real thing. When a user attempts to log on to the website, the cyberattacker captures the username, password, and even the challenge question. Human nature being what it is, the cyberattacker knows that it is very likely that the same authentication is being used for other networks, systems, and devices that the user is accessing.
Understanding the Sophisticated Cyberattack Method of SIM Swap Fraud
Another popular attack vector is “subscriber identity module (SIM) swap fraud.” A cyberattacker will capture personal information about a victim, often through phishing exercises, including the victim’s mobile telephone number. Then they will contact the victim’s mobile service provider and convince them, using social-engineering tactics, to port the victim’s phone number to the cyberattacker’s SIM. Once this occurs, the cyberattacker will receive all texts and voice calls intended for the victim’s phone, which often provide the codes the bad actor needs to circumvent the second level of multifactor authentication.
As I wrote above, it’s scary out there and getting scarier by the day, even by the hour. That’s why employing a multilayered approach to cybersecurity is so important. No individual strategy or tactic is a panacea, but when several are combined, an organization’s cybersecurity posture improves dramatically. Think of it this way: you can put a chain on your front door. Better would be a doorknob lock. Better still would be a deadbolt lock. The best would be installing all three, along with a video doorbell. The idea of this multilayered approach is to convince a would-be burglar to skip your house. The same thinking applies to cyberattackers. Network monitoring, firewalls, penetration testing, stringent password policies, vulnerability scans, multifactor authentication, and more are needed to thwart today’s cyberattackers, who are highly intelligent, persistent, and motivated.
MCP has a robust cybersecurity practice, and we would welcome the opportunity to help you develop a realistic and effective cybersecurity strategy for your organization — please reach out.
Jason Franks is an MCP cybersecurity analyst. Email him at JasonFranks@MissionCriticalPartners.com.