In our discussions of securing our information, we have discussed that there are multiple ways to authenticate a user. There are actually three main ways to authenticate someone:
- Things in your possession, such as a badge or smartphone
- Things you know, such as a password or PIN
- Things you are (inherence), such as fingerprints, facial or voice recognition
- Where you are. Some forms of MFA use your location. If your IP address isn’t correct, the system will reject you.
- What you are doing. This is called Risk based authentication. The system looks at a host of attributes about the login attempt (time of day, IP address, device identification, etc.) and assigns a risk score. If the score is too high, the login attempt is denied unless it can be authenticated using one of the other methods above. A day shift employee logging in from Starbucks at 2am on a Sunday and attempting to access files he normally wouldn’t would trigger an MFA request from the system.
Multifactor authentication is simply a method of using more than one of the above methods to secure your stuff. In order to gain access to your information, a black hat would need to possess or have knowledge of more than one of them. A couple of examples:
At the hospital, to gain access to patient medical records, I need to know my password and swipe my identification badge and the RFID tag inside of it. A thief would have to get an authorized employee’s password and my ID badge in order to gain access to medical records. Even then, only the patients who are assigned to me (or my department) are visible to me, and even then only if I am on an IP that belongs to my hospital or a partner organization.
What many companies do: you need the password, and the company sends a text to your cell phone containing a 6 digit PIN that expires relatively quickly, say 2 minutes or so. This is to verify that the person logging in not only knows the password, but is in possession of the legitimate user’s cell phone.
There are weaknesses to all of the above methods. The employee’s badge RFID code be read or intercepted and spoofed, and since it doesn’t change unless a new badge is issued, is not as secure as we would like.
The problem is that SMS isn’t a secure way to perform MFA.
This is because SMS messages rely on the security of phone networks and phone companies. Both, sadly, are notoriously easy to access. While some text messages are encrypted user-to-user – think iMessages between iPhones or WhatsApp messages – SMS messages are in plain text form. Plain text messages are not encrypted between sender and receiver, so if attackers can intercept the message, they can read the content. Unfortunately, SMS messages are easy to intercept. Even Microsoft is advising people to stop using SMS as a method of MFA.
Biometric MFA data has one large weakness- your retina, voice, and finger prints never change. If the hash of the image can be spoofed or copied, the black hat has your data forever. That isn’t secure.
The most secure MFA is a hardware key. There are many out there, and the way that they work is both simple and complex. Currently, the most secure method of hardware key MFA is carried out with a protocol called Universal 2nd Factor, or U2F. The method used here is something very familiar to old school Internet fans who remember the PGP encryption software: public-key cryptography.
In public-key cryptography, instead of using just one key, we use a pair of keys — one key is used to lock something away digitally and only the second key in the pair can unlock it. I can keep one key — my private key — and put the public key out there for you to use. Since only my private key can unlock anything locked up by the public one, once you lock it, no one else can use the key I left out there but the person in possession of the private key.
These keys are called a key pair and are mathematically linked. I can create as many public keys from a private key as I want, but you no one can recreate my private key from a public key. Genius, right? So how does this apply to MFA?
Key pairs can be created using software, but in the case of U2F, the private key is generated using a unique secret that is embedded during the manufacturing process and is hardwired into the circuitry of the hardware key, which is what makes it so secure.
So how it works is that you register for an account using the system that we are all familiar with- a user ID and password. Don’t forget to use a strong password. Then you register your hardware key. The server then sends a challenge consisting of a random number and an AppID to the user’s device. The hardware key then generates a nonce and hashes it together with the AppID and the secret key that is hidden in its electronic brain using HMAC-SHA256 to create a private key that is specific to that AppID. From this private key, a public key is derived, along with a checksum. This is returned to the server, who stores it for later. The next time you go to that website, the server will verify that the hardware key is the same one that it has dealt with before by sending you the public key, thus making sure that the server is valid and securing you from a man in the middle attack. Why? Because the domain is hashed together with the device secret password, so if you’re on a phishing website, the token will generate a different key, and the checksum will fail.
If the information was sent from a legitimate server, it should result in the same public key since the secret inside the device didn’t change. The device will then encrypt the challenge sent by the server with the private key and send it back to the server. Now both parties have verified that they are indeed talking to the people they think they are.
Since each nonce and checksum is unique to that login request, they change every time. This makes sure that your key cannot be spoofed. It’s like using a one time pad for MFA. All cryptographic operations happen inside the token. By the time the private key leaves the token, it already has been hashed using SHA-256, so even if the user doesn’t know that the client is compromised, it’s still safe to use the token.
Because of the nature of this system, it ensures that you are protected from:
- Spear phishing
- Credential stuffing
- Brute force and reverse brute force attacks
- Man-in-the-middle (MITM) attacks
No matter how you keep your passwords, they are vulnerable to being discovered or stolen. A hardware key that is properly setup will make the possession of the password irrelevant without possession of the key. If you lose the key, it is worthless without the password. The key also prevents you from logging into phishing sites, because it confirms for you that the site you are giving your credentials to is the legitimate one.
When you use a hardware key, always register two of them to each account, then lock one away in your safe. This insures that, should you lose the hardware key that you carry around, you aren’t permanently locked out of your accounts.
For right now, the most secure method of authentication is to use a unique user ID and password for each account you have. The password should consist of the four character types, random, and be at least 16 characters. Your passwords should change periodically. You should enable hardware key MFA for any sites and applications that support them, and use SMS MFA for any that do not. Although SMS MFA is flawed, it is better than not using MFA at all.
Internet crime is increasing, and the best defense is to harden your systems to the point where others are easier targets than you.