… and enough power to make these marks
–Mona Lisa Vito, My Cousin Vinny1
MFA: Each Criterion Brings You Closer to the Truth
A Decatur, Illinois manufacturer that had been hit with ransomware in May, was in July sued by Travelers Insurance for having misrepresented the extent to which it was protected by MFA (multifactor authentication). Travelers said the manufacturer had violated the terms of its cyberinsurance policy. The parties came to an adjudicated agreement to nullify the policy; Travelers did not need to cover any of the ransomware losses.3
Also in July the Cyber Readiness Institute released a report on the poor adoption rate of MFA among small- to medium-sized businesses, finding fifty-four percent do not protect their data with MFA. In the same survey fifty-five percent were not even “very aware” of MFA and its security benefits.4
MFA is a way to check a claimed identity by requiring a second or more piece of evidence confirming that identity. A factor added to a computer authentication process is equivalent to an additional layer of protection; if one factor is breached, others remain to protect the system or data.
In the example of an ATM, an identity is declared when someone inserts a physical card into a machine which is then checked by the machine when it asks for a memorized PIN.
Some Types of MFA
As can be seen by the tire tread example, MFA is not a product you buy, but a way of reasoning. Following are among the most common factors5 used to protect computer networks and data:
- Remembered passwords and PINs
- Security questions (these are commonly referred to as knowledge-based authentication [KBA])
- Dynamic security questions, like recalling a recent financial transaction
- Retina scans
- Facial recognition
- Cards, like with magnetic strips, chips or near-field communication encoding (the kind you tap to pay for things)
- USB/hardware devices, like U2F keys or Yubikeys
- Virtual “soft” temporary tokens usually used in conjunction with apps on mobile phones
- Software can be written to record users’ behaviors, like time-of-day, timezone and IP address. This record is then checked against activity to disallow unusual behaviors without verification by other means.
My MFA Can Deck Your MFA
There are no certainties in life or security. If a criminal has enough determination and skill to break in, they will find a way – so there have been hacks of second factors (including a case in September’s Up Times showing one form of MFA [hardware token] protecting and a weaker form failing). Some MFA forms give better protection. If you have a choice of MFA, choose physical or software tokens.
The strongest “soft” token idea is when a challenge application pushes a notification (usually to a phone’s app) and requires a response [like clicking an “OK” button] in the phone’s app. By contrast, the most common of these software token applications generates a password-type number on an app on a phone that you have to type into a web application; these numbers can be intercepted by malware (including key-logging malware).
The step beyond software tokens in security is to use hardware tokens, like a Yubikey or similar. These small devices contain your authentication tokens and are inserted into a computer port, like a house key in a door lock, to unlock the application with physical proof that you’re you.
Any MFA Is Better than None
“If there’s two-factor authentication for it, enable it,” advises Bryley President Garin Livingstone: any type of MFA is better than none. But like many things in life, there is the danger of a kind of MFA theater – appearing to be doing something securely when things are not really buttoned up: for instance, a second-factor code is emailed to an account that is just password-secured or texted to a password-protected VOIP phone number.
If you have yet to move ahead with MFA and do not want to chance your data to password compromise, choose among the stronger forms when feasible.
If you already use MFA, it’s important you understand the points of vulnerability – for the sake of your organization’s and clients’ security and to comply with your cyberinsurance policy.
If you’d like specific guidance about uncovering important vulnerabilities, being safe and compliant with the terms of your cyberinsurance, Bryley is available to help at 978.562.6077 or email ITExperts@Bryley.com.
1 Mona Lisa Vito (Marisa Tomei) giving an example of using multiple factors to get to a truthful identity. Her courtroom testimony: The ’64 Skylark had a solid rear axle, so when the left tire would go up on the curb the right tire would tilt out and ride along its edge. But that didn’t happen here; the tire mark stayed flat and even: this car had an independent rear suspension. Now in the sixties there were only two other cars made in America that had Positraction and independent rear suspension and enough power to make these marks. One was the Corvette, which could never be confused [by an eyewitness] with the Buick Skylark. The other had the same body length, height, width, weight, wheel base and wheel track as the ’64 Skylark – and that was the 1963 Pontiac Tempest.