The approach of the New Year is the ideal time to start investigating Multifactor Authentication (MFA), a layered approach to electronic security that requires two or more credentials to verify identity.
SA’s Internet Service Providers’ Association (ISPA) says the one-time password (OTP) that underpins many MFA systems ensures there’s an extra security layer preventing unauthorised logins.
However, most modern phones and laptops now have built-in security keys and use biometrics to implement MFA. These options are more effective than OTP-based solutions alone. Few realise that when you use fingerprint or facial recognition to unlock your smartphone, you’re using two factor authentication. These biometric systems can also be integrated into any corporate website using two factor authentication based on the FIDO2 WebAuthN standard. (See also: FIDO Authentication – A Passwordless Vision.)
It is also possible to use a USB device with cryptographic keys, which can be attached to a key-ring and carried around like a regular key.
OTPs, however, remain a useful way to improve security using older devices, and should be the minimum security standard for sensitive websites and systems.
Four common ways of implementing MFA on older devices are:
– An OTP via SMS sent to the user’s mobile phone.
– A phone call from the software vendor requiring the user to press a key.
– A mobile authenticator app where use is made of a verification code.
– A mobile authenticator app where use is made of a push message to a mobile device and the user is required to select “accept” on their mobile device.
Whereas more modern devices can as easily use fingerprint or facial recognition in addition to the above methods.
OTPs via SMS or email are not the most secure MFA mechanisms available, but they remain the most commonly used two factor authentication (2FA) method in cybersecurity, and provide orders of magnitude more secure than just usernames and passwords.
It should be noted however, that SMS is an unencrypted protocol and therefore text message-based OTPs can be viewed in clear text making them susceptible to cyber attacks, as well as being used in SIM swap scams.
If SMS or email MFA are the only options available to you, enabling and using them is better than nothing. However, the Association believes consumers would be better advised to investigate biometrics and token-based MFA authentication as well as authenticator apps.
ISPA is a recognised South African industry representative body with 215 Internet Service Provider (ISP) members, and says the past few months have seen a major increase in phishing attacks aimed at citizens and the country’s government.
“With the rise of remote working, we all need to become more familiar with the different ways of securing our virtual worlds and, ultimately, select a comfortable security protocol,” says André van der Walt, ISPA’s Chairperson.
“No one would fail to lock the front door of their company. Similarly, pay attention to how your remote working and other virtual solutions are secured,” van der Walt added.
Although MFA is effective in stopping most phishing attacks, regular security awareness training for employees should be one of the top priority security controls for organisations. At the end of the day, MFA remains just one of the many aspects of security that businesses need to consider when securing their environments.
With the human factor being by far the weakest link in any organisation’s security systems, security teams must find new ways to engage and educate staff with a view to raising organisational awareness.
Please see www.ispa.org.za for more information and follow @ISPA_ZA on Twitter.