Here it is, what all the cool kids are talking about… even a passwordless future.
The things these security keys can do in the way of certificates and biometrics are evolving with increasing pace. They will very likely become a primary authentication method soon.
But that’s not now… I’ll start by giving the details on what Multi-Factor Authentication (MFA) is. In the past we have used a username and password (for simplicity we can call this a login) to authenticate ourselves to our accounts. As phishing has become more advanced, automating it has become easier, and tools now exist that automate much of the procedure. Our reliance upon passwords has been frequently questioned over the last few years.
So then… MFA, or xFA where x is the number of factors. Hold up! What exactly is a factor?
- Something you know. (PIN number, Username and Password etc.)
- Something you have. (Bank card, Mobile phone, Security key etc.)
- Something you are. (Biometrics: Fingerprint, Eye, Bone, Gait etc.)
- Somewhere you are. (This is a little more complex, often behind other high confidence security measures.)
So, let’s use a common example. You enter your password for work or school, and it asks you to either press yes or confirm a number in the Microsoft Authenticator app. What factors are here? Well, our password is something we know, and tapping yes on our phone is something we have: our mobile device.
Now my email provider, Zoho (you can do a whois, so this is public information), uses the same idea. However, I log in with my password from my KeePass database, get a push notification on my phone and then must input my biometrics. If I wanted even more security, I could whitelist IP addresses, but I don’t have the infrastructure to set that up. This was set up with a YubiKey, but as the model I have doesn’t support biometrics, this method is more secure for the time being. As mentioned before, I’m trying to get my hands on Feitian security keys: the K43 FIDO2 biometric key, a One Time Password (OTP) keyring and a smart card plus programming equipment. The keys may need different programming for the service that is going to use them… such as Azure Active Directory.
These Multi-Factor Authentication methods throw a spanner in the works for an adversary. But let’s talk about a common method that is not secure: Short Message Service, or SMS, which is a text message. These messages are vulnerable to interception and spoofing. For example, here’s a lab on it from the awesome guys over at Immersive Labs; check out some of the other cool labs over there too. But for those less technical, here’s an explanation of what is being done.
So we are going to conclude our MFA talk by talking about our mobile phones. They are the most used computers in our lives… yes, they are a computer too. Apple users, as always, enjoy more security than Android users, but we’re talking about SIM cards and not your devices. Thus, authenticator apps like Google Authenticator and Yubico Authenticator are a more secure choice: an attacker would need a certain level of access to your device to view those codes. That doesn’t mean they are secure… in fact, nothing is ever to be assumed completely secure. One thing I see day to day is that people don’t recognise the importance of their phones. While they have antivirus and VPNs on their laptops, neglect of their mobile devices is all too common. These devices, by the nature of their use, hold far more personal information.
Take your mobile device seriously! All that information is very valuable no matter who you are… Take the same precautions you would take when using another device such as a work laptop. Hopefully this helps some viewers understand what exactly this MFA stuff is… and of course don’t forget to set up your backup codes for accounts with MFA turned on.