Dark Mode Light Mode

Two-Factor Authentication Can Fail You, but You Can Make It More Secure

Two-Factor Authentication Can Fail You, but You Can Make It More Secure Two-Factor Authentication Can Fail You, but You Can Make It More Secure
Two Factor Authentication Can Fail You, but You Can Make It



Two-factor authentication (2FA) is a great way to boost the of your accounts. But even with that added layer of security, malicious actors are finding ways to break in. So-called adversary-in-the-middle attacks take advantage of weaker authentication methods to access accounts. Your two-factor and multi-factor authentication (MFA) be weak, but, luckily, there's something you can do about it.

How multi-factor authentication works

MFA uses two or more checkpoints to confirm a user's identity for accessing an account or system. This is more secure than relying on just a username and password combination, especially given how easy many passwords are to crack, and how many have found their way onto the dark web. are often basic and repeated, so once a password has been compromised, it can be used to get into many accounts. That's why it's so important to use strong and unique passwords for each one of your accounts.

With MFA, a password isn't enough. From here, the user has to validate their login using at least one additional piece of evidence, ideally that only they have access to. This can be a knowledge factor (a PIN), a possession factor (a code from an authenticator app), or an identity factor (a fingerprint).

Note that while 2FA and MFA are often used interchangeably, they aren't necessarily the same thing. 2FA uses two factors to verify a user's login, such as a password plus a security question or SMS code. With 2FA, both factors can something the user knows, like their password and a PIN.

MFA requires at least two factors, and they must be independent: a combination of a knowledge factor like a password, plus a biometric ID or a secure authenticator like a security key or one- password. Generally, the more authentication factors needed, the greater the account security. But if all factors can be found on the same device, security is at risk if that device is hacked, lost, or stolen.

MFA can still be compromised

While having MFA enabled on your accounts can make you feel secure, some MFA methods can be compromised almost as easily as your usernames and passwords.

As Ars Technica reports, certain knowledge and possession factors are themselves susceptible to phishing. Attacks known as adversary-in-the-middle target authentication codes, such as those sent via SMS and email, as well as time-based one-time passwords from authenticator , allowing hackers to access your accounts through factors you've unknowingly handed them.


What do you think so far?

The attack works as follows: Bad actors send you a message saying that one of your accounts—, for example—has been compromised, with a link to log in and lock it down. The link looks real, as does the page you land on, but it is actually a phishing link connected to a proxy server. The server forwards the credentials you enter to the real Google site, which triggers a legitimate MFA request (and if you've set up MFA on your account, there's no reason to believe this is suspicious). But when you enter the authentication code on the phishing site or approve the push notification, you've inadvertently given the hacker access to your account.

Adversary-in-the-middle is even easier to carry out thanks to phishing-as-a- toolkits available in online forums.

maximize MFA security

To get the most out of MFA, consider switching from factors like SMS codes and push notifications to an authentication method that is more resistant to phishing. The best option is MFA based on WebAuthn credentials (biometrics or passkeys) that are stored on your device hardware or a physical security key like Yubikey. Authentication works only on the real URL and on or in proximity to the device, so adversary-in-the-middle attacks are nearly impossible.

In addition to switching up your MFA method, you should also be wary of the usual phishing red flags. Like many phishing schemes, MFA attacks prey on the user's emotions or about their account being compromised and the sense of urgency to resolve the problem. Never click links in messages from unknown senders, and don't react to supposed security issues without checking their legitimacy first.





Source link

Keep Up to Date with the Most Important News

By pressing the Subscribe button, you confirm that you have read and are agreeing to our Privacy Policy and Terms of Use
Add a comment Add a comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post
gettyimages-941919472

Another Outage Strikes Newark Airport. How to Avoid Getting Stuck if Your Flight Is Delayed or Cancelled

Next Post
Samsung Odyssey Ark 2nd Gen

Samsung's best gaming monitor is $900 off

Discover more from rjema

Subscribe now to keep reading and get access to the full archive.

Continue reading