Demystifying Cyber: MFA

In this video series, we’re here to peel back the curtain and show how the “tricks” in cyber are done so we can all have a better understanding.

MFA is the abbreviation for multi-factor authentication. You may also have heard of its close cousin, 2FA. That would be two-factor authentication.

Tom Pioreck, CyberMaxx’s CISO, will be diving into MFA. While MFA can be annoying, it is also critical to reducing your risk of being victimized through one of your accounts. It’s why we feel this was an important first episode for our Demystifying Cyber series.

For your convenience, we’ve included a transcript of the 25-minute episode below. Feel free to watch the video on YouTube.

Transcript

The famed author, Arthur C. Clarke, had three laws when it came to science fiction; the third law is, any sufficiently advanced technology is indistinguishable from magic. We’re here to peel back the curtain and show how the “tricks” in cyber are done so we can all have a better understanding. This is “Demystifying Cyber.”

Hello, I’m Thomas Pioreck, cybersecurity professional with close to 20 years in the industry and self-professed most paranoid person in the room. On this episode of “Demystifying Cyber,” let’s lift the veil on MFA, multifactor authentication.

What would happen to you if someone was able to access your bank account and transfer all of your money out? How would you feel if your friends and family were scammed out of significant money because of an email “you” sent them? Would you feel violated if someone used your email address, after they took control of it, to conduct widespread fraud and scam dozens of strangers, if not more, out of their life savings? What if all of your family and friends became targets just because you had them in your address book? Do you want strangers accessing and manipulating your emails, savings account, retirement accounts, financial investments, medical records, utility bills and accounts, or your social media? Of course you don’t.

But all of those are possible scenarios whose chances of happening we decrease significantly when we implement MFA, multifactor authentication, on our accounts. Sure, MFA can be annoying, it can feel like it’s interrupting your flow, but those are the benefits it provides you. It greatly reduces the likelihood that any of those horrible situations could happen to you. And really, it’s a grand singular benefit. It helps you keep all of those accounts, with all of that personal information, within your control only. It greatly reduces the odds of you and your loved ones being victimized through one of your accounts or “in your name.” Do you want it to be your account that leads to a massive security incident at your job that could potentially lead to the company having to close? Or lay off a lot of your friends and coworkers? Not because it’s your fault. Just because MFA wasn’t enforced for the account.

Let’s acknowledge the ugly truth about people and MFA. We don’t like it. We find it annoying, a tedious extra task that just prolongs this simple thing I’m trying to get done so I can move on to the next thing. All I want to do is check my email so I can see when the fantasy football draft is, what’s the big deal? It’s just a quick login to my bank to confirm I have the funds for that new LEGO set that was finally released. All I want to do is log in to social media so I can take a picture of this sandwich, say it’s basic, give it zero stars, and throw on a bunch of trending hashtags because I’m an influencer in training. What’s so critical about any of that? Fair enough. But if you’re looking to be an influencer, if your social media accounts have your personal thoughts and reputation, are you willing to lose control and access to them?

Then there’s the actual logistics of using MFA. Sat down at my computer but I left my phone charging in the other room. Now I have to get up and go get the phone, just to confirm I’m me by clicking an app or entering some dopey code? I’d love to log in right now but I was in a rush getting everyone out the door this morning before I came to the bank to process this loan application and forgot my phone. Or you misplaced the security token you use for MFA. Or you took that tray of muffins out of the oven when you were distracted and burned your fingertips so badly, now your fingerprint is no longer valid. Okay, that may be a bit of an extreme example. Moral of the story is always use oven mitts.

I get it, I do. Sometimes I have those same thoughts and feelings. I just need to do this quick little thing and this extra MFA step is going to take almost as long as the thing I’m logging in to do. So I have that feeling. But I know. I know why it’s important.

It’s not necessarily there to only prevent a malicious intent. It’s there to help guard against a negative outcome. So I appreciate that little bit of delay.

All right, so all that being said, what exactly is MFA? MFA is the abbreviation for multifactor authentication. You may also have heard of its close cousin, 2FA. That would be two-factor authentication. What’s the difference? Not much really. 2FA is just setting the number of factors, two. That’s it. Multifactor means it’s at least two, could be more, depending on the system. Top-secret defense systems may have more than two. You need to swipe your badge, enter a PIN, and then submit to a palm or retina scan. I’m not advocating that we do that for all our accounts, just illustrating that it is possible to have more than two.

In security, we classify potential authentication factors into three basic categories. Something you know. Something you have. And something you are.

Multifactor means that you are providing authentication of your identity using at least two of those categories. You don’t want to double up on just one of them, you need to include at least two of the categories. Okay, that’s great, but what do they mean? Glad you asked.

Something you know is a PIN or password. It’s in your head, something you know. Now some of you may be using password managers or vaults, and that’s great, but those passwords still count as something you “know.” Does that make the most sense? Maybe not, but them’s the rules. Another authentication method we’re all familiar with is the security questions. Some platforms don’t provide for the something you have or something you are categories, they just pile on the something you know. Account recovery questions tend to fall into this category. You know the ones, when you’re signing up and creating that account, you’re asked to select your recovery questions. We’re all familiar with them. What’s the name of the street you grew up on? What’s your mother’s maiden name? What was the first car you owned? What is the airspeed velocity of an unladen swallow? You know, generic questions that only you should theoretically know the answer to.

Well, here’s one of the problems with those questions. It doesn’t take someone long to figure them out. Especially malicious actors. There’s a whole field called open-source intelligence, OSINT for short (what’s with security people and the abbreviations?). It can be a whole episode on its own, but basically it’s learning facts and information about people from publicly available sources. Say, like, your social media account, which you didn’t set to private. So when you talk about growing up on Elm Street and remember Freddy, the nice old man who lived up the block. When your mom wishes you a happy birthday and her account clearly denotes her maiden name. Or that remembrance post about Santa’s Little Helper, that first great dog you had. It takes a skilled OSINT practitioner less than a day to gather up all of the information that we’re usually asked to provide as additional “security” questions.

Now here’s the fun part. You know those questions those accounts ask you, the ones we’re talking about that ask you to provide answers to personal questions so that you can prove you’re you? Lie. Make up your answers. Remember, these systems don’t know what the right answer is, they think they’re doing you a favor by providing simple to remember security questions. Just make stuff up.

A password manager is great for this because it will randomly generate passphrases or passwords. It’ll even allow you to save the questions and generated responses. Yes, there’s an argument that you’re putting all of your eggs in one basket, but we’re balancing security with usability. Then you just keep a list for each account for the question and answers. If you were to go by security questions across my online accounts, you would discover that my mother has had close to 20 different maiden names and the majority of those aren’t even words. Which makes it a bit more entertaining when the customer service rep asks you to confirm your mother’s maiden name and you say, sure, it’s “E@3rtwX*9$kKt.” You could also just use random words you’ve come across for the answers too. So when they ask for your mother’s maiden name, you get to respond, “puppy monkey baby.”

Where was I? Right, something you know. So that covers PINs and passwords. Not really enough on their own. Especially passwords because of how many breaches have occurred over the years. You basically have to accept that most of your passwords have already been compromised and it’s just a matter of time before some threat actor comes along and tries them against every kind of web account there is. They could try to run what we call a spray-and-pray attack. Basically, they just throw every username and password combination they have at a system and see which ones the system accepts. Now, if you have MFA, that spray-and-pray attack alone won’t get them that access. They now need to go after your MFA. So we’ve made it a little more annoying to them.

Next up, something you have. We’re not talking about a sunny disposition, a knack for Sudoku or brown hair or freckles. No, we’re talking about something physical, something you can hold in your hand. Your phone fills in a lot here. You could have a security token, like this. This is a Yubikey. It plugs into the USB port on your device and when it’s set to be your MFA device, when you get prompted, you just touch this gold circle here. Some, like this one, also have NFC tech, that’s near-field communication. It’s the technology that allows you to tap your phone or credit card to initiate a payment. You can use the NFC tokens on a modern iPhone and many Android phones because it’s the same tech that lets you use Apple, Google, Samsung, whatever Pay. It could be a card. Some orgs will have their identity badges double as a security card. You swipe or tap your card for entry. For some locations, you have to swipe/tap your card and then enter a PIN.

That’s multifactor in action. Smart for an office processing confidential information, not so great when it’s on the bathroom door.

But the biggest player in the something you have space, and we already talked about it briefly, your phone. Nowadays, we always have our phones on us. Authenticator apps are apps that you install on your phone, Google, Microsoft, and Duo are the big players here, and access there for a verification code. Some allow you to opt for a simple push notification, where all you do is click the button when prompted after entering your username and password.

And while that push notification is convenient, security folks have started to move away from it. See, once we come up with an additional way of protecting information, threat actors set about finding a way to get around that protection.

And they figured one out for those push notifications, it’s called MFA Fatigue, also known as MFA Bombing or MFA Spamming (again, if it’s not the plethora of abbreviations, us security folks can’t help ourselves when it comes to giving the same thing multiple names.) Let’s remember that MFA is helping protect our accounts by adding a layer of protection, protection for when our username and password is compromised.

Once an attacker has the username and password, they just bombard the system with login attempts that generate the push notification to your device. So an unexpected push notification could be a good indicator that your credentials for that account are compromised and you should log in and change them for that account, plus any other account where you’re using the same password, which we all know you aren’t because you shouldn’t be, but just in case. What they do is just bombard with prompts, over and over again, until they wear you down and you finally click Accept just to make the notifications stop. So security people prefer the code.
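The push-bombing pattern just described is also what a defender can look for on the identity provider side: a burst of push prompts for one user in a short window, most of them refused or timed out, sometimes ending in an approval. The detection sketch below is an added example, not part of the episode or any product; the log format, user names and IP addresses are constructed for illustration.

```python
"""Detection sketch for MFA fatigue (push bombing): many push prompts for one user in a short
window, especially when a refusal streak ends in an approval. Added example with an invented
log format; not a real product's logic."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample IdP log lines (documentation IP ranges, fictional users). Alice's burst is
# what an MFA-bombing run looks like; Bob's lines are ordinary logins for contrast.
SAMPLE_LOG = """\
2024-05-03T09:12:01Z user=alice method=push result=timeout ip=203.0.113.7
2024-05-03T09:12:35Z user=alice method=push result=denied ip=203.0.113.7
2024-05-03T09:13:02Z user=alice method=push result=timeout ip=203.0.113.7
2024-05-03T09:13:40Z user=alice method=push result=denied ip=203.0.113.7
2024-05-03T09:14:11Z user=alice method=push result=timeout ip=203.0.113.7
2024-05-03T09:14:55Z user=alice method=push result=approved ip=203.0.113.7
2024-05-03T09:20:10Z user=bob method=push result=approved ip=198.51.100.22
2024-05-03T11:05:00Z user=bob method=totp result=approved ip=198.51.100.22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) "
    r"result=(?P<result>\S+) ip=(?P<ip>\S+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect_push_fatigue(lines, threshold: int = 4, window_seconds: int = 300) -> dict:
    """Return {user: alert} for every user who received `threshold` or more push prompts
    inside a `window_seconds` sliding window. The alert records how many prompts were in
    the burst, how many were refused (denied or timed out), whether one was eventually
    approved (the attacker's goal, so the highest-priority case), and the source IPs seen."""
    recent = defaultdict(deque)   # per-user events still inside the sliding window
    alerts = {}
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev["method"] != "push":
            continue
        q = recent[ev["user"]]
        q.append(ev)
        while (ev["ts"] - q[0]["ts"]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) < threshold:
            continue
        alerts[ev["user"]] = {
            "user": ev["user"],
            "count": len(q),
            "refused": sum(1 for e in q if e["result"] != "approved"),
            "approved_during_burst": any(e["result"] == "approved" for e in q),
            "first_ts": q[0]["ts"].isoformat(),
            "last_ts": ev["ts"].isoformat(),
            "source_ips": sorted({e["ip"] for e in q}),
        }
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG.splitlines()).values():
        severity = "HIGH (prompt approved)" if alert["approved_during_burst"] else "MEDIUM"
        print(severity, alert)
```

An alert with `approved_during_burst` set is the case to treat as a likely account takeover; the same credential-reset advice the episode gives applies, plus revoking the session that the approval created.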

You’re probably familiar with entering a code from an app, a lot of the companies we work for have already implemented it. You set up the account in your authenticator app, you log in and are prompted to enter your six-digit code. You open the app, find the account and just enter the six-digit code that’s in the app into the prompt and you’re in. Did you ever notice that app has a countdown? Those codes aren’t static, if you haven’t noticed. See, when you first set it up, there’s a whole bunch of math that gets set up and triggered to generate a seemingly random code on your phone but the same math is set up for your account on the system, so the same algorithm runs every 30-60 seconds so that your phone and the account generate the same secret code. That’s how it knows they match. Kind of like those annoying couples that always finish each other’s sentences in unison.

Then there’s SMS, which is the technical name for text messaging. You provide the system with your cell number when you’re setting up the account. Then, when you log in and enter your username and password, the system says they’ve sent you a message with your code and provide the field to enter the code they sent. Within a minute, your phone notifies you that you have received a text, and that text tells you that here is your code. You type in the code, usually six numbers, something more, rarely less, hit Submit or Enter, and the login completes. The close cousin is the email notification. When you set up the account, you’re asked if you want to use text or email or either. Then at login, it asks you how you want to have your code sent, text or email. Selecting email works pretty much the same way the text, sorry, SMS, method does, except you get an email with the code, instead of the text.

Now here’s where we get into an issue with text and email. First, email. The presumption that the system here is making is that you still control the email account being used. But what if you’ve lost that access? Let’s say your email account is already compromised and under control of a threat actor. Well, they’re in charge of the verification system you’re sending the code to. So the benefits of having MFA set up go right out the window. Oh, sure, we know you have MFA set up on your email accounts, didn’t forget any, and haven’t fallen for an MFA compromise on your email account. And here’s something else, this is supposed to be something you have, as in, it’s in your physical possession. Would you say that your email account is in your physical possession? Yes, granted, you’re getting it on your phone or computer, and that is in your physical possession, but is an email account really in your possession? I say no, it isn’t, so let’s not use it in such a manner intended for possession.

There are a lot of security people out there that pull their hair out when they hear someone’s using SMS as their multifactor. Or if a vendor offers SMS as the only choice when setting up an account. Like, well, why even bother having it in the first place? But we don’t really do a good job of explaining why we feel text is weak, really a notch above email, when it comes to setting up a multifactor option.

So here it is. There are a number of ways your cell number, not even just the phone, but your cell number can fall under the control and access of someone else. Let’s start with the simple: you lose your phone or I steal your phone. It takes minimal training to look at the finger smudges on the screen of a phone and trace the Cheetos outline to figure out what your PIN or pattern code is. Oh, you use your face to verify? Sure it’s simple and it sounds very secure but it’s not foolproof and not too hard to crack. In fact, the amount of techniques threat actors have devised to unlock your phone with your face, with your sometimes willing help, could be its own mini-episode.

But the big one that security folks always get into is SIM-swapping (hey look, yet another abbreviation). This is accomplished by a threat actor getting a different physical phone with its own SIM card, then calling your wireless provider and convincing the customer rep that the threat actor is you and having your cell number moved from your device to theirs, which means they now have a device that gets all your calls and texts. So the MFA code goes to their device. Now I know a lot of you enjoy your police procedurals and heist movies, and yes, it is possible to clone your phone to achieve the same ends. The endgame is the same, you are no longer in sole possession of devices receiving your calls, texts, and most importantly for our purposes now, verification codes.

Now, I’m a Gen X kid who grew up on punk rock so it’s in my nature to sort of buck the general notions. SIM-swapping is real and it is a threat but it’s also generally only used in highly targeted attacks against an already known high-value target. And while it is important that we are aware of the limitations for SMS as a solution for our MFA and opt to use the better methods when they exist as an option for us, it’s also important that we acknowledge that something is better than nothing. If the only lock you have on the front door of your house is the latch in the door knob itself and I told you that it’s the weakest method, would you decide you were better off to not have any lock at all? Of course you wouldn’t.

The third category is “something you are.” We’re not talking about being a Yankees fan or a Swiftie here. This something you are must be what’s called, “immutable.” That means it’s something that does not or cannot change over time. This is the category for biometrics: fingerprints, palm scans, retina scans, all of those. The logic is that only you have your fingerprints, retina scan, or other biometric markers. And while true, we must also acknowledge that there have been plenty of instances where someone has figured out how to beat a biometric scanner. Yes, Hollywood has shown us many ways, from the ingenious technical to the somewhat gory physical, but the actual methods are even broader and less messy. Then there’s the notion that these items don’t change.

I met someone that worked in security and couldn’t use their fingerprints for biometrics. Well, really, they couldn’t use their fingerprints anymore. They’d had a tragedy at their home where a horrible fire had broken out, and in the course of saving some of their possessions, they had suffered significant burns on their hands and fingers. Burns significant enough that their fingerprints were lost. So not only did that mean they could no longer use their fingerprint to establish an authentication factor, it also meant that any account where their fingerprint had been that factor, they could no longer use it to log in. Also, despite what CSI and Dick Wolf’s universe may have led us to believe, our fingerprints aren’t as unique as many of us think.

Then you have one of my favorite stories involving a retina scan. A senior military officer was thrilled to learn that they were pregnant but since it was still the earliest stages of the pregnancy and because of their work, they were waiting before they shared that fact with a larger circle that would include friends and colleagues. One day, they arrive at the military installation where they worked, which had heightened security for entrance that included a retinal scan. A scan they had used many times before to gain entry. Steps up, scans their eye, negative. Tries it again. Buzzzzzz. And again, red light, no entry. Annoyed, and somewhat frustrated, they contact the point person for the system to report the issue. The technician responds, checks the system, checks the pattern on file and the pattern in their eye, and makes a simple pronouncement. “Oh, it’s because you’re pregnant. I’ll just make an adjustment for your new pattern.”

See, there are changes that occur to the retinal pattern that are a natural part of pregnancy. It usually reverts to the prior pattern after pregnancy. It’s normal, healthy, and not indicative of any concern. But what it does do, is cause an issue with verifying your identity against the retina pattern on file. So because of one technician’s awareness of retina patterns and what can cause a false negative, this officer’s personal secret was no longer a secret.

There’s also the story of a journalist who was able to take a high-resolution photo with their cell phone’s camera of an EU leader during a press conference. The image of the photo was good enough for them to extract a retina pattern. One 3D-printed contact lens later and they were able to beat the retinal scanner. So again, while great and mostly immutable, not perfect.

And that’s important to remember. As secure as any of these methods are, none of them are perfect, nor foolproof. It’s a matter of which one works best for you and fits your security threat model.

In fact, multifactor authentication can be seen in some of our favorite Hollywood films, Crimson Tide, War Games, Hunt for Red October, each address MFA as part of their larger story. Who can forget the tense scene between the late Gene Hackman and Denzel Washington? The soldier at the beginning of War Games that turns his key and then proceeds to yell at the late John Maloney to turn his key, even going so far as to pull his weapon and train it on John Maloney. Or Tim Curry’s reaction in Hunt for Red October, when Sean Connery, the great Russian sub commander with a Scottish accent (huh?), announces for the record that he has taken the deceased political officer’s miss-ile key, and is, “keeping it for myself.” And Curry’s doctor reminds him that the reason for two missile keys is so that no “one man may arm the miss-iles.” It’s all about multifactor authentication. Ensuring that two separate actions are needed for the process to continue. Now, am I saying that logging into my email is as critical as ensuring a proper nuclear launch, no, of course not. But would you watch two hours that hinge on me getting a code on my phone? I doubt it.

Ok, so now we’re clear on what it is, why it’s important, what constitutes the different factors, and that it’s not about hindering us from making a mistake, though it can be used as a quality check there, but there’s one big question left to answer: How? This is great, guy, but how do I set it up for my email, my financial information, my business and its operations? Good question. Let’s go over some simple ways we can set up MFA.

Setting it up for personal accounts is relatively simple. My recommendation? First pick an authenticator app. Generally, it doesn’t matter which one, they all function in the same manner, and as the user, there’s no cost calculus. The cost to set up and implement an authenticator app falls to the platform provider, the vendor that’s supplying the access to the account you’re using. Dirty little secret? You’re going to wind up with more than one installed on your phone and that’s fine. Yeah, it can get annoying remembering which accounts had to use X, when your default is to use Y, but you’ll be surprised how quickly a lot of that sticks in your brain and becomes second nature. Now I know I said SMS is fine for most people but we want to take that little extra step, especially since it’s pretty simple.

The next time you’re in your email, go to its Settings section. There you’ll see Security as one of the menus and within there is usually where you can opt in to MFA or 2FA. You should see options to “Enable Multifactor Authentication.” Then it’s just a matter of following the wizard they present you with. For an authenticator app, they’ll usually present you with a QR code to scan from within the app. That’ll set the account up in your app and the rolling code will be present. Then you simply enter in the corresponding code to confirm it’s set up and working, and voila, you’ve implemented MFA.

What if the only option the account offers you, say your bank, is text or email? Change banks immediately. I’m kidding. Set it up with the SMS option over the email one. And feel free to send them an email asking when they expect to offer OTP (that’s the whole authenticator app thing, look more abbreviations) or security keys or tokens?

If you’re a company and want to implement it for the business, good news, you likely already have a lot of options available to you and they’re likely included in your current SaaS (that’s Software as a Service) and other cloud solutions. It’s simply a matter of working with your vendor to determine how to turn it on and roll it out across your organization. Word of advice, start small and in groups wherever possible. And communicate with your people that you’re planning to roll this out, when to expect it, and which applications will occur when. Then send reminders. Resistance is natural, especially when we feel like friction is being added to our days, so be clear about it. Don’t turn it on across every system all at once. Plan it through with your business leaders, security teams, consultants, and your vendor.

If you’re feeling really ambitious at home or the office, opt to use a security token, the hardware solution. Like this one here. They’re great, simple to use, harder to bypass, but there is a cost consideration since you have to buy them and replace them if lost or stolen.

Once you’ve set up your authenticator app, make sure you’re backing it up. It can usually be included as an app that’s being backed up as part of your phone’s operating system standard backups. Last thing you want to do is set this all up, get a new phone, set that up, and then realize all of your verification codes were left behind. And if all of this feels daunting to you personally, start small. What accounts have the most important information to you? Start with those. For most of us that’s email and financial systems. Just have a plan that the next time you login to an account, you’re going to take the less than five minutes needed to turn on and set up multifactor for that account.

And that’s just about it. We’ve covered what MFA is, acknowledged the pain points that some people perceive about it, how it improves the protection of our accounts, and how to get started. There’s plenty more details and intricacies we can get into but this should be a pretty good introductory primer on the basics. Remember, security is about balancing friction. It’s not about making it difficult for ourselves to access what we need when we want, but making it harder for an unauthorized party, a threat actor, a bad guy, to do so. It’d be great to come home and just open the door and walk into the house. But I’m willing to have to wait a little longer to get the key out, unlock the door, and turn off the alarm, even if I neglected to hit the restroom before heading home and I’m in “a bit of a rush at the door” so to speak. Next time you have to enter that code, smile. It’s a reminder that the little extra protections you’ve put in place are working and that your accounts are more secure than they used to be with just a password.

If you have questions that you hope we’ll answer in future episodes, just drop us a line. Arthur C. Clarke said that any sufficiently advanced technology is indistinguishable from magic. Learning how the trick is done doesn’t diminish it but it does let you appreciate it even more. Computers are just processing an almost endless series of 1’s and 0’s. Once you remember that, the cloud tends to disappear.

Until next time.