Is One Method of Multi-Factor Authentication (MFA) Better Than Another?


Credential theft has been on the rise for the past few years, tracking closely with the cloud adoption trend. With data being moved from on-premises systems into platforms run by Amazon, Google, and Microsoft, hackers have had a much more difficult time trying to get through security by using brute force attacks.

This has driven a rise in password theft. With a legitimate user password, a hacker gains instant entry to a company account. And if the account they’ve hacked has the right permissions, they can add new users, steal data, and more.

According to Verizon’s 2020 Data Breach Investigations Report (DBIR), there are some signs that theft of login credentials is a major issue:

  • Password dumpers have become the #1 form of malware used in breaches
  • Theft of login credentials has become the #1 goal of phishing attacks

To combat the danger of these attacks, companies implement multi-factor authentication (MFA), a strong safeguard that keeps an account from being compromised even when its password has been stolen.

MFA adds an additional step to login verification, usually the entry of a code that is sent to a user's device. The extra step can also be a different kind of factor, like a fingerprint scan.

This trips up most hackers, because they don’t have a way to get that additional code. But, according to a study released by Google, not all methods of MFA have the same mitigation rate for attacks.

What’s the Most Secure Method of MFA?

When we talk about the different methods of MFA, it’s about how the authentication code is provided to the user. Google’s study looked at three main ways the MFA code is sent to authenticate a login.

This includes:

  • SMS (text message)
  • On-device prompt
  • Security key

The study also looked at three different types of cybersecurity attacks:

  • Automated bot attacks (several computers are deployed for a high-volume, automated attack)
  • Bulk phishing attack (phishing emails sent out in bulk to multiple users)
  • Targeted attack (attack that is more personalized and directed specifically to an organization)

We’ll compare each of the three methods of receiving an MFA code below and discuss how each scored in the Google rating over each type of attack.

SMS (text message)

Receiving a login code through MFA by SMS is the most common method. This is used widely by applications like online banking logins, cloud business apps, social media logins, and more.

Of the three methods of MFA, SMS is the least secure. This is because hackers do have the ability to take over or clone a user's SIM card (a "SIM swap"), which would allow them to receive that user's text messages.

Increasingly, phones are also being paired with computers to allow users to access texts on their desktop or laptop. So, if a paired laptop were lost or stolen, the person in possession of that device could have access to MFA codes sent by SMS.

According to the Google study, here is how SMS rated for blocking a variety of attack types:

  • Automated bot: 100% blocked
  • Bulk phishing: 96% blocked
  • Targeted attack: 76% blocked

On-Device Prompt

An on-device prompt will typically be provided by use of an MFA application. This is a mobile and/or desktop app that pairs with various accounts to provide the input code.

Some examples of MFA applications are Microsoft Authenticator, Authy, and Google Authenticator.

Authentication apps are seen as more secure than SMS because someone with a SIM card or access to your text messages can’t access the app.

Here's how authentication apps fared in the Google study:

  • Automated bot: 100% blocked
  • Bulk phishing: 99% blocked
  • Targeted attack: 90% blocked

Security key

The strongest method of MFA is the security key. This is a physical device, usually the size of a small USB stick, that plugs into your computer or phone to prove that you are the legitimate user of a website or application.

You will generally need to purchase the key from a provider like Yubico, and then pair that key with the sites that you use MFA for. These security keys are designed for both business and personal use.

The only drawback is that if you lose the key, you’ll have to go through a bit of a process to re-authenticate yourself on your sites. But, if you can keep track of the key, this is the best way to keep all your sites secure through MFA.

In the Google study, here is how using a security key for MFA did against attacks:

  • Automated bot: 100% blocked
  • Bulk phishing: 100% blocked
  • Targeted attack: 100% blocked

Get Help Setting Up MFA for Your Business

Haxxess can help your Northern Ontario company set up an effective MFA strategy to keep your accounts and data secure from attacks.

Contact us today to schedule a free consultation! Call 705-222-8324 or reach out online.
