Credential theft has been on the rise for the past few years, tracking closely with the cloud adoption trend. With data being moved from on-premises systems into platforms run by Amazon, Google, and Microsoft, hackers have had a much more difficult time trying to get through security by using brute force attacks.
This has driven a rise in password theft. With a legitimate user password, a hacker gains instant entry to a company account. And if the account they’ve hacked has the right permissions, they can add new users, steal data, and more.
According to Verizon’s 2020 Data Breach Investigations Report (DBIR), there are some signs that theft of login credentials is a major issue:
To combat the danger of these insider attacks, companies implement multi-factor authentication (MFA), a strong safeguard that keeps accounts from being compromised by an insider attack.
MFA adds an additional step to login verification, usually entering a code that is sent to the user's device. The extra step can also be another factor, such as a fingerprint scan.
This trips up most hackers, because they don’t have a way to get that additional code. But, according to a study released by Google, not all methods of MFA have the same mitigation rate for attacks.
When we talk about the different methods of MFA, it’s about how the authentication code is provided to the user. Google’s study looked at three main ways the MFA code is sent to authenticate a login.
This includes:
The study also looked at three different types of cybersecurity attacks:
We’ll compare each of the three methods of receiving an MFA code below and discuss how each scored in the Google rating over each type of attack.
Receiving a login code through MFA by SMS is the most common method. This is used widely by applications like online banking logins, cloud business apps, social media logins, and more.
Of the three methods of MFA, SMS is the least secure. Hackers do have the ability to gain access to, or clone, a user's SIM card, which would allow them to receive that user's text messages.
Increasingly, phones are also being paired with computers so users can read their texts on a desktop or laptop. If a paired laptop is lost or stolen, whoever has that device could also have access to MFA codes sent by SMS.
According to the Google study, here is how SMS rated for blocking a variety of attack types:
An on-device prompt is typically provided by an MFA application: a mobile and/or desktop app that is paired with your various accounts and supplies the input code.
Some examples of MFA applications are Microsoft Authenticator, Authy, and Google Authenticator.
Authentication apps are seen as more secure than SMS because someone who has your SIM card, or access to your text messages, still cannot access the app.
Here’s how the app fared in the Google study:
The strongest method of MFA is the security key. This is a physical device, resembling a small USB drive, that plugs into your computer or phone to authenticate you as the legitimate user of a website or application.
You will generally need to purchase the key from a provider like Yubico, and then pair that key with the sites that you use MFA for. These security keys are designed for both business and personal use.
The only drawback is that if you lose the key, you’ll have to go through a bit of a process to re-authenticate yourself on each of your sites. But if you can keep track of the key, this is the best way to keep all your sites secure through MFA.
In the Google study, here is how using a security key for MFA did against attacks:
Haxxess can help your Northern Ontario company set up an effective MFA strategy to keep your accounts and data secure from attacks.
Contact us today to schedule a free consultation! Call 705-222-8324 or reach out online.