Jill is an average working woman whose life is like everyone else’s and is completely online. Jill banks online, saves her CC on Amazon to make purchases easy and even pays her bills online.
Well unknown to Jill her email address and password were compromised in a data breach of a social media site she uses. The attackers who obtained Jill’s information attempt to use it to log into Jill’s bank account. Luckily for Jill she setup MFA on her bank account. Jill immediately receives a notice that someone is trying to log into her bank account. She knows it certainly isn’t her and denies the login then immediately changes her banking password.
Why Password are not enough anymore!
Luckily for Jill, she and her bank knew the importance of MFA. Passwords just are not enough anymore to keep our accounts protected from malicious people. Passwords are based upon human brains remembering a number, letter, special character combination. The human brain was not meant to keep track of this type of information. So what do people do? They reuse the same password for everything.
I touched on this in my previous post “Is My Password Secure Enough?“. Where I spoke about credential stuffing and how a malicious person will purchase email addresses and passwords from data breaches and attempt to use those combination on other services. This works because so many people reuse the same password over and over again. I really push in that post how important it is to have a password manager that generates random passwords for you that you don’t need to remember.
But truly passwords are just not enough anymore and we need something else to work with our passwords. Welcome Multi-Factor Authentication.
What is Multi-Factor Authentication (or MFA)?
Multi-Factor Authentication is using multiple different factors to authenticate you to a service. A password is just one factor for authentication and that is the knowledge factor or something you know. The other factors are:
Possession based Factors
Possession based factors are something you have. This can be the typical token device that displays a number for you to type in. It can be a USB device that contains certificates that authenticate who you are. Or it can be software apps for your phone like Microsoft Authenticator, or Google Authenticator. These software apps for your phones work similar to the token based devices where they display a number for you to type in. But most of them also give a push option to make MFA a little easier on the user.
Inherent Factors
Inherent Factors fall under the category of something you are. This typically includes some form of biometric whether it is finger print, face scan, iris scan or voice. These have recently come under some scrutiny because if any of these are in some way compromised you can’t change them. Where if a password is compromised you can simply change it but you cannot change you finger print.
Location Factors
Location Factors is becoming increasingly popular for their convince. An example of a Location Factor would be if someone was hardwired in their corporate office they would only need the password. Their location is the second factor. However if they are out of the office, say at home, they would need one of the other factors such as a token to be granted access.
Some service companies are taking this one step further and actually watching your location and determining of other make sense. For example if I log in from Virginia into an account and then an hour later there is a login attempt from Moscow. It is unlikely that I made it from Virginia to Moscow in an hour so that second login would be denied.
Type of MFA to stay away from
Yes there are types of MFA that we should try to avoid. However keep in mind that even using these types for MFA is better than no MFA at all.
SMS or Texting
Earlier versions of implementing MFA relied heavily on SMS or texting a code to a user. While this is still an option that many services still use and am be the only option in some cases it has been determined to be not as secure. Mostly because SMS is not a secure means of communication. SMS and Texts can be intercepted.
Email is also used in many services as a second for of authenticating someone but should be avoided when possible. If you do happen to use the same password for multiple services including your email it is possible that a malicious person could have access to your email. In that case, they then have access to the second factor as well. This is why email should be avoided at the second factor. But remember SMS and Email as the second factor are still better than NO second factor.
Different Apps used for MFA
I mentioned earlier that there are SmartPhone apps you can get to act as that second factor. These work great because they not only give you the generated code but most of them also allow for push notification. Push notifications allow you to just accept the login versus having to enter in a random code.
Google Authenticator
The Google Authenticator App is a very widely used authenticator app for many services such as:
- Google or G-Suite
- Barracuda
- Cloudflare
- Amazon AWS
- and more…
Microsoft Authenticator
Not to be out down Microsoft has their own Authenticator App. This is very similar to Google Authenticator and is primarily used for Microsoft services like Microsoft 365 of Azure services. It works the same as the Google Authenticator App and supports push notifications.
DUO Mobile
DUO is a company I will talk about a little more in the next section however they have their own Authenticator App. Obviously, this app works with DUO services but I have found it to work with many other services that support the Google Authenticator app. The caveat is that the push notifications don’t work in some scenarios.
Last Pass Authenticator
Very similar to DUO the Last Pass Authenticator is mainly used as the second factor to your Last Pass accounts. Last Pass is a password manager that I spoke about in the previous post and is the one that I personally use.
Companies that help with MFA
There are quite a few companies out there that help businesses implement MFA in places they could not before. Now, this is mainly for companies and not for individuals. But as a Systems Administrator, it would be part of your job to help implement and maintain these services.
DUO
First up we have DUO. Now I mentioned them a little while ago about having their own Authenticator App which is mainly used for their services. DUO is a great service based company that helps you to implement MFA in places you wouldn’t be able to before.
For example, DUO has software you can install on physical servers to force logins to be Multi-Factor. Or networking devices that use Radius authentication can now be integrated with DUO for MFA even if the only supports Radius.
One other thing to mention about DUO is that they were recently purchased by Cisco so I expect to see great things in terms of DUO being integrated with Cisco devices.
Okta
Okta is another company similar to DUO except they do more and are actually an Identity Management company. So they go a step further and allow users to log into an Okta interface using MFA and from there access all of their needed web applications without the need of an additional login. Okta really shines when it comes to identity management and web applications. Last I looked their offerings for on-premise hardware and software was a little lacking but I was assured that they were working on that. They do currently offer protection for remote desktop into Windows Servers but I have not seen anything in the area of Radius.
Conclusion on MFA
If you have made it to the end of this post I sincerely congratulate you. I appreciate you sticking with me and I REALLY hope you now have a good understanding of what MFA is and how it can really help to keep your sensitive accounts secure.
Now it is up to you! See what accounts you can set up for MFA help protect yourself. Also if you have any questions feel free to leave them in the comments below and please think about joining the community of aspiring Systems Administrators below.