Why is Two-Factor-Authentication (2FA) So Important?


Summary


Over the past few months, I personally have seen an increase in failed sign-in activity on my personal email accounts, along with a significant increase in phishing attempts, many people reading this would likely not even be aware that you can check the log for your Outlook and Gmail account yourself, many would also be shocked to perhaps see how frequent their account has been targeted, or perhaps how successful an adversary may have been.


I will shed some light on this at the bottom of this article.


You can read my previous article on the ‘’Cyber Attacks – Today’s Reality’’ here, I encourage you to read this before continuing with the below.


Introduction


I am currently studying towards my CISM (Certified Information Security Manager) certification by ISACA.


I have been reading material now for over 5 months, the subject is not new to me, however the depth and breadth of information and exceptionally valuable policies and procedures has made me realise how vitally important it is for others to educate themselves on the protection of information, be it their own, or the company in which they work, or own.


I recall telling people that this was an area I wanted to study, people looked at me oddly, as they know my background is far from InfoSec, however, it does not matter if you are involved in event security, executive protection, corporate security, the security of information is vital, and knowledge of how to secure it, and the understanding and acknowledgment of the threats that exist, is imperative for everyone to accept and understand.


I have witnessed over the years organisations spending vast amounts of money on physical security measures but have failed in addressing a much more harmful and lesser acknowledged threat, that is, insider threat, in short, theft of information by employees, or negligence and denial by employees.


This might be due to either lack of acknowledgment, security maturity, or simply a lack of organisational (C-Suite) education in this area, this might be due to the entity not having a CISO (Chief Information Security Officer) to educate the business on the reality of securing information, perhaps a flawed InfoSec awareness program, or perhaps through a TVRA (Threat Vulnerability and Risk Assessment), conducted by a Head of Security, who may not be InfoSec savvy, and the theft of information from insiders (employees) has not been considered.


The reality is simple, the securing of information, be it personal private information, or within an organisation is vital.


The Reality


For years, the dangers of protecting online accounts with only basic, password based, authentication has been common practice, and I guarantee most people reading this will only have a single account password.


Yet, despite this, the transition to stronger forms of authentication has been slow, likely due to the above, education and awareness.


The National Cyber Security Centre (NCSC) recommends 2FA for email accounts, as email provides a route in for cybercriminals to reset passwords on other accounts.


Why 2FA?


A password is something someone knows and therefore it can be shared. Astonishingly, people sometimes do this knowingly and willingly (negligence), particularly in a business setting when colleagues need to access a little-used system or application, or on another behalf, perhaps due to a poor hand-over prior to vacation, or, under pressure due to time constraints and not being able to reach a location, or asset in time.


Beyond this type of intentional sharing, passwords can also be tricked out of people through phishing. Phishing attacks are becoming increasingly sophisticated and therefore difficult to spot. An email may appear to be from a legitimate service provider, such as a bank, yet when the unwitting customer clicks on a link they could be taken to a fake site.


If they enter their information at this point, the cybercriminal can use the phished credentials on the actual service provider’s site to gain access to the user’s account, it is very simple, and, incredibly effective, imagine how many people of an older generation might be none the wiser to this type of attack, imagine your parents for example.


Even more sophisticated, and another danger to password-only protection, are man-in-the-middle (MiTM) attacks. These come about when a cybercriminal is in the middle of communications between a service user (an internet customer) and a provider (internet provider) for example, both of whom believe they are communicating with each other.


As with phishing, highly personalized messages provide a vehicle for MitM attacks, as do unprotected Wi-Fi networks and manipulated URLs that look like legitimate sites.


Strong authentication is necessary to increase access levels for accounts and online services. Passwords alone provide weak protection because they can be guessed and phished, and, once stolen, tried against a range of accounts in the hope of a successful hit, remember, people do this for a living, they have the time do partake in this activity, think about risk vs reward, capability, know-how, motivation.


Every week you can read new stories about high profile data breaches and password leaks. You may think that this only happens to those with outdated systems, huge businesses, or those with poor security, however you would be wrong. The significance of creating strong passwords is with other words more important than ever, but these alone are not sufficient.


Here are some worrying facts about this traditional password security measure.

  • 90% of passwords can be cracked in less than six hours.

  • Two-thirds of people use the same password everywhere, for everything.

  • 57% of people who have already been scammed in phishing attacks still have not changed their passwords and are likely none the wiser to the attack even taking place.


How Can 2FA Help?


True (2-Step Authentication) 2FA requires two different types of authentication factors.


Because it takes more work to hack a second authentication factor, and because other types of factors are more difficult to steal or falsify, 2FA improves account security and better protects an individual, or an organization, and its users from unauthorized access.


2FA is the most used type of multi-factor authentication (MFA) – authentication requiring at least one authentication factor in addition to a password, or at least two authentication factors instead of a password.


2FA is an additional layer of security used to ensure only authenticated users gain access to an online account. Initially, a user will enter their username and a password as usual. Then, rather than gaining access straight away, they will be required to provide additional information.


This second factor could come from one of the following categories.


Something you own


A code from an Authenticator app on your phone, or a code sent by SMS to your mobile phone.


Possession factors offer several advantages over knowledge factors. To impersonate a user, at the time of log-in a hacker needs to have the physical device in hand or intercept the transmission to the device to acquire the OTP or TOTP before it expires.


But possession factors aren’t uncrackable. Physical tokens and smartphones can be stolen or misplaced. While OTPs and TOTPs are more difficult to steal than traditional passwords, they are still susceptible to sophisticated phishing or man-in-the-middle attacks. And OTPs are vulnerable to SIM cloning - creating a functional duplicate of the victim's smartphone's SIM card.


In regard to SIM cloning, this is a relatively easy process if the adversary has the know-how, capability and motivation, but made even easier when the person has your SIM Card, think about this the next time you take your phone to a repair centre and leave it in their hands for a few hours to fix a broken screen or camera, especially when you might be in a foreign country, on business or on vacation.


Something you are


A biometric indicator, like your fingerprint (Touch ID) or facial recognition (Face ID).

With 2FA, a potential compromise of one of these factors will not compromise the account itself. So, even if your password is taken or your phone, the chances of someone else having access to both factors is weakened.


Inherent factors, also called biometrics, are physical characteristics or traits unique to the user — a fingerprint, a voice, facial features, or iris and retinal patterns. Today mobile devices can be unlocked using fingerprints or facial recognition; some computers can use fingerprints to enter passwords into websites or applications.


Inherent factors are the most difficult factors to crack: They can't be forgotten, lost, or misplaced, and they are extraordinarily difficult to replicate - But that doesn't mean they're fool proof.


If inherent factors are stored in a database, they can be stolen. For example, in 2019, a biometric database containing 1 million users' fingerprints was breached. Theoretically, hackers could steal these fingerprints or link their own fingerprints to another user's profile in the database.


When biometric data is compromised, it can't be changed quickly or easily, making it difficult for victims to stop attacks in progress.


‘’Working From Home’’


For many businesses, hybrid remote/office working environments add to the urgency to strengthen authentication practices. It is likely that many people will continue to work from home, at least some of the time, despite the return to offices, depending on who you work for and where pf course.


This means expanded corporate IT infrastructure, comprising of many more devices accessing networks, systems, and applications from many more places, will become more common, and people expecting to be able to access the same information they could at their office desk, from the comfort of their own home.


Now, companies must mitigate security risks and protect access at the device and application level, not only in-country, but of course whilst overseas. With this should come a more rigorous, and structured security awareness program within your organization, focusing on best practice, as stated, we cannot blame employees, we must look at ways to educate staff, and the people around us, before passing blame.


Overseas travel for employees provides a fertile environment for information theft, for example travelling with a laptop (or phone, iPad, etc.) can represent a significant security risk to your business. This is because the data it contains is far more vulnerable when you are on the move than when you use a laptop in the relative safety of your office or home environment, on what should be a secure network and away from adversaries – CSMP, Unit 11.


You might think that the laptop is password protected, so you do not need to worry as it cannot be accessed, you are wrong, it can be, and with relative ease, either by using a USB, or even an overseas customs official trying to force you to provide a password for your device, perhaps as they are working within a Foreign Intelligence Agency (FIS).


If you have oversight of a business’s travel security programme for employees, how advanced is the overseas travel awareness programme in place? And does this also cover Technical Surveillance Countermeasures (TCSM)?


As stated above, security culture starts with us, the security professional and specialist.


No Need, I am The Director of….


Much like physical credentials, for example those with access rights to certain areas within a venue, or office, many people have complete disregard for credential wearing, or the meaning of access control and why it exists, either through belligerence, ignorance, or have been inappropriately educated on the access control policy and procedures that exist.


Access control also applies to InfoSec, for example access to secure folders or files, many people assume, much like physical access control, that because of their title, they have the automatic right to access every folder, document, and piece of information imaginable within an organization, this is categorically not the case.


Information should be accessible for those whom ‘’need to know’’, not based on job title, the same for physical access control ‘’need to go’’, remember, an environment with an immature, and poor security culture will likely be rife with this behaviour.


Solutions


Several types of two-factor authentication are in use today, some may be stronger or more complex than others, but all of them offer better protection than passwords alone.

  • One Time PIN (OTP), either from an Authenticator app or Hardware token.

  • Code from a SMS text message.

  • Fingerprint Scan (Touch ID).

  • Facial Recognition (Face ID).

Further Advice – Outlook/Microsoft


If you use Outlook, head to your Microsoft Account, then select ‘’Security’’ then ‘’Sign-In Activity’’.


Here you will find any sign-in information on your account, you will be able to see when, where, with what, and what happened, and if you are unsure, you can re-secure the account.

You might be shocked to see ‘’failed’’ attempts on your account, they may range from various countries, cities, browsers, and actions. Once you select the option that says ‘’Unfamiliar’’ you will possibly told of the next actions, if you are lucky, you will be told that a password change is not necessary as the sign-in attempt was unsuccessful.


Finally, within the same root menu, select ‘’Advanced Security Options’’, then ensure all options are turned on, and then below, ensure ‘’Two-Step Verification’’ is activated.


Note the 2FA application on a handheld device is Microsoft’s own, named Microsoft Authenticator.


Further Advice – Google/Gmail


If you use Google/Gmail, head to your Google Account, then select ‘’Security Check-Up’’, then complete all recommended actions.



Social Media


Many of you may also be unaware, that the majority of all social media sites can now be secured using 2FA, specifically LinkedIn, Instagram, and Facebook, you should proceed to security settings and ensure this is activated for all accounts.


A great application for social media accounts is named Duo Mobile.


You should also set your Facebook to a locked account, another tool very few people are aware of, read this article to find out why, and how.


This one for LinkedIn.


To Conclude


I hope you will leave a comment and let me know if this was of use to you, remember, we can all do more.


Regards,


Adam