Not all multi-factor authentication (MFA) is created equal.
/While any MFA is better than none, there are different levels of security risks associated with the various types of MFA that are available to secure your online accounts.
We at Infinite Edge are on a mission to make businesses more cyber intelligent, and part of that is cyber security intelligence (CSI).
So I thought I would break down the different types of MFA available, and the various risk levels associated with each.
🔑 Email authentication
This is the least recommended version of MFA and belongs in the one time password (OTP) category. If a hacker or scammer has access to your email account, it's simple for them to circumvent MFA by getting the code sent to your compromised email account.
🔑 SMS authentication
There have been a number of documented cases where hackers steal someone's identity or trick the customer service representative from the victim's phone provider into locking the owner out of the account. Then they port the mobile number to another carrier and get the MFA code sent to themselves.
🔑 Push Notifications
This was very commonly recommended by IT providers in previous years, due to the ease of use. i.e. instead of entering the six digit OTP MFA code every time, you receive a push notification to your authenticator app asking you to approve or deny the login.
Uber suffered a well-known breach due to an MFA fatigue attack, i.e. the hackers sent continuous MFA prompts to the victim until they eventually hit approve.
In some cases, users may accidentally hit approve when prompted.
🔑 Number match
As a result of the risks associated with push MFA authorisation, companies such as Microsoft introduced number matching. Essentially, this adds an extra step to push authorisation and asks the user to enter a matching two-digit number on their authenticator app.
Microsoft has recently announced they are forcing this on push notification MFA setups from Feb 27 2023.
🔑 Passwordless Authentication
For Microsoft users, even better is passwordless authentication. If you don't have a password, then it can't be compromised.
The way passwordless authentication works is the user enters their email address, and then they are prompted by the MS authenticator app to number match the displayed two-digit code.
We've begun rolling this out to all our clients, and it's a game changer.
There are also biometric MFA and hardware USB keys. The former is not recommended to fully replace OTP MFA due to reliability and stability issues, and the latter whilst considered probably the most secure type of MFA, is costly and the keys can be lost or misplaced.
Unfortunately, sometimes you're at the mercy of whatever MFA solution is offered by the online service. Whilst not ideal, as I said earlier, any MFA is better than no MFA.
What MFA authentication are you using?