Multi-Factor Authentication (MFA) is a security process that uses two or more forms of authentication to validate the identity of a user. The process is generally regarded as more secure than relying solely on passwords and security questions created by users.
There are several forms of MFA. In addition to a username and password, the user is required to present a further form of authentication. This might be biometric identification (such as a fingerprint scan), a one-time password generated by a secure hardware device (such as a security token), or an authentication code emailed to the user or sent by text to their smartphone.
Typically MFA is used to verify a user’s identity for login or to perform a transaction, such as online banking. The technique is becoming more widely used, given the value and sensitivity of personal data stored digitally and as individuals struggle to maintain secure passwords.
Hackers are also growing more sophisticated, using social engineering or techniques such as ‘password spraying’ to compromise accounts. According to Verizon, some 80% of hacking-related data breaches involve stolen or weak passwords.
In some sectors, MFA is considered best practice and is encouraged by regulators and industry bodies. The Payment Card Industry Data Security Standard (PCI DSS) guidance, for example, promotes MFA as a means of compliance, and it is also considered best practice for HIPAA compliance.
The European Union Agency for Network and Information Security (ENISA) also recommends MFA as a means of compliance with the EU’s General Data Protection Regulation for high-risk data.
While MFA is good practice, trust in it has been eroded since a cyber security researcher showed that phishing attacks against MFA-protected accounts can be automated. The researcher, Piotr Duszyński, published a toolkit known as Modlishka (the Polish word for mantis) that can bypass MFA.
The tool sits between the user and a target website, such as Outlook 365, Yahoo or Gmail. The user sees authentic content from the legitimate site, but every interaction passes through a reverse proxy (the Modlishka server). Any credentials entered are logged on that server, and the reverse proxy also prompts for the 2FA token when the account has been configured to require one, so that token can be relayed to the legitimate site as well.
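To make the paragraph above concrete, here is an added Python example (not from the article or from the Modlishka project) that models only the verifying server: a relayed one-time code is accepted because the code says nothing about which site the user typed it into, whereas an origin-bound assertion in the style of FIDO2/WebAuthn, which the article does not discuss, fails because the browser's real origin is part of what is signed. The site names, secret key and challenge are constructed, and the signature is simplified to an HMAC.

```python
# Added example, not part of the article or the Modlishka project. Models the
# real site's verification of two MFA types when the user is on a look-alike
# reverse proxy that forwards everything verbatim. All names and keys are constructed.
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://mail.example.com"   # legitimate site (constructed)
PROXY_ORIGIN = "https://mail-example.com"  # look-alike reverse proxy (constructed)

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; the code depends only on secret and time."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def server_checks_totp(secret: bytes, submitted: str, t: int) -> bool:
    return hmac.compare_digest(totp(secret, t), submitted)

def authenticator_sign(key: bytes, challenge: str, browser_origin: str):
    """The browser reports the origin it is actually on; it is part of the signed data."""
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin},
                             sort_keys=True).encode()
    return client_data, hmac.new(key, client_data, hashlib.sha256).hexdigest()

def server_checks_assertion(key: bytes, challenge: str, client_data: bytes, sig: str) -> bool:
    data = json.loads(client_data)
    if data.get("origin") != REAL_ORIGIN or data.get("challenge") != challenge:
        return False  # signed for the wrong site or for a different login attempt
    expected = hmac.new(key, client_data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)

def relay_demo(now: int = 1_700_000_000):
    """Same relay through the proxy for each MFA type. Returns (totp_ok, assertion_ok)."""
    key = b"constructed-shared-secret"
    relayed_code = totp(key, now)            # read off the phone, typed into the proxy
    totp_ok = server_checks_totp(key, relayed_code, now)
    challenge = "constructed-challenge-123"  # issued by the real site, forwarded verbatim
    client_data, sig = authenticator_sign(key, challenge, PROXY_ORIGIN)
    assertion_ok = server_checks_assertion(key, challenge, client_data, sig)
    return totp_ok, assertion_ok  # → (True, False)
```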
Worryingly, tools that exploit this weakness are being made available on the dark web, suggesting that the technique is likely to be used to compromise previously protected environments. A report from Amnesty International in December showed that advanced state-sponsored actors have already started using phishing systems that can bypass MFA.