Multifactor authentication (abbreviated as MFA) is considered an important tool for strengthening IT security. However, hackers exploit vulnerabilities here as well.
Multifactor authentication is mainly used to improve the security of online activities. For example, before a user can authorize a payment or even log into their bank account, their identity is confirmed through an alternate channel. The most common method is MFA via SMS, which is offered, for example, by the online payment service PayPal. As soon as the user wants to pay for something online via PayPal, they receive an SMS containing a TAN at the previously saved cell phone number. The payment is only processed once they enter it. In short: MFA augments the process with additional authentication or identity verification steps.
This means that stolen email addresses and passwords alone are no longer enough to make payments. So MFA in itself is very good and extremely useful in both personal and business life. Nevertheless, there are vulnerabilities here too, which are exploited by hackers.
Worst case scenario: no MFA
Before we get to the points where multifactor authentication is flawed, let’s once again make the case for its use. According to a Microsoft study, more than 99.9% of all compromised Microsoft customers don’t use MFA at all. If password protection is also inadequate – for example, because password managers are not being used – a successful cyberattack is only a matter of time.
Companies that handle sensitive data, employ people working from home, and/or rely on many practical tools for fast process handling should in particular never be without MFA. It is important to learn how to balance security and convenience, because it is precisely the most convenient and fastest MFA method that attracts more and more attackers.
Multifactor authentication via SMS is convenient, but…
MFA is fastest with SMS, and since almost everyone has a smartphone these days, the method is very popular. Its disadvantage: it is relatively insecure.
The reason: with SMS, there is a risk that the saved cell phone number falls victim to a SIM swap (also called SIM-card hijacking), in which hackers take over the entire number. The first step is for the hackers to obtain the cell phone number. To do this, they either break into social networking profiles or start a chat with a potential victim under an assumed name. Once they have the number, the cybercriminals contact the provider and pretend to be the user who has lost the SIM card or needs a second copy. Or they terminate the contract and request that the number be ported. It sounds complicated, but it is common practice and easy for criminals to do.
An alternative is the cookie attack, in which the user and login data stored in browser cookies are intercepted.
Security first: MFA with biometric or adaptive information
Multifactor authentication using biometric, adaptive or contextual information is much more secure. Professional password managers already use such methods automatically. Essentially, professional MFA is based on three factors:
Knowledge (pin code, password, control questions)
Possession (smartphone, laptop)
Inherence (biometric factors such as facial recognition and voice recognition, and behavioral traits such as typing speed)
Artificial intelligence is then used for adaptive, context-dependent multifactor authentication. The system evaluates whether the login attempt fits the user’s overall pattern; an alarm is raised, for example, if a user appears to change continents within two hours. Every individual registration or login attempt is subject to such a validity check.
In addition, companies should remember to cover as many authentication processes as possible: not only the registration and login process, but also account recovery in the event of an apparent password loss or the like.
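The adaptive check described in the two paragraphs above (does this attempt fit the user’s usual pattern, and is a continent change within two hours treated as suspicious?) and the requirement that account recovery be covered as strictly as login can be shown in a small policy. The following is an added example written for this article, not code from any vendor or password manager mentioned here; the risk scores, the two-hour window, the country-to-continent table and the sample attempts are all constructed assumptions.

```python
"""Added example: a minimal adaptive (context-aware) MFA policy.

Every login or account-recovery attempt carries context (user, time, source
country, device). The policy compares it with the user's previous attempt and
decides whether the request may proceed on the first factor alone, must be
challenged with a second factor (step-up), or must be blocked and alerted on.
All thresholds, names and sample data are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Policy outcomes, from least to most restrictive.
ALLOW, STEP_UP, BLOCK = "allow", "step_up", "block"

# Constructed lookup: ISO country code -> continent. A real deployment would
# derive this from IP geolocation data.
CONTINENT = {"DE": "EU", "FR": "EU", "US": "NA", "BR": "SA", "JP": "AS"}

# "Impossible travel" window taken from the article's example (two hours).
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=2)


@dataclass
class Attempt:
    user: str
    flow: str           # "login" or "recovery" - both flows go through the policy
    ts: datetime
    country: str        # country of the source address (constructed)
    known_device: bool  # device previously enrolled for this user


def evaluate(current: Attempt, previous: Optional[Attempt]) -> Tuple[str, List[str]]:
    """Score one attempt against the user's previous attempt.

    Returns (decision, reasons). Scores are additive so that several weak
    signals together can still force a step-up or a block.
    """
    reasons: List[str] = []
    score = 0

    # Account recovery resets the password, so it must never pass on one factor.
    if current.flow == "recovery":
        reasons.append("recovery flow always requires a second factor")
        score += 2

    if not current.known_device:
        reasons.append("unknown device")
        score += 2

    if previous is not None and previous.user == current.user:
        elapsed = current.ts - previous.ts
        if (CONTINENT.get(previous.country) != CONTINENT.get(current.country)
                and elapsed <= IMPOSSIBLE_TRAVEL_WINDOW):
            reasons.append(
                f"continent changed {previous.country}->{current.country} "
                f"within {elapsed}")
            score += 3

    if score >= 5:
        return BLOCK, reasons      # block and raise an alarm for review
    if score >= 2:
        return STEP_UP, reasons    # challenge with a second factor
    return ALLOW, reasons


def run_demo() -> List[str]:
    """Evaluate a constructed sequence of attempts for one user."""
    t0 = datetime(2024, 5, 1, 9, 0)
    attempts = [
        Attempt("alice", "login", t0, "DE", known_device=True),
        # Same user, 90 minutes later, from North America: impossible travel.
        Attempt("alice", "login", t0 + timedelta(minutes=90), "US", known_device=True),
        # Recovery from an unknown device on yet another continent.
        Attempt("alice", "recovery", t0 + timedelta(minutes=100), "BR", known_device=False),
        # Recovery from a known device, same continent, a day later.
        Attempt("alice", "recovery", t0 + timedelta(days=1), "FR", known_device=True),
    ]
    decisions = []
    previous: Optional[Attempt] = None
    for attempt in attempts:
        decision, reasons = evaluate(attempt, previous)
        print(f"{attempt.flow:8} {attempt.country} -> {decision:7} {reasons}")
        decisions.append(decision)
        previous = attempt
    return decisions


if __name__ == "__main__":
    run_demo()
```

The point of the additive score is that a single signal such as an unknown device only triggers a step-up, while a recovery request from an unknown device that also fails the impossible-travel check is blocked outright and surfaced to the security team; the same policy runs for login and for recovery, so the recovery path does not become the weaker one.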