Zeljka Zorz
Zeljka Zorz, Managing Editor, Help Net Security
October 4, 2019
Microsoft: Any form of MFA takes users out of reach of most attacks

The apparent ease with which SIM hijacking attacks are being perpetrated to get the targets’ second authentication factor for crucial accounts (online banking, cryptocurrency exchange, online wallet) must have raised some doubts about the security of multi-factor authentication (MFA) – and rightly so.

What users need to know and accept is that not all MFA options are equally secure but that, generally, they are all a safer option than using just a password.

“Use of anything beyond the password significantly increases the costs for attackers, which is why the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population,” Alex Weinert, Group Program Manager for the Identity Security and Protection team at Microsoft, explained.

Hardware-bound MFA options, such as smartcards, Windows Hello and FIDO tokens, are the most secure choices at the moment.

Which MFA option is right for you?

Additional authentication factors may come in various forms and/or are delivered via various means:

  • Static (chosen) PINs
  • Approval requests (by apps or devices), i.e. on-device prompts
  • One-time passcodes (OTP) delivered via SMS, email or phone call
  • Time-based one-time passcodes (TOTP) on OATH hardware tokens
  • Authentication applications like Microsoft Authenticator or Google Authenticator
  • Smartcards
  • Windows Hello
  • FIDO tokens (e.g., security keys)

All of these are great when users’ accounts are being targeted randomly by bots, but can fail when human attackers are willing to invest enough time and effort to get into them.

“Virtually all authenticators in common use today – phones, email, one-time passcode (OTP) tokens, and push notifications – are vulnerable to relatively low-cost attacks involving takeover of the communication channel used for the authenticator (Channel-Jacking) or intercept-and-replay of authentication messages using a machine-in-the-middle (Real-Time Phishing),” Weinert noted.

Users will continue to fall victim to phishing attacks. Channel jacking will continue to be a problem until account providers become invulnerable to password attacks, social engineering and bribery of support staff, and until technology and communication protocols are free of vulnerabilities (meaning: never).

That’s why Microsoft is pushing channel-independent, verifier-impersonation-resistant authenticator types such as smartcards, Windows Hello, and FIDO tokens.
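The following example is added here to show, from the verifier's side, why a relayed one-time code is accepted while a relayed FIDO-style assertion is not. It is not code from the article or from Microsoft. It uses an RFC 6238-style TOTP computation and a deliberately simplified WebAuthn assertion in which an HMAC over the authenticator data and client data hash stands in for the credential's ECDSA signature; all secrets, origins (`example.test`, `example-login.test`) and the challenge are constructed values. The property being demonstrated, that the signed client data carries the origin the browser actually saw, does not depend on the signature algorithm.

```python
"""Relayed TOTP vs. origin-bound FIDO assertion, checked from the verifier's side.

Added illustration, not the article's or Microsoft's code. The "signature" is an
HMAC stand-in for ECDSA; origins, secrets and challenge are constructed values.
"""
import hashlib
import hmac
import json
import struct


# --- TOTP, RFC 6238 style: HMAC-SHA1, 30-second step, 6 digits ---------------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    # The code is just six digits: nothing in it says which site it was typed into,
    # so a code relayed from a phishing page within the time window is accepted.
    return hmac.compare_digest(totp(secret, unix_time), code)


# --- Simplified WebAuthn "get" assertion --------------------------------------
def make_assertion(cred_secret: bytes, rp_id: str, challenge: bytes, browser_origin: str) -> dict:
    """The browser builds clientData with the origin of the page it is on; the
    authenticator signs authenticatorData || SHA-256(clientDataJSON)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": browser_origin},
        sort_keys=True,
    ).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash field only
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_secret, signed, hashlib.sha256).digest()  # stand-in for ECDSA
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def verify_assertion(cred_secret: bytes, rp_id: str, expected_origin: str,
                     challenge: bytes, assertion: dict) -> bool:
    """Relying-party checks in the order WebAuthn specifies them (simplified)."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != challenge.hex():
        return False
    if cd.get("origin") != expected_origin:
        return False  # origin is inside the signed data: a relay cannot rewrite it
    if assertion["auth_data"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected_sig = hmac.new(cred_secret, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["sig"])


def simulate_real_time_phishing() -> dict:
    """A proxy forwards the real site's login flow to a user on a look-alike origin."""
    # TOTP: the user reads a code from their app and types it into the proxy page.
    totp_seed = b"constructed-totp-seed"
    now = 1_700_000_000
    code_typed_on_phish_page = totp(totp_seed, now)
    totp_relayed = verify_totp(totp_seed, code_typed_on_phish_page, now)

    # FIDO: same challenge is relayed, but the browser records the origin it sees.
    cred_secret = b"constructed-credential-secret"
    rp_id = "example.test"
    real_origin = "https://example.test"
    phish_origin = "https://example-login.test"  # constructed look-alike
    challenge = hashlib.sha256(b"constructed-challenge").digest()

    legit = make_assertion(cred_secret, rp_id, challenge, real_origin)
    relayed = make_assertion(cred_secret, rp_id, challenge, phish_origin)
    return {
        "totp_relayed_accepted": totp_relayed,
        "fido_legit_accepted": verify_assertion(cred_secret, rp_id, real_origin, challenge, legit),
        "fido_relayed_accepted": verify_assertion(cred_secret, rp_id, real_origin, challenge, relayed),
    }


if __name__ == "__main__":
    for name, accepted in simulate_real_time_phishing().items():
        print(f"{name}: {accepted}")
```

In a real browser the relayed FIDO case fails even earlier: a credential registered for `example.test` is never offered to a page on `example-login.test`, because the RP ID must be a registrable suffix of the page's origin. The verifier-side origin and rpIdHash checks shown here are the second line of defence, and they are the reason Weinert calls these authenticators verifier-impersonation resistant; the TOTP branch shows why a six-digit code, however it is delivered, cannot give the verifier the same assurance.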

Even those are vulnerable to some attacks, such as a combination of theft of the card/device/token and shoulder-surfing, but they require a considerable effort by the attackers.

Such a level of effort is usually reserved only for high-value targets and accounts – and most users and accounts do not fall in that category. For those, any MFA option is a good idea as it will put them out of reach of most attacks, Weinert noted.
