Signal / Twilio Incident – How Secure Are SMS Verifications? Experts Weigh In

Signal, often considered one of the most secure messaging apps, was recently affected by a phishing attack against Twilio, the company that provides Signal with phone number verification services.

With this breach in mind, InfoSec experts and industry leaders provided some insights on MFA and SMS:

• What is a secure method for 2FA?

• Is SMS a secure 2FA method?

• What advice do you have for secure MFA implementation?

Debrup Ghosh, Senior Product Manager
August 18, 2022 5:58 pm

• What is a secure method for 2FA?

2FA authenticators are the most secure method to implement 2FA/MFA, although security practices such as a robust password policy (for example, one that prevents users from reusing passwords or from using context-specific words in passwords) and including a captcha provide better protection as well. The rise of password-less authentication has also seen the adoption of novel methods such as password-less authentication with email and one-time-use codes/magic links, which offer both high security and convenience while also ensuring the login flow is predictable for end users. With improved adoption, I expect these methods to become more mainstream in the near future.

• What advice do you have for secure MFA implementation?

MFA is just one tool in the security manager’s toolkit. Organizations need a comprehensive strategy that starts with analyzing architecture-level risks and then evaluates risks at the component level, with effective change management practices to ensure success.

Jamie Boote, Security Consultant
August 18, 2022 5:57 pm

• What is a secure method for 2FA?

The most secure method for 2FA is most likely one designed with security and maintainability in mind. There is no perfect 2FA method, as evidenced a few years ago by the RSA token breach, where attackers could guess the rotating six-digit key that the RSA hardware tokens would produce. While this did expose a weakness in 2FA hardware tokens, security researchers did learn from this issue. In the short term, the RSA administrators were able to mitigate the “predictable” nature of a token’s numeric key by requiring a user to set a numeric PIN that the attacker would have to know in order to get the full 2FA key. In the long term, enterprises switched to software-based solutions such as Okta, Duo, or Google’s Authenticator app, which were patchable in case new flaws were discovered.

• Is SMS a secure 2FA method?

SMS was never designed to be a 2FA method. Originally it was a maintenance communication channel between cell towers and phones. It only became a consumer-centric communications channel after users discovered they could send text messages to one another. In the same vein, SMS only became a security channel after software developers discovered they could send OTP (one-time password) codes via SMS. 
While adding SMS to a password and username combination did increase security in the beginning, its increased use also saw attackers focus on attacks against the SMS 2FA channel which has decreased its security benefit. Currently, SMS 2FA is only recommended for lower risk operations such as creating a new account or confirming access to a phone number.

• What advice do you have for secure MFA implementation?

When initially deploying any form of MFA, enterprises will experience pushback from any users who have limited experience with cybersecurity and view the addition of extra security measures as a speedbump to them doing their assigned work. These users will tend to fit the profile of those who moan about password complexity or who’ve taken to keeping passwords on sticky notes under their keyboards. The easiest way to resolve this situation is through education covering real-world examples of cyber incidents where MFA could’ve assisted in containing or preventing the breach. While MFA presumes the user has multiple independent means to identify themselves, care should be taken to avoid single points of failure in the design. For example, if the second identification form is a code [generated by] a mobile device and the user is logging in on the same mobile device, does the use of a text message effectively remove one of the authentication factors?

A properly designed MFA model will assume employees will have some variant of a BYO model in place. This could be a personal cell phone, or a home computer used when a corporate issued device isn’t available. By following a BYO paradigm, an effective zero-trust boundary can be created which presumes that access to any system via an external network must use multiple factors. As with all authentication models, auditing should be enabled at all levels, but with a BYO paradigm care should be taken to ensure that any single points of failure are minimized. This is due to the lack of control over the device and that the device might actually support multiple users. Put another way, in a shared use environment mitigating the risk of pre-authorized cached access to resources could create a threat vector resulting from access. This is why all MFA implementations should go through a comprehensive threat assessment.

Information Security Buzz