top of page
  • gwestgate

Who the F*** are you?

Arguably, the first rock song written about authentication is Who Are you, by The Who. I understand why The Who were so passionate about authentication, it is the first pillar of security. A lot has changed since 1978 though, especially regarding authentication. You no longer have to ask somebody 152 times in the form of a song who they are. These days it is more customary to use a username, password, and Multi-Factor Authentication MFA.

I have written other posts about how important unique usernames and passwords are for security, but I have yet to discuss MFA. MFA verifies user identity by requiring users to provide data back that they received on a mobile phone when prompted by a browser or application. In today’s world not using MFA is the equivalent of not having a password. Every time you sign up for a new service you should check if it supports MFA and enable it.

Similar to every other digital technology, Multi-Factor Authentication is always evolving. Even as some system providers fail to enable it at all, other system providers are on their second or third generation of implementation. As each new method used for MFA is adopted bad actors look for ways to hack it. The most common forms of MFA are email and SMS verification. A code is sent to either email or text message that the user then types into the login prompt. Both of these forms of MFA are generally available to everyone and are easy to implement from a system perspective. SMS isn’t encrypted and prone to SMS hijacking.

The latest innovation in MFA is an authentication app. These are applications that run on mobile devices that provide PINs that reset every minute. When you log into a site that has been configured to use your authenticator app you can use the PIN when prompted. However, since convenience is the enemy of security and end users have a hard time wrapping their heads around the inconvenience, authenticator app developers created new ways their apps could be used that would not burden the end users. For example, instead of having to enter a PIN every time, users could get an alert sent to their authenticator app which prompted them to accept or dismiss the login. This is super easy for the end user and social engineering as well. A recent Dropbox breach occurred because of this process: How we handled a recent phishing incident that targeted Dropbox — Dropbox. MFA fatigue is a phenomenon that occurs when a user gets prompted repeatedly to approve a login that they stop paying attention to what they are approving and eventually approve a hacker.

To combat MFA fatigue and improve the general security of MFA, Microsoft has introduced a new MFA solution that will be deployed by default on February 27, 2023, to all its users. They are calling it “number matching in multifactor authentication”. when prompted to sign into Microsoft you get a pop-up asking to enter a number which you will receive on your Microsoft Authenticator app.

My company, GLM West, inc., offers consulting services that can help you with this and other IT outsourcing services, check out our website for more info!

8 views0 comments


bottom of page