Now that the University is beginning to roll out multi factor authentication (MFA) it is worth reviewing the reasoning behind it, and what future authentication might look like for staff and students at Oxford.
Bear in mind that I’m not critiquing the concept of MFA here: it is a vital step to improve security at a time when Universities are being actively sought as a hackable target, with potentially huge rewards for the malicious. So what I’m writing about here is considering the best second-factor one should use, of all the available MFA options.
By far the easiest way to compromise someone’s account is social engineering – persuading a user to volunteer their information. Adding a second factor, beyond just a password, adds complexity and challenges for the nefarious. It’s far less likely that a user will be persuaded. More specifically it also ensures that both password and MFA have to happen at the same place and time, returning some semblance control to the legitimate user even when their password has been compromised.
“…the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population.”
Alex Weinert (Director of Identity Security at Microsoft.)
TL;DR: You should use an authentication app on your preferred device.
Here’s why:
Text Messages
The underlying design of SMS has no capability to add encryption or verification. The need for backwards compatibility on billions of existing users’ devices, and vendors choosing to cease providing software updates after a couple of years, means that retro-fitting improved security can’t be done. The hardware to spoof a number is already out there, SMS signals can be intercepted, and it’s conceivable that anyone within range of a compromised user’s phone could generate fraudulent texts directed at that individual, or redirected elsewhere. SIM-swap fraud, where a ne’er-do-well impersonates you, to obtain a Porting Authority Code (PAC) to steal your phone number, is already a fairly common tactic.
The message size limit of 160 characters, roughly halved for some encoded languages, also limits the amount of information which can be transmitted at a time. And, finally, SMS lacks a mechanism to confirm delivery, or retry: messages can be delayed in transit or simply lost entirely.
Phone call
The public switched telephone network (PSTN) is similarly vulnerable: no encryption and no simple way to add any. The same issues of number spoofing exist and eavesdropping on a call is not beyond the capability of the determined criminal. The simplicity of the telephone system, based on well-known international standards, make it vulnerable to a whole host of attack vectors. Phone redirection is also simple and easy in most organisations, and is not (yet) widely recognised as an attack vector: it may be easier to socially engineer a telecoms department to get a user’s phone calls sent elsewhere. It’s probably that this could be done without the eyebrow-raising that asking for a password would provoke.
Hardware tokens
These are far more secure than PSTN or SMS second-factor authentication but have to be purchased. And if their security is ever compromised in the future it’s next to impossible to resolve that without simply having to replace them en masse.
App-based auth
The authentication app can take advantage of encryption and security features that are simply absent from the other authentication methods, and it’s updateable as new threats, or future vulnerabilities are discovered. Microsoft have already updated their authentication app several times this year – Microsoft’s Alex Weinart again:
“In just the last year, we’ve added app lock, hiding notifications from the lock screen, sign-in history in the app, and more – and this list will have grown by the time you plan your deployment, and keep growing while SMS and voice keep sitting still.”