MFA and Biometric Authentication: Secure the Digital Profile
Every October, National Cybersecurity Awareness Month (NCSAM) promotes the importance of cybersecurity and of making resources available to help people be safer and more secure online.
This year’s NCSAM theme is “Own It. Secure It. Protect It.” The theme emphasizes the role each individual person plays in online safety and the importance of taking proactive steps to enhance cybersecurity both at home and in the workplace.
Over the next few weeks, we’ll explore each of these three core components — beginning with “Secure It.”
When It Comes to Securing Your Digital Profile, MFA Is Table Stakes
Cybercriminals are very good at getting personal and sensitive information from unsuspecting victims. As technology evolves, their methods have become increasingly targeted.
As a technology user, you have a responsibility to protect against cyber threats by learning about the available security features on the devices and in the software that you use. It’s also critical to use multiple types of authentication — not just a password — to protect your devices and online services such as bank accounts, email and social media accounts.
Typically, this begins with implementing multi-factor authentication (MFA), a security mechanism in which individuals must present two pieces of identity verification when logging into an account. In most cases, MFA includes a password and some kind of authentication on the user’s mobile device — SMS is the most common. Using MFA means that even if a cyber attacker manages to figure out your super strong password, they still would not be able to gain access without the other piece of authentication.
According to Microsoft research, utilizing MFA makes your accounts 99.9 percent less likely to be compromised. It’s an important cybersecurity best practice that doesn’t take much effort to implement. Unfortunately, however, motivated cyber attackers are always discovering potential work-arounds. Recent headlines reveal that while MFA is a critical step, it is also a target.
Overcoming Blind Spots in MFA with Biometric Technology
Earlier this month, the FBI issued a warning stating that it has “observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks.”
As more people implement MFA as an additional layer of cybersecurity protection, attackers are turning their attention and efforts toward exploiting blind spots inherent in MFA. Consider that MFA typically relies on “something you know” (e.g., a security question) and “something you have” (e.g., a laptop or smartphone). Here’s the problem: nothing about either of these methods actually confirms identity. Something you have can be stolen and something you know can be learned.
The attack on Twitter CEO Jack Dorsey is an example of how attackers can exploit these MFA blind spots. In late August, Dorsey’s personal Twitter handle was compromised. Nearly two dozen offensive tweets and retweets were posted before the content was removed. The social media attack was just one in a series of Twitter account takeovers targeting a string of celebrities and social media influencers.
The attack method, known as a “SIM swap,” is accomplished when an attacker either convinces or bribes a mobile carrier employee to switch the number associated with a SIM card to another mobile device. According to the New York Times, these switches often cost as little as $100 for each phone number.
After the switch is made, the attacker can intercept any MFA codes sent by text message and essentially take control of the user’s entire phone number. This allows the attacker to gain access to everything from a person’s social media to banking, email and even cryptocurrency accounts. Some attackers are even using this SIM swap method to target and compromise high-profile politicians, causing reputation damage and spreading misinformation.
So how can you protect yourself? The FBI is urging individuals and organizations to continue using MFA and also to take security one step further by adding biometric authentication. This will make it harder for attackers to trick users into disclosing MFA codes or use technical interception to create them.
Biometric authentication uses biometric identifiers, such as fingerprints, iris scans and voice patterns, for identification and access control purposes. These biometric identifiers are completely unique to the individual. As an individual, you can easily activate biometric functionalities already available on your devices and use them for authentication purposes.
There is no silver bullet for cybersecurity — it takes a strong mix of technology and security best practices to protect yourself and your organization in the digital era. The FBI’s guidelines around MFA and common-sense biometrics applications are spot on, as both are integral components of a multi-layered security approach. (This is sometimes referred to as Zero Trust for enterprise organizations.)
Don’t wait until it’s too late. Take action this Cybersecurity Awareness Month and “Secure It” by applying these important layers of security to your devices and online accounts.