Why multi-factor authentication is so important

Recently, a mobile app called “Timehop” announced that they suffered a security breach last December. A hacker managed to gain access to their systems and stole user information. This information contained usernames, emails, telephone numbers and most importantly access keys to their social services like Facebook, Twitter, Instagram etc.

Timehop is an app that dredges up old social media posts for a given day from years past.

Not all of the users had email addresses, phone numbers or real names associated with their account, but all had access keys that were authorized to interact with the relevant social media services. Timehop said it de-authenticated all accounts so that the hackers would not be able to use the keys to retrieve any data.

The hacker managed to gain access to an admin account that was not secured by multi-factor authentication – a mistake made by many companies in the past and most recently also the folly of Deloitte – one of the world’s “big four” accounting firms.

In Timehop’s case, the attacker gained access on four separate occasions in December, 2017, and then again in March and June 2018. These initial intrusions were purely for reconnaissance and remained undetected until the 4th of July 2018 when the hacker tried to exfiltrate data from the company. The attack was detected and access was cut off two hours and nineteen minutes later.

Multi-factor authentication is defined as “something you know” – like your password and “something you have” – like an authentication key. Such keys have been used by security company RSA for many years, but never really found mainstream acceptance for many reasons. One being that is was fairly expensive and had to be sourced, configured and distributed. The key contained a code that changed on a regular basis and was synchronised with the resource that the user was trying to access.

Having two passwords associated with an account, with one that cannot be easily stolen, makes it very difficult to hack.

In recent years, the need for tighter security on services and the explosion of sensitive information held by these services has led to a boom in hacks. This has resulted in a greater need to protect access.

Initially, the cheaper and more convenient alternative of having to carry a physical key, was for the secure service to send a user an OTP (One Time Pin). This was effectively generated when the user tried to log in and was sent via an alternate channel, such as email or SMS (text message). However, this is not as secure as it could be as cellular-provider staff colluded with hackers to gain control over a target’s cell phone to intercept the pin codes.

As smart phones became more popular, applications (such as Google’s Authenticator amongst others) were being developed. In other words, the “something you have” is now an app running on your mobile phone. A login now requires a username, password, and a code generated from the application. When a secure login is required, a user is then prompted to accept or reject on their phone.

As computers increased in power, the ability to crack passwords became a lot easier. This has resulted in users being required to memorise longer and more complex passwords. They have also been advised not to reuse passwords across multiple resources. If one resource is compromised, it is easy to compromise the others as well. With the proliferation of online services, the need to remember numerous passwords has become routine. It becomes highly probably that password reuse occurs, or patterns form.

With multi-factor authentication, there is no need to remember long, complex, unique passwords that have to change on a regular basis. However, it does require a person to have their mobile phone handy, but this is hardly an inconvenience in today’s always-connected world.

So, turn on multi-factor authentication:

  • it could save your valuable personal information,
  • it could save your reputation,
  • it could save your job,
  • it could save your company,
  • and it could save innocent third parties.

The following two tabs change content below.

Andrew Smith

Andrew is a senior systems-engineer with over 20 years experience in corporate and small business environments. This includes consulting for large ICT service providers. He has supported systems at every level in the organization, including infrastructure, operating systems, applications, and perimeter protection. He also collaborates with software development teams on web, database, and infrastructure security. Andrew has co-founded multiple ICT businesses, where he advises on cybersecurity strategies and policies. Andrew has a 3-year National Diploma in Electronics (light current).

Latest posts by Andrew Smith (see all)