Published on 23 Mar 2023 | Updated on 23 Mar 2023
As cyber-attacks become more prevalent and sophisticated, relying solely on passwords to secure users’ online accounts may no longer be sufficient. Usernames and passwords are vulnerable to a variety of attack methods, including phishing, keylogging, and credential leaks. It is crucial to add one or more extra layers of protection through the use of multi-factor authentication (MFA) to minimise the risk of unauthorised access to users’ online accounts.
MFA is an authentication method that requires users to provide two or more forms of identification before access is granted. Enabling MFA provides additional safeguards to users' online accounts. For instance, accounts with two-factor authentication (2FA) enabled are more secure as threat actors with access to compromised account credentials will not be able to access the account without the second factor of authentication. However, users should also note that not all forms of authentication are created equal and that certain types of MFA may be more vulnerable to compromise compared to others.
Types of Multi-Factor Authentication
There are several types of MFA that leverage what users have and what users are. The most common types are:
SMS-based authentication generates One-Time Passwords (OTPs) (numeric or alphanumeric codes) which are sent via SMS to the user's registered mobile number. SMS OTPs are typically combined with passwords to provide 2FA, which requires users to provide something they know (their password) and something they have (their mobile phone).
Biometric authentication uses the biological (e.g. fingerprints, facial features, iris patterns) or behavioural characteristics (e.g. voice patterns, signature dynamics, and keystroke patterns) of an individual to verify user identity. As biometric data is unique to each individual, it is typically combined with passwords to provide 2FA as an additional layer of security, which requires users to provide something they know (their password) and something they are (their biometrics).
Application-based authentication uses authenticator apps to generate OTPs that can be used for 2FA. Popular authenticator apps include Google Authenticator, Microsoft Authenticator, and Authy. Authenticator apps are typically combined with passwords to provide 2FA, which requires users to provide something they know (their password) and something they have (the authenticator app).
How Various Multi-Factor Authenticators Work
How SMS-based Authentication Works
When a user enables SMS-based authentication, they register a mobile number that is tagged to their account. When the user wants to log in, the system generates an OTP and sends it to the registered number via SMS. SMS OTPs are valid only for a limited period, typically 3 minutes, after which they expire and cannot be used. The system verifies the OTP entered by the user against the one it issued and grants access to the account if they match.
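The server-side half of that flow, written as an added illustration rather than code from SingCERT or any particular service, looks like the following. It generates the OTP from a cryptographically secure random source, enforces the 3-minute validity period described above, allows each code to be used only once, caps the number of guesses (the limit of five is an assumption for the example), and compares the submitted code in constant time. The SMS gateway and the clock are injected so the example runs offline.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

OTP_TTL_SECONDS = 180   # the 3-minute validity period described above
OTP_DIGITS = 6
MAX_ATTEMPTS = 5        # assumption for this example: discard the code after a few wrong guesses


@dataclass
class PendingOtp:
    code: str
    issued_at: float
    attempts: int = 0


class SmsOtpService:
    """Issues and verifies SMS OTPs for a login step (illustrative, in-memory store)."""

    def __init__(self, send_sms: Callable[[str, str], None], clock: Callable[[], float] = time.time):
        self._send_sms = send_sms   # callable(phone_number, message_text); replaced by a stub in tests
        self._clock = clock
        self._pending: Dict[str, PendingOtp] = {}

    def issue(self, account_id: str, phone_number: str) -> None:
        # secrets.randbelow is CSPRNG-backed; zfill keeps leading zeros so the code is always 6 digits.
        code = str(secrets.randbelow(10 ** OTP_DIGITS)).zfill(OTP_DIGITS)
        # Re-issuing replaces any earlier code, so only one code is ever live per account.
        self._pending[account_id] = PendingOtp(code=code, issued_at=self._clock())
        self._send_sms(phone_number, f"{code} is your verification code. It expires in 3 minutes.")

    def verify(self, account_id: str, submitted: str) -> bool:
        pending = self._pending.get(account_id)
        if pending is None:
            return False
        if self._clock() - pending.issued_at > OTP_TTL_SECONDS:
            del self._pending[account_id]   # expired: the code cannot be used again
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[account_id]   # too many guesses: force a fresh code
            return False
        # compare_digest needs ASCII strings of any length; reject anything else before comparing.
        if not (submitted.isascii() and submitted.isdigit()):
            return False
        if hmac.compare_digest(pending.code, submitted):
            del self._pending[account_id]   # single use: a replayed code is rejected
            return True
        return False


if __name__ == "__main__":
    sent = []
    svc = SmsOtpService(send_sms=lambda phone, text: sent.append(text))
    svc.issue("demo-account", "+65 0000 0000")   # constructed placeholder number
    code = sent[-1][:OTP_DIGITS]
    print("first use accepted:", svc.verify("demo-account", code))
    print("replay accepted:", svc.verify("demo-account", code))
```

The expiry check runs before the attempt counter so that an expired code is discarded regardless of how many guesses were made, and the successful path deletes the record so the same code cannot be accepted twice.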
How Biometric Authentication Works
When a user enables biometric authentication, the user will be required to enrol their biometric data into the system by capturing and storing their unique physical or behavioural traits in a digital format. This data can include fingerprint scans, facial recognition, iris recognition, or voice recognition.
When the user wants to log in to their account, their biometric data is then used to verify the identity of the user by comparing the data against a list of existing users whose biometric data have been registered in the system. If the biometric data matches, the user is granted access.
How Application-based Authentication Works
When a user enables 2FA involving an authenticator app on their account, the user will typically be asked to scan a Quick Response (QR) code or enter a secret key provided by the service into their authenticator app.
Once the secret key has been entered, the authenticator app uses an algorithm such as Time-based One-Time Password (TOTP) or HMAC-based One-Time Password (HOTP) to generate a unique OTP that remains valid for a specific time window, typically 30 seconds, before changing. The algorithm combines the secret key, which is shared only between the service and the app, with the current time (TOTP) or a counter (HOTP) to generate the OTP.
When the user wants to log in to their account, they will be prompted to enter the OTP generated by their authenticator app after their regular password has been validated. The service then computes the expected OTP from the same secret key and compares it with the user's input. If the OTPs match, the user is granted access to their account.
Authenticator Application or Biometrics vs SMS-based 2FA
SMS-based 2FA works by sending an OTP to a user's mobile phone via text message. The user must enter this OTP into the online service to complete the authentication process. While the use of SMS-based 2FA provides an additional authentication process, it is not as secure as authenticator apps or biometrics as SMS could be susceptible to:
SIM swapping, in which threat actors obtain a user's phone number through data leaks, public records, or social engineering, then bribe or trick an employee of the mobile service provider into porting the number to a duplicate SIM card they control. This enables them to receive the user's SMS verification OTPs and gain illegal access to the associated online accounts.
SMS phishing (smishing), in which threat actors use fraudulent text messages to capture users' SMS verification OTPs and use them to gain access to their various online accounts.
Authenticator apps and biometrics offer a higher level of security compared to other authentication methods like SMS-based 2FA. Authenticator apps generate OTPs locally on the user's device, making it more difficult for threat actors to intercept the OTPs. Even if an OTP were obtained by a threat actor, it would quickly become unusable as the OTP changes every 30 seconds. Similarly, biometrics relies on the unique biological traits of an individual, making it difficult to replicate.
Users are advised to practise good cyber hygiene by using a strong password and selecting the most secure 2FA method available to protect their online accounts.
Users can refer to SingCERT's advisory for more information on how to protect their online accounts at https://www.csa.gov.sg/alerts-advisories/Advisories/2022/ad-2022-008.