How To Protect Yourself With A More Secure Kind Of Multi-Factor Authentication

2 years ago

There are many ways to improve your security with multi-factor authentication, but some kinds offer more protection from hacking and tracking.

This is an opinion editorial by Heidi Porter, an entrepreneur with 35 years in technology.


In previous articles about security and data breaches, we discussed the need for multi-factor authentication (MFA) on your Bitcoin accounts and any other accounts you want to protect.

Hacks will continue to happen where your account is compromised or people are sent to a nefarious site and accidentally download malware instead of verified software.

This will be the first in a series of articles about more resilient personal security for your accounts, nodes and apps. We’ll also cover better email options, better passwords and better use of a virtual private network (VPN).

The reality is that you’ll never be completely secure in any of your online financial transactions in any system. However, you can implement a more resilient toolset and best practices for stronger security.

What Is Multi-Factor Authentication And Why Do I Care?


According to the Cybersecurity and Infrastructure Security Agency, “Multi-factor authentication is a layered approach to securing data and applications where a system requires a user to present a combination of two or more credentials to verify a user’s identity for login.”

When we log into an online account, we’re often aiming to thwart an attacker or hacker using extra layers of verification — or locks.

Compared to your own home, multiple locks give more security. If one form of authentication is good, such as a password, then two forms (aka MFA) can be better.

Note that biometric authentication is single-factor authentication. It’s just the biometric of whatever modality you’re using: thumb, iris, face recognition, etc. If you use one hardware key without a passphrase, that is also single-factor authentication.

Where Should I Use MFA And What Kind Of MFA?

With MFA, you must have at least two authentication mechanisms.

At a minimum, you should have MFA set up for your:

  • Bitcoin exchanges (but get your funds off them ASAP after buying).
  • Bitcoin nodes and miners.
  • Bitcoin and Lightning wallets.
  • Lightning apps, such as RTL or Thunderhub.
  • Cloud providers, such as Voltage accounts.

Note: Each account or application needs to support the kind of MFA that you are using, and you must register the MFA with the account or application.

MFA providers often include less secure options such as:

  • SMS text messaging.
  • One-time password.
  • Mobile push-based authentication (more secure if managed properly).

MFA providers sometimes also include more secure options such as:

  • Authenticator apps.
  • Hardware keys.
  • Smart cards.

Guess what kind of MFA most legacy financial institutions use? It’s usually one of the less secure MFA options. That said, authenticator apps and hardware keys for MFA are not all created equal.

MFA And Marketing Misinformation

First, let’s talk about the marketing of MFA. If your MFA provider touts itself as unhackable or 99% unhackable, they are spouting multi-factor B.S. and you should find a different provider. All MFA is hackable. The goal is to have a less hackable, more phishing-resistant, more resilient MFA.

Registering a phone number leaves the MFA vulnerable to SIM swapping. If your MFA does not have a good backup mechanism, then that MFA setup is vulnerable to loss.

Some MFA is more hackable.

Some MFA is more trackable.

Some MFA is more or less able to be backed up.

Some MFA is more or less accessible in some environments.

Less Hackable and Trackable MFA

Multi-factor authentication is more securely accomplished with an authenticator app, smart card or hardware key, like a YubiKey.

So if you have an app-based or hardware MFA, you’re fine, right? Well, no. Even if you are using app-based or hardware MFA, not all authenticator apps and hardware devices are created equal. Let’s look at some of the most popular authenticator apps and some of their vulnerabilities with tracking, hacking and backing up.

  • Twilio Authy requires your phone number, which could open you up to compromise via SIM-card swap. Initial setup is SMS.
  • Microsoft Authenticator doesn’t require a phone number, but can’t transfer to Android as it is backed up to iCloud.
  • Google Authenticator also doesn’t require a phone number, but does not have online backup and is only able to transfer from one phone to another.

In addition, all of these apps are considered by some to be less resilient and open to phishing or man-in-the-middle (MITM) attacks.

How Your Accounts And Finances Can Be Compromised

“People should use phishing-resistant MFA whenever they can to protect valuable data and systems” – Roger A. Grimes, cybersecurity expert and author of “Hacking Multifactor Authentication”

Just like many financial and data companies, Bitcoin companies have been the target of multiple data breaches where attackers have obtained email addresses and phone numbers of customers.

Even without these breaches, it’s not particularly hard to find someone’s email addresses and phone numbers (as mentioned in previous articles, best practice is to use a separate email and phone number for your Bitcoin accounts).

With these emails, attackers can perform phishing attacks and intercept the login credentials: both the password and the multi-factor authentication code you have used as a second authentication factor for any of your accounts.

Let’s take a look at a typical MITM phishing attack process:

  1. You click a link (or scan a QR code) and you are sent to a site that looks very similar to the legitimate site you want to access.
  2. You type in your login credentials and then are prompted for your MFA code, which you type in.
  3. The attacker then captures the access session token for successful authentication to the legitimate site. You might even be directed to the valid site and never know that you have been hacked (note that the session token is usually only good for that one session).
  4. The attacker then has access to your account.

As an aside, be sure you have MFA attached to withdrawals on a wallet or exchange. Convenience is the enemy of security.
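The process above is exactly where a typed one-time code fails and an origin-bound authenticator does not. The following Python model is an added example, not code from the article or from any of the products it names: the first half is a standard RFC 6238 TOTP generator and verifier, which shows that a code relayed through a look-alike site verifies on the real site because the code says nothing about where it was typed; the second half is a simplified WebAuthn-style assertion in which the browser writes the origin it actually loaded into the signed client data, so the relying party rejects an assertion made for any other origin. HMAC stands in for the credential's asymmetric signature, and the origins and secrets are constructed placeholders.

```python
# Added example: why a relayed TOTP code still verifies on the legitimate site,
# while an origin-bound (WebAuthn-style) assertion does not. HMAC stands in for
# the authenticator's private-key signature; the origin binding is the point.
import hashlib
import hmac
import json
import struct

# --- One-time password (RFC 4226 HOTP / RFC 6238 TOTP) -----------------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian counter, dynamically truncated (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30) -> str:
    """TOTP is HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)

def totp_verify(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- window steps to tolerate clock drift."""
    return any(hmac.compare_digest(hotp(secret, now // step + d), code)
               for d in range(-window, window + 1))

def totp_relay_demo() -> bool:
    """The code carries no information about the site it was typed into, so the
    real site accepts it whether the user or a relaying proxy submits it."""
    secret = b"constructed-demo-secret"     # constructed; real seeds are random bytes
    now = 1_700_000_000                     # constructed timestamp
    typed_on_lookalike = totp(secret, now)  # user types the code on the look-alike site
    return totp_verify(secret, typed_on_lookalike, now)  # True on the legitimate site

# --- Origin-bound assertion (simplified WebAuthn) ----------------------------

def authenticator_sign(cred_key: bytes, challenge: bytes, origin: str) -> dict:
    """The browser builds clientDataJSON from the origin it actually loaded and the
    authenticator signs its hash. Neither the user nor the page can change the origin."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}, sort_keys=True).encode()
    digest = hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, digest, hashlib.sha256).digest()  # stand-in for ECDSA
    return {"clientDataJSON": client_data, "signature": sig}

def rp_verify(cred_key: bytes, expected_challenge: bytes, expected_origin: str,
              assertion: dict) -> bool:
    """Relying-party checks: type, fresh challenge, expected origin, valid signature."""
    data = json.loads(assertion["clientDataJSON"])
    if data.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(data.get("challenge", ""), expected_challenge.hex()):
        return False
    if data.get("origin") != expected_origin:
        return False  # signed for another site: a relayed assertion stops here
    digest = hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(cred_key, digest, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])

def webauthn_relay_demo() -> tuple:
    """Returns (genuine accepted, relayed rejected, origin-rewritten rejected)."""
    cred_key = b"constructed-credential-key"   # constructed
    challenge = b"\x01" * 32                   # constructed; real challenges are random
    legit = "https://exchange.example"         # placeholder legitimate origin
    lookalike = "https://exchange-example.test"  # placeholder look-alike origin
    genuine = authenticator_sign(cred_key, challenge, legit)
    # A proxy can forward the real challenge, but the browser still records
    # the look-alike origin in the client data it asks the authenticator to sign.
    relayed = authenticator_sign(cred_key, challenge, lookalike)
    # Rewriting the origin field after signing breaks the signature instead.
    rewritten = dict(relayed)
    rewritten["clientDataJSON"] = relayed["clientDataJSON"].replace(
        lookalike.encode(), legit.encode())
    return (rp_verify(cred_key, challenge, legit, genuine),
            rp_verify(cred_key, challenge, legit, relayed),
            rp_verify(cred_key, challenge, legit, rewritten))

if __name__ == "__main__":
    print("relayed TOTP accepted by real site:", totp_relay_demo())
    print("(genuine, relayed, rewritten) WebAuthn assertions:", webauthn_relay_demo())
```

The TOTP half reproduces the RFC 4226 test vectors (seed `12345678901234567890`, counter 1 gives `287082`), so the verifier logic is the real one; the WebAuthn half keeps only the checks that matter for this article's point. Real relying-party code additionally verifies the RP ID hash, the signature counter and user-presence flags in the authenticator data.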

Phishing-Resistant MFA

To be resistant to phishing, your MFA should be an Authenticator Assurance Level 3 (AAL3) solution. AAL3 introduces several new requirements beyond AAL2, the most significant being the use of a hardware-based authenticator. There are several additional authentication characteristics that are required:

  • Verifier impersonation resistance.
  • Verifier compromise resistance.
  • Authentication intent.

Fast Identity Online 2 (FIDO2) and FIDO U2F are AAL3 solutions. Going into the details about the different FIDO standards is beyond the scope of this article, but you can read a bit about it at “Your Complete Guide to FIDO, FIDO2 and WebAuthn.” Roger Grimes recommended the following AAL3-level MFA providers in March 2022 in his LinkedIn article “My List of Good Strong MFA.”

MFA Hardware Keys And Smart Cards

Hardware keys, like YubiKey, are less hackable forms of MFA. Instead of a generated code that you enter, you press a button on your hardware key to authenticate. The hardware key has a unique secret that is used to generate codes to confirm your identity as a second factor of authentication.

There are two caveats for hardware keys:

  • Your app needs to support hardware keys.
  • You can lose or damage your hardware key. Many services do allow you to configure more than one hardware key. If you lose the use of one, you can use the spare.

Smart cards are another form of MFA with similar phishing resistance. We won’t get into the details here as they seem to be less likely to be used for Bitcoin or Lightning-related MFA.

Mobile: Restricted Spaces Require Hardware Devices

Another consideration for multi-factor authentication is whether you would ever be in a situation where you need MFA and cannot use a cell phone or smartphone.

There are two big reasons this could happen for bitcoin users:

  • Low or no cell coverage.
  • You don’t have or can’t use a smartphone.

There can be other restrictions on cell phone use due to customer-facing work environments or personal preference. Call centers, K-12 schools or high-security environments like research and development labs are some areas where phones are restricted and you would thus be unable to use your phone authenticator app.

In these particular cases where you are using a computer and don’t have a smartphone, you would then need a smart card or hardware key for MFA. You would also need your application to support these hardware options.

Also, if you cannot use your cellphone at work, how are you supposed to stack sats in the restroom on your break?

Toward More Resilient MFA

MFA can be hacked and your accounts can be compromised. However, you can better protect yourself with more resilient and phishing-resistant MFA. You can also choose MFA that is not tied to your phone number and has an adequate backup mechanism or the ability to have a spare key.

Ongoing defense against cyber attacks is a continuing game of cat-and-mouse, or whack-a-mole. Your goal should be to become less hackable and less trackable.

Additional Resources:

This is a guest post by Heidi Porter. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc. or Bitcoin Magazine.
