...something you know, something you are
These are the three most common factors used to authenticate (prove who you are) to a system. You may have heard it called Multi Factor Authentication (MFA), or Two Factor Authentication (2FA). These terms tend to get used interchangeably, but 2FA means two factors are used, and MFA means two or more factors are used. 2FA is MFA but MFA isn't always 2FA.
Three common factors, but they're not created equally.
Case Study: a spreadsheet at the heart of the business
This story starts with a customer of ours (who has chosen to remain anonymous) who runs their entire business off a single spreadsheet. They're a two-man show that deals in high value hardware, so they're holding slow moving but expensive stock. What started as a simple way to track things in a way that best reflects their workflow has grown to be the beating heart of their business. Where some may see "just a spreadsheet", they see a custom piece of software that does everything: tracking, forecasts, reporting, you name it.
Over the years this spreadsheet has grown to the point where no off-the-shelf solution will meet their needs. Custom development is too expensive, so the spreadsheet is here to stay.
As a two-man business, they leverage Microsoft 365 to host their spreadsheet centrally and enable real-time collaboration. It's elegant simplicity, but this is where a brief observation after a security assessment (yes, done by AFSecure) called out the Achilles heel to this setup. An account compromise or unauthorised editing / access / deletion of their spreadsheet could end their business overnight. Backups may be a solution to deletion, but they don't protect business secrets, they don't rebuild lost data between the backups (and accordingly, missed regulatory reporting obligations) and they don't prevent undetected data changes that could come from unauthorised access. A better solution was needed, but before diving into the solution, let's explore our options.
something you know
This is the authentication factor everyone reading this post uses every day. You must prove who you are by demonstrating you know something. Yes we're talking a password or a PIN. It's like the digital equivalent of knowing the secret word to get into your friend's cubby house.
I'll digress here for a moment: a PIN is rarely used by itself and is often combined with another factor. We'll delve into that later.
The problem with passwords, especially when used as the sole method of verifying your identity (single-factor authentication), is that they're inherently weak. They're weak for a multitude of reasons, and if you use only passwords you must get familiar with this list and reconsider how you protect your accounts:
- Human Factor - Predictability and Re-use:
  - Easy-to-guess passwords: People often choose passwords that are simple to remember, such as "password123," "123456," birthdates, pet names, or common words. These are trivial for attackers to guess or crack using automated tools.
  - Password reuse: Many individuals use the same or similar passwords across multiple accounts. If one account is breached, all other accounts using that same password become vulnerable. Put your hand up if your current password is footballteam3 because your previous one that expired was footballteam2.
  - Lack of complexity: Users often avoid creating truly complex passwords (long strings of random characters, numbers, and symbols) because they are difficult to remember.
- Brute-Force and Dictionary Attacks:
  - Brute-force attacks: Attackers use software to systematically try every possible combination of characters until the correct password is found. While this can take time, shorter and simpler passwords fall quickly. Of course, as hardware gets faster, so does trying every possible combination.
  - Dictionary attacks: These attacks use lists of common words, phrases, and previously breached passwords to try and guess the password. This is highly effective against non-complex passwords.
- Phishing and Social Engineering:
  - Phishing: Attackers create fake login pages or send deceptive emails/messages to trick users into voluntarily revealing their passwords.
  - Social engineering: Manipulative tactics are used to persuade individuals to disclose their login credentials, often by impersonating trusted entities or creating a sense of urgency.
- Malware and Keyloggers:
  - Keyloggers: Malicious software can record every keystroke a user makes, including passwords, and send this information to an attacker.
  - Spyware/Trojans: Other forms of malware can steal password files stored on a computer or intercept credentials as they are transmitted.
- Data Breaches:
  - Third-party vulnerabilities: Even if you choose a strong password, the service or website where you have an account can suffer a data breach. If they store passwords insecurely (e.g., unencrypted or weakly hashed), your password can be exposed.
  - Credential stuffing: Once passwords are stolen in a breach, attackers use automated tools to try those compromised credentials on many other websites, exploiting password reuse. I'll shout out Have I Been Pwned here: if you're not familiar with it, it's a service that checks whether your email address shows up in public data breaches. A great way to know how exposed you potentially are.
- Insider Threats:
  - Disgruntled employees or individuals with legitimate access can misuse their privileges to steal or expose passwords and other sensitive data.
- Shoulder Surfing and Physical Observation:
  - Simply looking over someone's shoulder as they type their password or finding passwords written down on sticky notes are low-tech but still effective ways to compromise credentials.
- Weak Hashing and Storage Practices (by services):
  - If online services don't use strong, modern hashing algorithms (with salting) to store user passwords, breached password databases are much easier for attackers to crack and convert back into plain text. Again, this takes us back to data breaches and Have I Been Pwned.
Why Single-Factor Authentication ("SFA") is Particularly Weak:
Using only a password (SFA) means that if that single line of defense is compromised, the attacker gains full access. There are no other checks or balances to verify the user's identity. This makes it a single point of failure. Multi-Factor Authentication (MFA), by contrast, requires two or more different types of verification (e.g., something you know like a password, something you have like a phone app authenticator, or something you are like a fingerprint), making it significantly harder for attackers to gain unauthorized access even if they manage to steal one factor.
something you are
Fingerprint, iris scan, hand print: it's all very espionage thriller, but the reality is different. Biometric factors effectively rely upon something that's unique to you, and that makes them dangerous when handled incorrectly. Biometrics may feel like the ultimate security tool, but if your fingerprint or iris scan gets compromised (stolen), unlike a password you can't change it; it's gone forever. A strong method of proving who you are, but the absolute worst case scenario if it gets out.
So when you use your fingerprint or Face ID to log in, you're not really logging on biometrically, or at least not the way you may imagine it. All your biometric data stays on the phone and never leaves it. Instead you're actually unlocking another factor: the phone itself...
something you have
OK... let's resolve the phone discussed above before we move on. Imagine you are trying to access your email on your phone. While setting up your email you provided your login details, and now your email provider trusts your phone (something you have). That's great, except your phone needs to know it is being operated by its owner, so you enrol some information into it: perhaps a PIN (something you know) or a biometric (something you are). When you pick up the phone you're halfway there because you're holding the phone (something you have), so the moment you provide your PIN or biometric you have finished authenticating to the phone. Your phone in turn can access your email.
With that little explainer in mind, let's explore some common "something you have" factors. They're not all created equally, so we've tried to explain how they work and give some examples of their potential weaknesses.
- Physical Security Tokens (Hardware Tokens):
  - Examples: YubiKey, Google Titan Security Key, other FIDO2-compliant keys.
  - How they work: These are small, portable hardware devices that you typically plug into a USB port, tap via NFC (Near Field Communication), or connect via Bluetooth.
  - Mechanisms:
    - One-Time Passwords (OTP): Some tokens (like YubiKeys in OTP mode) can generate a unique, time-sensitive or counter-based code when a button is pressed or the device is activated. This code is then entered by the user.
    - Challenge-Response (e.g., FIDO2/U2F): More advanced tokens use public-key cryptography. The service sends a challenge, and the token, upon user interaction (like a touch), cryptographically signs the challenge with a private key stored securely on the token. The service then verifies this with the corresponding public key. The private key never leaves the token. _If you want to get into the weeds on this one, look up the Diffie-Hellman key exchange; it's well beyond the scope of this post, but it explains what's happening under the hood of a FIDO2 key exchange and why this standard rocks._
  - Weaknesses:
    - Loss or Theft: If the physical token is lost or stolen, you might lose access to your accounts unless you have backup methods. The token itself, especially a FIDO2 one, remains secure and doesn't leak secrets.
    - Damage: Physical damage can render the token unusable.
    - Cost: There's an upfront cost to purchase these tokens.
    - Usability/Portability: Requires carrying an additional item. Remembering to have it and using it (plugging in/tapping) can be a minor inconvenience for some.
    - Service Support: While adoption of FIDO2 is growing rapidly, not all online services support hardware security keys as an authentication method. OTP support is more widespread but less secure against phishing.
    - Targeted Physical Coercion: In extreme, highly targeted scenarios, an attacker could attempt to physically coerce a user into using their token.
- OTP Authenticator Apps (Software Tokens on a Smartphone/Device):
  - Examples: Google Authenticator, Microsoft Authenticator, Authy, Duo Mobile.
  - How they work: These apps are installed on your smartphone or another device. During setup, they are linked to your online accounts (usually by scanning a QR code containing a shared secret).
  - Mechanisms:
    - Time-based One-Time Passwords (TOTP): The app and the service's server share a secret key. Both use this key and the current time to independently generate the same short-lived (e.g., 30-60 seconds) numeric code.
    - Counter-based One-Time Passwords (HOTP): The code changes based on a counter that increments with each new code generation (less common for user-facing logins).
  - Weaknesses:
    - Device Compromise: If the smartphone hosting the app is compromised by sophisticated malware, it's theoretically possible for OTP codes or the underlying secrets to be stolen. However, modern phone operating systems and well-designed authenticator apps have protections against this.
    - Phishing for Codes: Users can still be tricked by convincing fake websites (phishing) into manually entering the 6-digit OTP code. The attacker can then immediately use this code. This is a significant weakness compared to FIDO2 hardware tokens, which are phishing-resistant.
    - Device Loss/Theft: If the phone is lost or stolen and not adequately secured (e.g., strong PIN/biometrics), an attacker gaining access to the unlocked phone could potentially access the authenticator app.
    - Backup and Transfer Complexity: Securely backing up and transferring authenticator app setups to a new device can sometimes be complex for non-technical users, potentially leading to loss of access if not done correctly.
    - Annoyance: Punching in these 6-digit codes as they count down, and flicking between screens (especially on mobile), is just a pain.
- Push Notifications for Authentication:
  - Examples: Microsoft Authenticator (for Microsoft accounts), Duo Mobile, Google Prompts.
  - How they work: Instead of entering a code, the service sends a notification directly to a registered and trusted device (usually a smartphone). The user then simply taps "Approve" or "Deny" on the notification. Some systems may also show contextual information like location or the requesting application.
  - Weaknesses:
    - MFA Fatigue / Push Bombing: Attackers can repeatedly send login requests, hoping the user will become annoyed or complacent and approve a malicious prompt just to make the notifications stop.
    - User Inattention: Users might approve prompts without carefully verifying the details (e.g., location, application) presented in the notification, especially if they are busy or distracted.
    - Device Compromise: If the device receiving the push notification is compromised by malware, an attacker could potentially intercept or automatically approve these prompts.
    - Network Dependency: Requires an active internet connection on both the device initiating the login and the device receiving the push notification.
    - No "Proof of Presence" for the Service: While the user interacts with their phone, the service primarily trusts that the approval from the registered device is legitimate. Less sophisticated push systems might be more vulnerable to MitM if they don't verify the origin of the request rigorously.
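Push bombing is noisy, and that noise is detectable. The following is an added example (not from the original post, and not any vendor's tooling) of the kind of detection a defender can run over MFA audit logs: it flags any user who receives a burst of push prompts inside a short window and notes whether an approval followed the burst. The log format and event names (`push_sent`, `push_denied`, `push_approved`) are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not real telemetry), one event per line:
#   <ISO-8601 timestamp> <user> <event>
SAMPLE_LOG = """\
2024-05-01T08:00:05Z alice push_sent
2024-05-01T08:00:40Z alice push_denied
2024-05-01T08:01:10Z alice push_sent
2024-05-01T08:01:55Z alice push_denied
2024-05-01T08:02:30Z alice push_sent
2024-05-01T08:03:02Z alice push_sent
2024-05-01T08:03:40Z alice push_approved
2024-05-01T09:15:00Z bob push_sent
2024-05-01T09:15:20Z bob push_approved
"""


def parse_log(text: str):
    """Turn the assumed log format into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, event))
    return events


def find_push_bombing(events, threshold: int = 3, window=timedelta(minutes=5)):
    """Flag users who received `threshold` or more prompts within `window`.
    Returns {user: {"prompts": n, "denials": n, "approved_after_burst": bool}}.
    An approval following a burst of prompts is the case to escalate: it may be
    a worn-down user approving a prompt they did not initiate."""
    by_user = defaultdict(list)
    for ts, user, event in sorted(events):
        by_user[user].append((ts, event))
    alerts = {}
    for user, evs in by_user.items():
        sent = [ts for ts, e in evs if e == "push_sent"]
        for i, start in enumerate(sent):
            burst = [t for t in sent[i:] if t - start <= window]
            if len(burst) < threshold:
                continue
            tripped = burst[threshold - 1]   # the prompt that crossed the threshold
            alerts[user] = {
                "prompts": len(burst),
                "denials": sum(1 for ts, e in evs
                               if e == "push_denied" and start <= ts <= burst[-1]),
                "approved_after_burst": any(e == "push_approved" and ts >= tripped
                                            for ts, e in evs),
            }
            break   # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for user, detail in find_push_bombing(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {user}: {detail}")
```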
- SMS or Email Based One-Time Passcodes:
  - How they work: A service sends a short, temporary code via SMS text message to your registered phone number or via email to your registered email address. You then enter this code to complete authentication.
  - Weaknesses:
    - SIM Swapping/Porting Attacks: Attackers can trick mobile carriers into transferring your phone number to a SIM card they control, allowing them to intercept your SMS codes. This is a significant and common vulnerability.
    - Email Account Compromise: If your email account (which receives the codes) is hacked, the attacker gains access to your second factor.
    - Interception of SMS/Email: SMS messages are not end-to-end encrypted and can be intercepted through various means (e.g., flaws in the SS7 telephony protocol, malware on the phone). Emails can also be intercepted if not transmitted securely or if mail servers are compromised.
    - Phishing: Users are frequently targeted by phishing attacks trying to trick them into revealing these codes on fake websites.
    - Delayed Delivery/Reliability: Delivery of SMS or email can be unreliable or delayed, leading to login difficulties and user frustration.
    - Generally Considered Weakest "Something You Have": Due to the points above, SMS and email OTPs are often considered the least secure method of "something you have", and many security professionals advise against their use if stronger alternatives are available.
In short, the absolute strongest something you have factor (at least in this list and at the time of writing) is FIDO2-based physical security tokens. And with that out of the way - let's turn back to our customer story.
Case Study: back to that spreadsheet
So our customer needed a solution. They needed something secure but they also needed it to be as convenient as their current "grab a laptop and off you go" workflow.
This is where AFSecure stepped in.
Luckily both partners always carry their keys.
We worked with our customer to deploy physical FIDO2 security tokens, specifically the TrustKey T120. This option made sense as the tokens are readily available in Australia and low cost compared to other options. From a convenience perspective the T120 model has a USB-C interface, and our customer uses MacBooks exclusively, so we could avoid dongles and adapters.
The deployment relied upon 3 security keys for each business partner:
- one to keep on themselves (as a keyring).
- one (each) to put in the business' safe.
- one to store safely at home.
This solution enabled the customer to have a high degree of confidence that their accounts are secure and a high degree of confidence that they're unlikely to lose their security token and be locked out of their accounts.
Bonus Case Study: what does AFSecure do
We eat our own dog food of course.
As a business that handles the security of others, we take our own security very seriously, so we also use hardware security tokens. In our instance it's a combination of YubiKeys and TrustKeys.
To give a personal example, I (Alex) have a YubiKey on each of my two sets of keys and a TrustKey locked in my safe at home. These are used to provide 2FA for our Google Workspace accounts that run the business and our password vaults. Wherever possible we use Google logins for other services to avoid account sprawl. Where we must create unique logins to services, these are stored in our password vault with a unique, long & complex password and MFA enabled.
Hardware tokens are something that we just can't recommend strongly enough.
A big thank you to our customer for permitting us to discuss their MFA deployment for this post.
If you need assistance developing your business' authentication strategy or just need your MFA roll-out to go smoothly, you can always reach out to AFSecure for help.