Multifactor Authentication

Categorized in: Product development

Multifactor Authentication (MFA). Enabling it is the single biggest thing you can do to improve the security of any online account. If you have shied away from using it before, hopefully this article can impress upon you the problem it solves, how effective it is, and just how simple it is to use.

Authentication Basics

When accessing any online account, we typically use a username and password. By providing a username, an individual is effectively making a declaration about their identity: “This is who I am.” The password is how one proves that they really are that identity, since it is something that only the true owner of the identity should know. While this works adequately well, it is not without weaknesses.

The Vulnerability

A password that can be easily guessed makes it easy for an attacker to simply log in as someone else once they guess correctly. Guessing does not mean a human sitting at a computer making wild guesses out of the blue, but rather automated programs that work their way through a word list, in what we call a dictionary attack, until they succeed at logging into an account as someone else. A brute-force attack, which tries every possible combination of characters, is another variation of this type of password guessing.

Guessing a password becomes nearly impossible by the very simple measure of using a strong password. Strong in this context means a lengthy string of random characters including upper- and lower-case letters, numbers and special characters. Skypunch takes the matter of strong passwords so seriously that it generates account passwords for clients that would take an estimated trillion years to crack, far surpassing what is recommended in NIST 800-63B. So if passwords can be made strong enough that they are no longer vulnerable to guessing in any practical sense, why bother with adding another layer of security like multifactor authentication? Because guessing a password is not the only thing that leaves the username/password model of authentication vulnerable. An attacker may not have to guess at all if they can acquire a password through some other means. Surely everyone knows not to write a password down on a sticky note and paste it to the front of their computer, but a well-executed phishing attack is one way a would-be attacker could acquire your username and password without ever guessing.

The Solution

This is where multifactor authentication comes in. If the password from the scenario described above is the first factor, multifactor simply means a user must provide at least one other factor to prove their identity. This could be a fingerprint, retina scan or facial recognition (all examples of something you are), or, in the case of logging in at Skypunch, it could be something you have, such as a smartphone with a third-party authenticator app installed that generates six-digit, one-time passwords every 30 seconds. Even if an attacker manages to acquire your password, he is still unable to log in to your account unless he is also able to steal your phone at the same time. Given the unlikelihood of that, the simple act of enabling MFA vastly increases the security of your account.

The solution is so effective that its use is mandatory for public sector accounts at Skypunch, since those accounts are used for what could be considered higher-stakes elections. While it is optional for private sector accounts, owners of those accounts are strongly encouraged to take a cue from their public sector counterparts and enable MFA as well.

Enabling Multifactor Authentication

As stated above, MFA at Skypunch is enabled by using one of the free third-party authenticator apps on a smartphone, such as Google Authenticator or Authy. Just visit the app store for your device, whether that be an Android phone or an iPhone, and install the app of your choice. Once you have done that, log in to your account in the usual fashion, go to My Info and click the link to enable MFA. You will be prompted to scan a QR code using the third-party authenticator, and that’s all there is to it. From that point on, when you log in to your account, you will go through the usual step of providing your username and password, but before reaching your account welcome screen you’ll be prompted to provide the six-digit, one-time password (OTP) shown by your authenticator app. One special note: OTPs are time-based and depend on both your smartphone and the web server having their clocks synced. A slight time difference can on rare occasions mean that your first attempt at providing the one-time password does not work. The OTPs rotate every 30 seconds, so just try again with the next OTP and all will be fine.
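To make the six-digit, 30-second, clock-dependent behaviour described above concrete, here is an added example of how a time-based OTP (RFC 6238) is generated and checked, including a verifier that tolerates one step of clock drift. This is illustrative code written for this article, not Skypunch's implementation; the shared secret and base32 value are the RFC 6238 test-vector secret, not a real account's.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the 30-second rotation the article describes
DIGITS = 6          # six-digit one-time passwords


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(secret: bytes, submitted: str, unix_time: int, skew_steps: int = 1,
                step: int = STEP_SECONDS, digits: int = DIGITS) -> bool:
    """Accept the code for the current step plus skew_steps on either side.

    A small window is what lets a slightly out-of-sync phone still log in;
    a production server should additionally refuse a code it has already accepted.
    """
    for delta in range(-skew_steps, skew_steps + 1):
        t = unix_time + delta * step
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret, t, step, digits), submitted):
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps read the shared secret as base32 from the QR code's otpauth URI."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)   # restore padding apps usually omit
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # constructed: the RFC 6238 test-vector secret "12345678901234567890"
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(secret, 59))                          # 287082 (RFC 6238 vector, 6 digits)
    print(verify_totp(secret, "287082", 59 + 30))    # True: one step of drift tolerated
    print(verify_totp(secret, "287082", 59 + 60))    # False: two steps is too far
```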

Transferring Account Ownership

In the case of Skypunch Technology, client accounts are not owned by individuals but by organizations. When the point of contact associated with an account moves on and needs to transfer the login data to someone else, that means transferring the MFA secret as well for accounts where MFA is enabled. For this reason, when enabling MFA on an account, you are given the opportunity to print out the QR code. This printout will also prove invaluable if a phone is lost and needs to be replaced with a new one, which requires a rescan of the QR code. The printout should be stored in a safe accessible only to authorized personnel, so that when a new point of contact takes over an account, he or she may scan that QR code using a third-party authenticator on their smartphone. This, along with the username and password for the account, is all the new point of contact needs to access the account the first time. After logging into the account, the new point of contact should take time to:

  1. change the username, which at Skypunch is the point of contact’s email address.
  2. generate a new password.
  3. disable and re-enable MFA so that a new secret, and therefore a new QR code, is generated.

These steps ensure the previous point of contact no longer has access to the account, since every credential they once held, the username, the password and the MFA secret, has been replaced.