Oxford's oldest student newspaper

Independent since 1920

Multi-factor authentication – why it’s more than just extra effort

Jennivine Chen discusses the nuances of multi-factor authentication ahead of its rollout on Oxford SSO.

“Action required: multi-factor authentication will be deployed on your Oxford SSO account soon.”

Multi-factor authentication (MFA) – a phrase we have all no doubt read several times over the past few weeks. But beyond adding an extra step to every login, what does having MFA on our accounts actually do?

Passwords are easy to crack

First, let’s take a trip down memory lane. In the early days of the web the most popular password of all was ‘12345’, and our habits have barely changed since the 1990s. Studies have shown that a staggering 59% of people reuse the same password everywhere, and roughly 90% of passwords can be cracked in under six hours. But how exactly does one ‘crack’ a password?

1. Phishing links

The most obvious strategy is phishing. The attacker poses as a trusted source and sends a link to a fake website, where the user is invited to enter their username and password. Thankfully, a Duo Security study of user behaviour found that only 5% of users fall for these phishing links, and the figure improves every year. But as users get wiser, attackers change their methods too.

2. Dictionary and brute-force attacks

In a dictionary attack, software systematically tries words found in a dictionary (in practice, a list of common and previously leaked passwords) as guesses for the user’s password. In a brute-force attack, the software tries every possible combination of characters, not just dictionary words, usually starting with the most common passwords and working up to longer strings. The number of combinations grows exponentially with length, so a long random password takes vastly longer to brute-force, whereas a dictionary word is guessed in moments however long it is. That is why you’re often reminded not to use ‘real’ words in your passwords.
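
To make the two strategies concrete, here is a small added example in Python (written for this article, not taken from the University or any security vendor). It hashes a password with SHA-256, the way a site might store it, then tries to recover it first from a wordlist and then by brute force over the lowercase alphabet, counting guesses as it goes. The wordlist, the target passwords and the guessing rate are all made up for the demonstration.

```python
import hashlib
import itertools
import string

# Constructed wordlist for the demonstration; real attacks use lists of
# millions of common and previously leaked passwords.
WORDLIST = ["123456", "password", "qwerty", "dragon", "letmein", "sunshine", "oxford"]
LOWERCASE = string.ascii_lowercase


def sha256_hex(password: str) -> str:
    """Hash a password the way a (badly designed) site might store it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def dictionary_attack(target_hash: str, wordlist):
    """Try each word in the list; return (password, guesses) or (None, guesses)."""
    guesses = 0
    for word in wordlist:
        guesses += 1
        if sha256_hex(word) == target_hash:
            return word, guesses
    return None, guesses


def brute_force(target_hash: str, alphabet: str, max_length: int):
    """Try every string over `alphabet` up to max_length, shortest first.
    Returns (password, guesses) or (None, guesses)."""
    guesses = 0
    for length in range(1, max_length + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(chars)
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible passwords of exactly `length` characters."""
    return alphabet_size ** length


def hours_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of that length at a given rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / 3600


if __name__ == "__main__":
    # A dictionary word falls on the 4th guess, however long it is.
    print(dictionary_attack(sha256_hex("dragon"), WORDLIST))
    # A short random string survives the dictionary but not brute force.
    target = sha256_hex("zed")
    print(dictionary_attack(target, WORDLIST))
    print(brute_force(target, LOWERCASE, 3))
    # Why length matters: 8 lowercase letters vs 12 mixed characters, at a
    # hypothetical 10 billion SHA-256 guesses per second.
    print(hours_to_exhaust(26, 8, 1e10))
    print(hours_to_exhaust(95, 12, 1e10))
```

The brute force works because SHA-256 is deliberately fast: a graphics card can compute billions of hashes a second, so eight lowercase letters fall in seconds while twelve mixed characters would take longer than the age of the universe. Well-run sites store passwords with a slow, salted hash such as bcrypt or Argon2 so that every guess costs far more, but the user cannot see which kind of site they are dealing with, which is one more reason to want a second factor.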

3. Credential stuffing

Attackers also exploit the fact that you have probably reused passwords across websites. Rather than attacking a well-defended target directly, they start with a less well-protected site. Once your username and password are exposed there in a data breach, the same pair is tried on other platforms, a technique known as ‘credential stuffing’.

4. Keyloggers and Man in the Middle

More dangerous methods include keyloggers: malware that infiltrates the user’s computer and captures every keystroke, including sites visited, usernames and passwords. Have you ever been told not to enter sensitive information on public WiFi? Here’s why. Posing as a public WiFi access point, the attacker’s device inserts itself between the user and the app they are talking to. Using this ‘Man in the Middle’ attack, the attacker can read all the communications and login credentials the user enters into the app. (Today HTTPS encrypts most traffic even on a hostile network, so in practice a man in the middle on public WiFi more often steers the user to a lookalike login page, which brings us back to phishing.)

How multi-factor authentication works

This is where the importance of multi-factor authentication becomes evident. Instead of relying on a single method of authentication, MFA requires at least two factors, drawn from different categories below, to prove the user’s identity, so that an attacker who has cracked the user’s password still cannot get into the account.

  • Knowledge (something only the user knows): answers to personal security questions; the user’s password
  • Possession (something only the user has): one-time passcodes sent by text or email, or generated by smartphone apps; physical or software security tokens
  • Inherence (something only the user is): fingerprints; facial recognition; other biometrics

Not all possession factors are equal: a code sent by text message can be intercepted by an attacker who takes over your phone number, whereas an authenticator app or hardware token keeps its secret on the device itself.
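
A possession factor in action: the following added example (written for this article, not the University’s or any vendor’s code) implements the time-based one-time password scheme, TOTP (RFC 6238), that authenticator apps use, together with the server-side check that goes with it. The shared secret is the published test key from the RFC, used here only for the demonstration; a real enrolment generates a random secret per user. It shows why a stolen password alone is not enough: the code changes every 30 seconds, is derived from a secret that never leaves the phone, and is accepted only once.

```python
import hashlib
import hmac
import struct
import time

# Published RFC 4226 / RFC 6238 test secret, used only for this demonstration.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time=None, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with the counter set to
    the number of `step`-second intervals since the Unix epoch."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time // step), digits)


class TotpVerifier:
    """Server side of the second factor: accepts a code for the current time
    step or its neighbours (to tolerate clock drift) and never accepts the
    same time step twice, so a code seen in transit cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_counter = -1  # highest time step already spent on a login

    def check(self, submitted: str, at_time=None) -> bool:
        if at_time is None:
            at_time = time.time()
        counter = int(at_time // self.step)
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue  # replay: a code for this step has already been used
            # constant-time comparison so timing does not leak the digits
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    # The phone (prover) and the server share the secret from enrolment.
    server = TotpVerifier(DEMO_SECRET)
    now = time.time()
    code = totp(DEMO_SECRET, now)  # what the authenticator app displays
    print("code:", code, "accepted:", server.check(code, now))
    print("same code again accepted:", server.check(code, now))  # False: replay
    # An attacker holding only the password has no secret to derive a code from.
    print("guessed code accepted:", server.check("000000", now))
```

Two design points worth noticing: the server compares codes with a constant-time function, and it remembers the last time step it accepted, so that a code phished or sniffed a moment earlier is useless once the legitimate login has gone through.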

The future of multi-factor authentication

With more firms adopting remote working, the need for data security has driven a rise in MFA roll-outs. Yet MFA is not purely a product of the digital age: when you withdraw money at an ATM, both your bank card (possession) and your PIN (knowledge) are required. Looking ahead, some technology firms are exploring AI-based algorithms that analyse a user’s typing rhythm as a second form of authentication, matching the patterns of how people type on their keyboards. Google is reportedly doing something similar, analysing subtle mouse movements on web pages to decide whether the user is human or a bot, though it is still unclear how far this is useful. Until we do know, we will have to live with one extra login step, content in the knowledge that malicious attackers are unlikely to get at our sensitive information (read: a browser history that includes ‘fun facts about MFA’).

Image credit: Austin Distel on Unsplash
