Governments want businesses to use “complex” multi-factor authentication
Businesses that are concerned about cybersecurity tend to rely on multi-factor authentication to keep applications safe. However, a new notice issued by the FBI tells businesses to be more cautious.
Multi-factor authentication is basically the use of “factors” other than a username and a password to authenticate users on an application or network.
It’s expected to be more secure simply because gaining access to the third item in the list of credentials is hard: it is usually locked to a mobile device that receives a one-time password (OTP) or to a physical token.
However, the FBI has found that hackers have been exploiting vulnerabilities in simple multi-factor authentication systems since 2016, when social engineering helped a hacker gain access to a user’s bank account.
Between 2016 and now, the law enforcement agency has seen several cases in which different kinds of vulnerabilities in multi-factor authentication systems were exploited using web URL (address) tampering and phishing attacks.
While the immediate recommendation is for users to be more careful when using the internet, the advisory notice provided two specific recommendations to businesses:
# 1 | Training users
The FBI recommended that businesses train staff and employees to identify and avoid phishing schemes and other kinds of simple online attacks they are exposed to via email and social media platforms. Doing so will ensure that critical applications accessed via multi-factor authentication aren’t compromised in any way.
The FBI also suggested that employees, staff, and all users be given basic lessons on social engineering and taught tactics to avoid being manipulated in any way so as to compromise themselves, clients, or the business.
# 2 | Complex multi-factor authentication
Not all kinds of multi-factor authentication are the same because not all factors are equally complex to duplicate or forge.
Biometric data, for example, or behavioral authentication methods such as when a user normally logs in, from which location, and for how long, are all difficult for hackers to forge or even pre-empt.
The FBI, in its notice to businesses, urges the use of complex multi-factor authentication solutions despite any inconvenience they may cause to users.