Password security has been an issue for businesses since the first employee password was needed to gain access to a system. Companies may train employees on good password practices, but in reality, passwords are often not as secure as they should be.

A big reason for this is that users have so many to remember that they often resort to reusing passwords across several accounts and using easily hacked passwords.

For example, 51% of people use the same passwords between personal and work accounts. The average password is used to access about five accounts. The use of weak passwords is also a big problem, with roughly 25% of Americans admitting to using a simple password, such as “123456.”

One way that companies have tried to address the IT security problem of weak user passwords is to implement multi-factor authentication (MFA). This can significantly increase the strength of your account security by putting up another barrier that is much more difficult for hackers to get past.

How MFA Works

Typically, hackers will guess, steal, or crack a username and password combination to get into an account. They can do it from halfway across the world and it’s very hard to track.

When accounts are protected with multi-factor authentication, the user also must enter a unique, time-sensitive code that is sent to a specific device in their possession. This makes it significantly more difficult for someone halfway across the world to gain access to the account because they don’t possess the device that receives the code.

But MFA is not infallible. For example, a security vulnerability discovered in September of 2019, named Simjacker, is malware that can clone a phone’s SIM card.

Simjacker is delivered via a malicious SMS that can infect a device with spyware once opened. This code then can send SIM card data to the attacker’s device.

Once a SIM card is cloned, the hacker can gain access to all the mobile number’s calls and SMS messages.

How Security for the Different Types of MFA Compares

When you are enabling MFA for a cloud login on an app or website, there are generally three standard methods you can use. The way these differ is in how you receive the MFA code that is input to complete the login.

  1. SMS: The most common method is to receive the code via SMS to a designated mobile number that was added during setup.
  2. Authentication app/on-device prompt: Another way you can receive the MFA code is through an authentication app, such as Google Authenticator.
  3. Security Key: One method that isn’t quite as common as the first two is a security key. This is a physical device that is inserted into a computer or mobile device and authenticates the MFA code for you.

While all forms of MFA can make a significant difference in your account security, there is a slight difference in the security level of each one.

SMS (Text Message)

According to a Google study, receiving the MFA code via SMS is between 76% and 100% effective, depending upon the type of account attack.

One of the security vulnerabilities with receiving your multi-factor authentication code via text is the potential for SIM card cloning. If your SIM card has been cloned, then the hacker has access to all your text messages and could pair that with a password hack to gain access to your accounts.

An advantage of using SMS is that it’s the most user-friendly of the three methods and the most commonly used when you initially set up MFA for a login.

Authentication App (On-device Prompt)

Using an on-device prompt via an authentication app on your computer or smartphone is a slightly more secure way to get your MFA code. A cloned SIM card isn’t going to expose the code when you try to sign in since it’s not coming in by SMS.

The Google study found that this method was between 90% and 100% effective at stopping fraudulent sign-in attempts.

Besides being more secure than SMS, using an authentication app is also fairly user-friendly.

Security Key

The third method is using a security key, which is a physical device that is usually the size of a USB drive or slightly smaller. This device is plugged into your computer or mobile device and authenticates your MFA code for you.

This method was 100% effective against all the attack types that the Google study reviewed, which included:

  • Automated bot attack
  • Bulk phishing attack
  • Targeted attack

These keys are purchased through a vendor like Yubico (YubiKey) or Thetis (FIDO U2F).

One drawback of this method is that users need to keep track of the small security key device to authenticate their logins. If lost, they may have to jump through a few hoops to get another key and may have a delay getting logged in during that process.

How Strong Is Your Password Security?

Onsite Techs of Rhode Island can help your business with convenient solutions to improve password and account security.

Contact us today to schedule a consultation at 401-773-7766 or reach out online.