Our Blog
The latest news about Internet security and privacy.
How 2FA and MFA Work to Protect You
Posted by BulletVPN on 17 05 2020.
The World Wide Web keeps on evolving and so does cybercrime. In today’s internet, securing your accounts and everything you do online is very important. However, your password may not be enough anymore. That’s why enabling either Two-factor authentication or Multi-factor authentication has become a crucial factor. They add another layer of security if your password has been stolen. That also applies to when you’re using the same password for multiple websites. Unfortunately, a lot of users don’t implement it, including 90% of Gmail users, which is why we came up with this guide. In order to raise security awareness, here’s how 2FA and MFA can protect you.
2FA and MFA – A Quick Intro
Complex passwords or passphrases are a very secure method to protect access to digital assets. However, they will be vulnerable to hacking as long as users stick to passwords of the kind of “qwerty” or “password123”.
If you have a password that is a combination of 12 small letters (a-z), capital letters (A-Z) and numbers (0-9), a hacker would need some 200 years to crack your passcode.
| Password Length | Time to Crack | With Special Character |
| 9 characters | 2 minutes | 2 hours |
| 10 characters | 2 hours | 1 week |
| 11 characters | 6 days | 2 years |
| 12 characters | 1 year | 200 years |
| 13 characters | 64 years | — |
As you can see, the problem is not that cracking a password is easy. It’s that users still select weak passwords or have sticky notes with their passwords next to their computer.
Hence, the need for a second factor that authenticates who “the user that has valid permissions to access a digital asset or online service” is. We call it two-factor authentication, or 2FA, as opposed to single user authentication. It’s where you use only one factor to grant access to the required resource.
As security requirements evolve, some systems and organizations started implementing more than two factors as protection, and now we have multiple systems and services that employ three or more factors for authentication – a method known as multi-factor authentication, or MFA.
How 2FA and MFA Work
If you have adopted a point-to-point VPN (Virtual Private Network) to connect endpoints within your corporate network, you also need to make sure only authenticated users are connecting to your VPN and access various resources from there.
Using a username and password is one method that is relatively secure when the user is behind your corporate firewall and connects to a remote office where another firewall filters the traffic and connection requests.
But there is a growing number of scenarios where your employees connect from remote home-office locations or through a mobile device on which no added protections such as a firewall are installed.
In this case, a working method is to verify one’s identity and authenticate the connection request by adding one or more additional factors beyond a username and password.
The Factors
These factors work for both 2FA and MFA implementations and include:
- Knowledge pertains to information only the specific user is supposed to know, such as a password, answer to a security question, PIN code, or any other info.
- Possession is a factor that refers to something the user physically possesses e.g., a phone to which you can send a verification SMS. Hardware and software tokens also fail in this category.
- Inherence or biometrics is an authentication factor that refers to unique user characteristics such as fingerprints, facial recognition, iris, and retina scans, voice recognition, and any other biometric characteristics.
- Implicit factors include characteristics such as user/device location, device, and operating system versions, and any other factor that does not explicitly confirms user identity but adds a further layer of protection.
Both 2FA and MFA protections rely on these four groups of factors to authenticate the user. Evidently, you can use as many factors as you deem appropriate to make sure that only authorized users get online or physical access to your properties.
2FA vs. MFA Comparison
In theory, 2FA is considered a multi-factor method for authenticating connections. But the main issue with 2FA is that most such services operate by sending an SMS or an email message to a user device upon receiving a request for logging in.
Types of 2FA in Wide Use in the United States
Source: Statista
Modern hackers can easily catch and replace such a message/SMS with a fake one. As a result, they circumvent 2FA once they have cracked a user password, which is the first factor.
Many such attacks have been reported in the past few years, and multiple phishing attacks aim at tricking users into connecting to a fake site that features 2FA. In each case, the hackers use methods either to get the confirmation message while in transit or to lure the user into entering the code into the fake website.
Returning to the above use case for a VPN connection with 2FA protection, you can avoid such a scenario by introducing an additional authentication factor. If your employees connect from home or field locations, you can ask for a fingerprint or check the specific device address known as the MAC address.
With the fingerprint, you authenticate the specific person who is requesting a connection to your network. On the other hand, by using the MAC address as a factor, you authenticate the device. Sure, you can ask for both a legitimate MAC address and an approved fingerprint, which will result in four-factor authentication with the 4FA involving a username with a password, an electronic confirmation message, a fingerprint, and then a device MAC address.
A combination of four factors like these is not impenetrable, but cracking such cyber-security protection requires very, very devoted bad actors who have access to virtually limitless resources.
Adaptive MFA Systems
Since bad actors with unlimited resources really exist, the modern cyber-security industry is introducing adaptive MFA systems. These systems are asking for different authentication factors depending on a number of conditions.
For instance, such a system will be able to recognize when an employee (a device) is connecting from a secure perimeter inside your premises. It also can identify when the connection request is coming from outside the office e.g., from a home office. Depending on the circumstances, the one and the same employee will be asked to enter a valid username with a password in the first case, or he/she will need to provide one more proof of identity in the second scenario.
Adaptive multi-factor authentication in practice recognizes trusted and untrusted locations, or other conditions, and selects a proper level of authentication depending on the specific case.
Who Supports 2FA?
A lot of Gmail users enable 2FA, and they receive an access code via SMS. This makes Google one of the companies that apply the technology. However, Google isn’t the only one that uses 2FA. The following list some of the popular companies that implement 2FA:
- Apple iCloud
- Backblaze
- Dropbox
- PCloud
- Avanza (Banking)
- Hangouts
- Skype
- Slack
- Telegram
- Zoom
- Binance
- BitBay
- Google Play
- Twitch
- Youtube
- Snapchat
- Tumblr
You can find the full list if you follow the link above. There’s one more thing we have to note. 2FA has a long way to go as too many companies are yet to apply the technology.
Even big media channels who have millions of subscribers still don’t use 2FA. We’re talking about the likes of Netflix, Hulu, Disney+, Pandora, and Spotify.
Concluding Words
MFA and 2FA are not a substitute for cyber-security tools. We’re referring to the likes of firewalls, VPN software, antivirus suites, and intrusion detection systems. Both 2FA and NFA are methods to guarantee that a user who connects to your systems and networks is the same person to which access permissions are granted i.e., you have a legitimate connection.
The adoption of an MFA strategy follows quite a simple logic. However, the implementation is costly in terms of hardware and/or software resources involved. It limits the use of wide-reaching MFA implementations to large and multinational corporations while the adoption of 2FA methods for authenticating users is largely affordable for most medium-sized businesses and even small companies.
What you need to keep in mind is that the most affordable and widespread method used as a second factor in 2FA implementations, an electronic message with a code being sent to the user, is also the less secure. Consider using another second factor as a tool for authenticating your users unless you have a very secure channel to send and receive authentication messages.