Lots of changes have happened to the way we use IT over recent years, but one that most people will remember is the need to use multifactor authentication (or MFA, as it has become known) when logging in to IT systems. It certainly made logging on at the start of the working day more time consuming, and because of that many people resisted it. However, the overwhelming cyber security risk of not using it meant firms were forced to adopt it.
However, the world of cybercrime moves on at pace, and what would once have been considered secure often no longer is – and the same unfortunately applies to multifactor authentication, or at least to some earlier iterations of it. Some of the tactics cyber criminals use to circumvent older forms of multifactor authentication are as follows:
Email based codes
This is when a code to access your application is sent to you by email. These codes are no longer commonly used, as email accounts are frequently compromised themselves and the code can easily end up on a device (such as a mobile phone) that is not secured.
Text based codes
Text-based codes were once the most common approach to having a second form of authentication, but most systems are beginning to phase this out. As we have previously reported, text messages can be intercepted using common SIM cloning or hijacking techniques.
Codes on authenticator apps
This is still the most common form of multifactor authentication and is relied on by many applications. However, the major technology companies such as Microsoft and Google, and providers holding highly sensitive information such as password managers, are moving away from it. Cyber criminals can now easily intercept these codes using fake websites that look identical to the genuine provider's website.
Tap to approve on authenticator apps
Your mobile phone based authenticator app ‘buzzes’ you and you must approve a message on the phone to grant access. This prevents the phishing and code interception techniques described above and becomes more robust when combined with biometric authentication.
However, there have been cases of ‘brute force’ attacks where cyber criminals acquire the username and password for an account, usually through a phishing attack or a compromised website, then repeatedly attempt to log in with it in the hope that the phone owner gets fed up with the ‘tap to approve’ messages and accepts one, letting the criminal in.
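The repeated-prompt attack described above leaves a recognisable trace in sign-in logs: a burst of push prompts to one user in a short window, often followed by an approval. The following detection logic is an added example written for this article and is not Pro Drive's or Microsoft's code; the log format (timestamp, user, event), the sample lines and the threshold of four prompts in five minutes are all constructed assumptions, and a real deployment would read the provider's own sign-in export instead.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data): "<timestamp> <user> <event>".
# bob receives five push prompts in under a minute late at night and then approves one.
SAMPLE_LOG = """\
2024-05-01T08:00:05Z alice mfa_push_sent
2024-05-01T08:00:40Z alice mfa_push_approved
2024-05-01T22:14:01Z bob mfa_push_sent
2024-05-01T22:14:09Z bob mfa_push_sent
2024-05-01T22:14:20Z bob mfa_push_sent
2024-05-01T22:14:31Z bob mfa_push_sent
2024-05-01T22:14:45Z bob mfa_push_sent
2024-05-01T22:15:02Z bob mfa_push_approved
2024-05-01T09:30:00Z carol mfa_push_sent
2024-05-01T09:30:12Z carol mfa_push_denied
"""


def parse_line(line):
    """Split one constructed log line into (datetime, user, event)."""
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event


def find_push_floods(log_text, threshold=4, window=timedelta(minutes=5)):
    """Return {user: (prompts_in_window, approved_after_burst)} for every user
    who received at least `threshold` push prompts inside `window`.

    A sliding window of recent prompt timestamps is kept per user, so lines for
    different users may be interleaved in any order.
    """
    recent = defaultdict(deque)   # user -> timestamps of recent push prompts
    flagged = {}
    for line in log_text.strip().splitlines():
        ts, user, event = parse_line(line)
        q = recent[user]
        if event == "mfa_push_sent":
            q.append(ts)
            while ts - q[0] > window:          # drop prompts older than the window
                q.popleft()
            if len(q) >= threshold:
                approved = flagged.get(user, (0, False))[1]
                flagged[user] = (len(q), approved)
        elif event == "mfa_push_approved" and user in flagged:
            # An approval right after a burst is exactly what the attack relies on;
            # that account deserves immediate investigation, not just a count.
            count, _ = flagged[user]
            flagged[user] = (count, True)
    return flagged


if __name__ == "__main__":
    for user, (count, approved) in find_push_floods(SAMPLE_LOG).items():
        print(f"{user}: {count} push prompts in window, approved afterwards: {approved}")
```

Running this over the constructed log flags only bob, with five prompts and an approval following the burst; alice and carol each received a single prompt and are not reported. The approval flag is the important signal, because a user who finally taps "approve" to stop the buzzing has just let the attacker in.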
Number matching
This is the latest standard in use by Microsoft. You receive a ‘tap to approve’ message on your authenticator phone app, which then generates a code that you need to enter directly into the app you are accessing on your computer. This prevents the brute force issue described above and is considered by Microsoft to be secure enough to replace the use of passwords entirely. If you are a Pro Drive client, you will likely have been automatically upgraded to this standard for your Microsoft access.
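To show why number matching defeats the repeated-prompt attack where plain tap-to-approve does not, here is a small server-side model of both approval modes. It is an added example for this article, not Microsoft's or Pro Drive's implementation: it assumes the sign-in screen displays a two-digit number and the authenticator app sends the number the user types in (the exact screen that shows the number varies by provider), and the `PushVerifier` class, challenge ids and user names are all constructed. The property being demonstrated is the same either way: a bare tap no longer authenticates, so a user who approves a prompt they did not start cannot be tricked into letting someone in.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Challenge:
    """One pending push prompt. `number` is shown only on the sign-in screen."""
    user: str
    number: str
    approved: bool = False


class PushVerifier:
    """Toy model of the server side of push approval, with or without number matching."""

    def __init__(self, number_matching: bool):
        self.number_matching = number_matching
        self.pending = {}            # challenge id -> Challenge

    def start_signin(self, user):
        """Password accepted; issue a push challenge and return (id, number to display)."""
        cid = secrets.token_hex(4)
        number = f"{secrets.randbelow(100):02d}"
        self.pending[cid] = Challenge(user, number)
        return cid, number

    def approve(self, cid, entered=None):
        """Called when the authenticator app reports approval.

        Under tap-to-approve any approval is accepted. Under number matching the
        user must supply the number from the sign-in screen; a bare tap or a
        wrong number is rejected and the challenge is discarded, so it cannot be
        retried with another guess.
        """
        ch = self.pending.pop(cid, None)
        if ch is None:
            return False
        if self.number_matching:
            if entered is None or not secrets.compare_digest(entered, ch.number):
                return False
        ch.approved = True
        return True


def blind_tap_outcome(number_matching):
    """Someone else started the sign-in, so the number is on their screen, not the
    user's. The worn-down user just taps 'approve' without entering anything."""
    v = PushVerifier(number_matching)
    cid, _displayed_elsewhere = v.start_signin("alice")
    return v.approve(cid)


def legitimate_outcome():
    """The user started the sign-in, sees the number, and types it into the app."""
    v = PushVerifier(number_matching=True)
    cid, shown = v.start_signin("alice")
    return v.approve(cid, shown)


def guessed_number_outcome():
    """A wrong number burns the challenge: even the right number fails afterwards."""
    v = PushVerifier(number_matching=True)
    cid, shown = v.start_signin("alice")
    wrong = "00" if shown != "00" else "01"
    return v.approve(cid, wrong), v.approve(cid, shown)


if __name__ == "__main__":
    print("blind tap, tap-to-approve  :", blind_tap_outcome(False))   # lets the intruder in
    print("blind tap, number matching :", blind_tap_outcome(True))    # rejected
    print("legitimate number matching :", legitimate_outcome())
    print("wrong guess then correct   :", guessed_number_outcome())
```

The comparison uses `secrets.compare_digest` so that checking the number takes the same time whether or not it matches, and a failed attempt discards the challenge rather than leaving it open for a second guess. Two digits give only a hundred possibilities, which is fine precisely because each prompt allows exactly one attempt and a fresh prompt means a fresh number.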
What else can you do?
Multifactor authentication is still crucially important – and you should ensure you are using the latest version that your applications allow. However, there are some other approaches you can use to improve the security of your cloud applications. These include:
Single Sign-on
This is where you use your Microsoft (or another provider's) login to access your business application. This can be useful if the application does not offer multifactor authentication itself, or only offers an outdated form of it. By switching to logging on with your Microsoft login you benefit from the latest multifactor authentication security and save time by having one less login to use and remember.
Access lockdown
This is where you restrict access to your application to certain locations, devices or IP addresses. Pro Drive clients will likely have this in place for their Microsoft 365, but it is good practice to put it in place for any other systems holding confidential or sensitive data where it is offered as an option. IP address lockdown is the most powerful, as it allows access to be blocked from anywhere outside your office or from anyone other than specifically enabled remote workers.
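The IP address lockdown described above boils down to an allowlist of office ranges plus the individual addresses of enabled remote workers, checked against the address each sign-in actually arrives from. The following is an added illustration written for this article, not a configuration from Pro Drive or from Microsoft 365: the office range and remote-worker address are constructed placeholder values from the documentation-only IP blocks, and real providers expose this as a policy setting rather than code.

```python
import ipaddress

# Constructed policy (placeholder values, not a real configuration).
OFFICE_NETWORKS = ["203.0.113.0/24"]          # the office's public range
REMOTE_WORKER_ADDRESSES = ["198.51.100.7"]    # one specifically enabled home address


def build_allowlist(networks, hosts):
    """Turn CIDR ranges and single addresses into one list of network objects.
    A bare address becomes a /32 (or /128) network containing only itself."""
    allowed = [ipaddress.ip_network(n) for n in networks]
    allowed += [ipaddress.ip_network(h) for h in hosts]
    return allowed


ALLOWLIST = build_allowlist(OFFICE_NETWORKS, REMOTE_WORKER_ADDRESSES)


def is_allowed(source_ip, allowlist=ALLOWLIST):
    """Fail closed: only a well-formed address inside an allowed range passes.
    Garbage input, and an IPv6 client when only IPv4 ranges are listed, are denied."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def evaluate(attempts, allowlist=ALLOWLIST):
    """Decide a batch of sign-in source addresses; handy for reviewing a policy
    against a day's worth of sign-in log entries before enforcing it."""
    return {ip: is_allowed(ip, allowlist) for ip in attempts}


if __name__ == "__main__":
    # Constructed sample of source addresses seen in sign-in attempts.
    sample = ["203.0.113.45", "203.0.114.1", "198.51.100.7",
              "198.51.100.8", "2001:db8::1", "not-an-ip"]
    for ip, ok in evaluate(sample).items():
        print(f"{ip:>16}  {'allow' if ok else 'deny'}")
```

Two points matter when applying this for real. The address checked must be the one the service observes on the connection, never a value the client supplies in a request header, otherwise the lockdown is trivially sidestepped. And the check is a complement to multifactor authentication rather than a substitute: a stolen password used from inside the office range still needs the second factor to stop it.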
To enhance the security of your applications, contact us at 0330 124 3599 for a comprehensive cyber security assessment.