Multifactor Authentication: Still the Best Defense Against Account Takeovers
Introduction
Account takeovers remain one of the most pressing cybersecurity threats facing individuals and organizations today. As cybercriminals become more sophisticated in their methods, relying solely on static login credentials like usernames and passwords is no longer enough to keep accounts secure. This is where multifactor authentication comes in – by requiring users to present two or more pieces of evidence to prove their identity, it acts as an essential extra layer of defense against unauthorized logins.
In this article, I will examine why multifactor authentication is still the most effective solution to combat account takeovers, despite the emergence of more advanced biometric techniques like fingerprint scanning and facial recognition. I will also outline the different types of multifactor authentication and provide guidance on implementation. My goal is to demonstrate that this technology, though not new, remains the best practice for thwarting account takeovers when applied properly.
The Ongoing Threat of Account Takeovers
Account takeovers have become one of the most common threats in the digital era. A 2022 report found that account takeovers increased by 74% year-over-year, with over 20 billion attacks detected in just the first half of 2022. This uptrend is being driven by several key factors:
-
The explosion of online accounts: As digital services continue to proliferate, the average person now has over 100 online accounts, providing a wealth of targets for attackers.
-
Credential stuffing: Cybercriminals are automating account takeover attempts using huge dictionaries of breached credentials. This allows them to exploit password reuse at scale.
-
Social engineering: Through phishing and smishing (SMS phishing), attackers trick users into surrendering their login credentials voluntarily.
The impact of successful account takeovers can be severe, ranging from financial theft, to loss of sensitive personal data, to reputational damage. For organizations in particular, a brand’s customers expect their accounts to be secure – data breaches caused by account takeovers can violate that trust and affect the bottom line.
Given the rising frequency and high stakes of this threat, relying solely on static login credentials is no longer prudent cybersecurity practice. More advanced defenses like multifactor authentication (MFA) are needed.
The Principle Behind Multifactor Authentication
Multifactor authentication is based on a simple, yet powerful principle: requiring users to present two or more independent credentials to authenticate, rather than just one factor like a password. This adheres to the guidance that true security stems from layered defenses.
Specifically, multifactor authentication solutions require users to combine:
-
Something you know, like a password or PIN. This covers the static login credential.
-
Something you have, like a one-time code from an authentication app or a hardware token. This covers the dynamic, second factor.
By necessitating two factors rather than one, MFA protects against a wider variety of threat scenarios:
-
If a password is compromised in a breach, the account still cannot be accessed without also stealing the user’s physical second factor.
-
If a user’s credentials are phished or guessed, the attacker still cannot login without obtaining the dynamically generated one-time code.
-
Even if malware is present on the user’s device, the account remains secure as long as the second factor remains out of reach of the malware.
Attacks that rely on stealing static credentials like passwords universally fail when MFA is active. This mechanism aligns with the cybersecurity best practice of defense in depth – forcing attackers to overcome multiple, different barriers to achieve their objectives.
MFA Options: TOTP, Push Authentication, Biometrics, and More
While all multifactor authentication solutions follow the two-factor principle, there are numerous options for what those factors actually are. Organizations looking to implement MFA should understand the major types available:
Time-Based One-Time Password Algorithms (TOTP)
TOTP apps like Google Authenticator and Authy generate codes that refresh every 30 seconds. Users just check the app and enter the current code when prompted. TOTP is one of the most ubiquitous and easy-to-use MFA methods.
Pros: Very convenient for users; apps available on all devices.
Cons: Requires the user to have constant access to their mobile device.
Push Authentication
With push auth, users consent to an MFA check on their mobile device using a simple tap or click, rather than entering a code. Push is user-friendly but requires integration with a mobile app.
Pros: Extremely seamless user experience.
Cons: Requires developing a custom mobile app.
Hardware Tokens
Hardware tokens are dedicated physical devices that generate one-time codes for MFA. They offer security advantages but can have high costs.
Pros: Tokens are impossible to replicate. No need for smartphones.
Cons: Expensive to purchase and distribute; tokens can be lost.
Biometrics
Biometric techniques like fingerprint, facial, or retina scanning eliminate codes and tokens entirely, using unique biological data for authentication. Biometrics remain rare in MFA currently though due to tech limitations.
Pros: Very user-friendly; users can’t lose their biometrics.
Cons: Spoofing biometrics is possible; tech is still maturing.
SMS/Phone Call Codes
Codes can also be delivered directly via automated phone calls or SMS texts. Avoid relying solely on SMS though, due to SIM swapping risks.
Pros: No need for smartphones or tokens.
Cons: SMS texts can be intercepted; phone calls can be disrupted.
The optimal MFA method depends on each organization’s specific user base, resources, threat model, and other factors. But using any MFA is vastly preferable to relying on passwords alone in 2022.
MFA Adoption Remains the Top Priority
Despite the proven benefits of multifactor authentication, adoption still remains low overall. Surveys suggest only around 50% of users currently rely on MFA for their online accounts. But for securing against account takeovers, raising MFA usage is by far the most impactful strategy.
For individuals, MFA should be enabled everywhere it is offered – especially for important accounts like email, banking, and social media. The minor inconvenience of MFA is outweighed exponentially by its ability to protect accounts.
For organizations, rolling out MFA across the employee base and customer accounts should be a top cybersecurity initiative. Prioritizing wide MFA adoption will prevent account takeovers more effectively than nearly any other security control.
MFA should also be required for all accounts with administrative privileges, as those carry the highest risk. Overall, maximizing MFA usage directly translates to minimizing account takeover susceptibility.
Advanced Authentication Methods Are Not Silver Bullets
In light of MFA’s stellar security against account takeovers, why hasn’t it rendered all other authentication techniques obsolete? The reality is that while MFA remains the benchmark, no single cybersecurity solution is a silver bullet.
Alternative authentication proposals like biometric scanning or hardware-secured keys certainly carry advantages. Fingerprint unlocking can offer quicker logins for mobile devices. Cryptographic security keys provide protection against sophisticated phishing.
However, these emerging technologies also have substantial drawbacks currently:
- Biometrics remain vulnerable to spoofing attacks and lack maturity.
- Widespread adoption of hardware keys poses serious logistical challenges.
- Cost and accessibility barriers persist across newer methods.
MFA strikes the ideal balance of strong security with simple, scalable implementation. Organizations will integrate additional authentication factors over time. But for defending against account takeovers, broadly available MFA options are still optimal.
Rather than waiting for a revolution in authentication tech, the priority should be expanding MFA usage immediately using existing standards. MFA adoption remains the single most impactful step for safeguarding accounts.
Conclusion
As cyber threats like credential stuffing and social engineering drive massive surges in account takeover attempts, relying on passwords alone has become antiquated security practice. Multifactor authentication serves as the crucial extra layer of protection needed, requiring users to validate with an additional factor beyond just static login credentials.
MFA options like TOTP apps, push auth, biometrics, hardware tokens, and phone codes all uphold the two-factor principle, presenting varying advantages. But the urgent priority for both individuals and organizations is to roll out multifactor authentication widely, rather than waiting for a silver bullet authentication method. Maximizing MFA adoption using current standards remains the most effective defense against account takeovers for the foreseeable future. No other single cybersecurity measure can match MFA’s ability to protect accounts from unauthorized access.
