
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Do You Know Which Multi-Factor Authentication Methods are Insecure?

October 12, 2018 By The Editor


Multi-factor authentication (MFA) methods have steadily increased in popularity as the security industry and the public have continued to recognize the weaknesses associated with passwords. But did you know that not all MFA methods are equally secure? Most people think of MFA as receiving a one-time password (OTP) via an SMS text message. However, NIST no longer recommends this method because of how easy it is for an attacker to steal or intercept the SMS carrying the password.

Dark Reading recently published an article by WatchGuard’s Director of Authentication, Alexandre Cagnoni, that explains several different MFA methods and rates the security of each. Each method has strengths and weaknesses, so it’s important for businesses rolling out MFA solutions to be aware of exactly which method they’ll be using. For example, push-based authentication tokens offer a highly secure and usable way for users to authenticate using mobile phones, but require a data connection. If users need to regularly log in from places that lack a data connection, consider a QR code-based token method instead.

Here’s an excerpt from Alex’s article where he explains how push-based authentication works in more detail:

Unlike SMS, the push message won’t carry the OTP. Instead, it will carry an encrypted message that can be opened only by the specific app on the user’s phone. So, the user will have contextual information to decide if the login attempt in question is genuine, and then can quickly approve or deny the authentication. If approved, a unique OTP should be generated internally by the token on the user’s phone and sent back with the approval to verify it. Not all MFA solutions do this, which increases the risk of a push approval message being mimicked or spoofed.
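The approval step described in the excerpt, as an added example that is not taken from the Dark Reading article or from AuthPoint: the server accepts an approval only if it carries an OTP the phone token derived from the secret shared at enrollment and from that login's nonce. The class and function names, the HMAC-SHA256 derivation and the 60-second lifetime are assumptions, and encryption of the push itself is left out to keep the sketch to the standard library.

```python
import hmac, hashlib, secrets, struct, time

def otp_for(seed: bytes, nonce: bytes, decision: str) -> str:
    """HOTP-style 6-digit code bound to this login's nonce and the decision."""
    mac = hmac.new(seed, nonce + decision.encode(), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                    # dynamic truncation as in RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"

class AuthServer:                              # hypothetical server side
    def __init__(self, seed: bytes, ttl: int = 60):
        self.seed, self.ttl, self.pending = seed, ttl, {}

    def send_push(self, user: str, context: str) -> dict:
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = (user, time.time() + self.ttl)
        # A real push would also be encrypted to the app (omitted: assumption).
        return {"user": user, "context": context, "nonce": nonce}

    def verify(self, nonce: bytes, decision: str, otp: str) -> bool:
        entry = self.pending.pop(nonce, None)  # single use: a replay finds nothing
        if entry is None or time.time() > entry[1]:
            return False
        expected = otp_for(self.seed, nonce, decision)
        return decision == "approve" and hmac.compare_digest(expected, otp)

class PhoneToken:                              # hypothetical app on the user's phone
    def __init__(self, seed: bytes):
        self.seed = seed

    def respond(self, push: dict, user_approves: bool) -> tuple:
        decision = "approve" if user_approves else "deny"
        return push["nonce"], decision, otp_for(self.seed, push["nonce"], decision)

def demo() -> dict:
    seed = secrets.token_bytes(32)             # constructed enrollment secret
    server, phone = AuthServer(seed), PhoneToken(seed)
    results = {}
    reply = phone.respond(server.send_push("alice", "VPN login, Seattle"), True)
    results["genuine"] = server.verify(*reply)
    results["replayed"] = server.verify(*reply)       # same reply sent twice
    push = server.send_push("alice", "VPN login, Seattle")
    results["spoofed"] = server.verify(push["nonce"], "approve", "")  # bare approval, no OTP
    push = server.send_push("alice", "VPN login, unknown host")
    results["denied"] = server.verify(*phone.respond(push, False))
    return results
```

Only the genuine approval is accepted; the replayed reply, the bare approval with no OTP and the user's denial are all rejected.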

To make multi-factor authentication available to companies of all shapes and sizes, WatchGuard offers AuthPoint, a fully cloud-based MFA solution. Unlike on-premises MFA solutions that require considerable upfront expense and a large staff to deploy and manage, AuthPoint offers secure authentication services entirely through the cloud, for a few dollars per user per month.

Learn more about AuthPoint here and read more about digital authentication methods throughout history here on Secplicity.


Filed Under: Editorial Articles, Featured
