Welcome to ThatThirdPartyGuy.com – my website highlighting my journey in third party cyber-security.

Is All MFA the Same?

23 September 2022

Multi-Factor Authentication (MFA) has become the standard for protecting high-value access.  This is especially true for privileged accounts, remote access (far more common in recent years), and pretty much any account that handles your important assets, such as banking, insurance, and medical websites or phone apps.

What is MFA? 

A brief refresher: identity and access processes rely on answering essentially three questions – who are you (identification), can you prove it (authentication), and what do you have access to (authorization to do x, y, or z)?  Multi-Factor Authentication strengthens the authentication step by providing additional assurance that you are indeed the identity you claim to be.

NIST (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf) defines the factors for MFA: “Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric)”.  Microsoft agrees with that, and simplifies it further (https://support.microsoft.com/en-us/topic/what-is-multifactor-authentication-e5e39437-121c-be60-d123-eda06bddf661): “Something you know – Like a password, or a memorized PIN; Something you have – Like a smartphone, or a secure USB key; Something you are – Like a fingerprint, or facial recognition”.

The UK Minimum Cyber Security Standard states that highly privileged accounts must have MFA (https://www.gov.uk/government/publications/the-minimum-cyber-security-standard/the-minimum-cyber-security-standard).

The UK wireless network standard for schools and colleges adds “..for technical support staff”, indicating that they could be a vulnerable set of users who often hold additional privileges (https://www.gov.uk/guidance/meeting-digital-and-technology-standards-in-schools-and-colleges/wireless-network-standards-for-schools-and-colleges).

Ok, But I Use MFA

Did you catch the part from Microsoft about the smartphone being a factor?  That has been a point of contention in the cybersecurity world because phones are not designed to be security devices.  Yet they are ubiquitous, convenient and, technically, “something you have”.  The problem with using a non-security device as a security device is that you may have it, but somebody else may also have it, or may gain access to it through cloning, number porting and the like even if you never let it out of your control.

So What?

That is what is so nerve-wracking whenever a telephone provider is breached and loses control of its data.  There appear to be concerted attacks against at least one telco – Singtel.  They have had a string of big data breaches, losing personally identifiable information for at least 129,000 people in Feb 2021 (https://www.singtel.com/about-us/media-centre/news-releases/singtel-addresses-data-breach-moves-to-support-affected-stakeholders), and more recently there was another attack on one of their subsidiaries, Optus, which reportedly lost records of 2.8 million or more users.

What could an attacker do with that information?  Any information about a target is useful to an attacker, but in this case they may be able to combine it with other information and use it to reset your account details, or they may try to port your number to a new device so they can use it to mount an attack against your MFA-protected accounts.  There are certainly other ways to use the data, but let’s not make it too easy.

Be careful to choose an MFA method appropriate for your risk.  If you rely on your phone (a non-security device) for a call-back, a text-message code or some other vulnerable method to protect your accounts, you could be in for a nasty surprise.  There are several freely available authenticator apps from Google, Microsoft, Symantec and others that can help you increase your authentication protection for your more sensitive and privileged accounts.