By: Stephen Jones
With a seemingly unending list of high-profile data breaches in recent news, many organizations are reevaluating their security posture and seeking additional protection. At times like this, reexamining the fundamentals of your security posture is just as important as adopting new developments in the industry. Today, we want to discuss one of the most important of those fundamentals: two-factor authentication (2FA).
Adding a second factor to your user authentication system is one of the most effective ways to prevent unauthorized access. To summarize our previous article on multi-factor authentication (MFA): 2FA is a sign-in system that requires users to provide one additional proof of identity besides their password, so that an attacker who has obtained the password alone still cannot authenticate into your network.
Common secondary factors used alongside a password for 2FA include phone calls, SMS/text messages, authenticator apps, and hardware tokens.
On the surface, each of these methods may seem like a great way to increase security with minimal disruption to user productivity. However, several of them come with significant flaws that make them "better than nothing" but far from the most secure and reliable option available. In this article, we will examine the advantages and problems of each method to determine which ones businesses should rely on.
Using the phone call method, or "proof of life" as I like to call it, is better than not using 2FA at all, but it can create a dangerous set of circumstances in which a legitimate user unknowingly lets an attacker into their account. In fact, the phone call method has at least two major weaknesses that even an amateur attacker can use to trick you into granting them access.
This method generally works as follows: you enter your username and password, the service places an automated call to your registered phone number, and you press a key on the keypad to approve the sign-in.
The process described above for phone call 2FA may sound secure enough. After all, how can an attacker get into your account without access to your phone? But it gets more complicated as you access different apps and resources using this method throughout the day: sessions periodically time out, and you have to use the phone call method again and again to sign back in. Many users get accustomed to the routine, and the phone call offers no context about which application or session you are approving when you answer it. Did the session for your work email on your mobile expire? Was it the chat app session on your laptop? If you aren't paying close attention, it isn't always clear, which makes it easy to accidentally approve an access request coming from a malicious third party.
Unfortunately, threat actors know about this weakness and have learned to abuse it to trick you into letting them in. The attack is remarkably simple and low-effort, with the potential for a high payoff. If the attacker has your username and password (obtained from a successful phishing campaign, a credential leak from another compromised company, or a dictionary attack), they can complete the first part of authentication and reach the 2FA prompt. Now you get a phone call, the same phone call you get several times per week or even per day. Maybe you are careful and realize what is going on in time, or maybe you are distracted or in a rush and press the button, letting the attacker into your account.
The attack described above, often called MFA fatigue or prompt bombing, works especially well when the attacker times it correctly, so the call arrives during your normal business hours when you expect to receive one. A determined attacker can also attempt authentication repeatedly, sending you call after call in the hope that you will approve one just to make them stop.
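The two signals described above, a burst of repeated challenges to one user and an approval that arrives outside business hours, are both easy to spot in authentication logs. The script below is an added example (not part of the original post, and not any vendor's product) that runs detection logic over a constructed sample of 2FA challenge events; the log format, user names, and the 08:00 to 18:00 business window are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, user, method, result.
# bob receives four calls in two minutes late at night and finally approves one.
SAMPLE_EVENTS = """\
2024-03-04T09:12:03 alice@example.com call approved
2024-03-04T23:41:10 bob@example.com call timeout
2024-03-04T23:41:52 bob@example.com call timeout
2024-03-04T23:42:30 bob@example.com call timeout
2024-03-04T23:43:15 bob@example.com call approved
2024-03-05T10:05:00 carol@example.com sms approved
"""

# Assumed business hours (local time) used for the after-hours check.
BUSINESS_START_HOUR = 8
BUSINESS_END_HOUR = 18


def parse_events(text):
    """Parse the whitespace-separated sample format into (ts, user, method, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, method, result = line.split()
        events.append((datetime.fromisoformat(ts), user, method, result))
    return events


def find_prompt_bombing(events, threshold=3, window=timedelta(minutes=10)):
    """Return {user: max challenges seen in any `window`} for users at or above `threshold`.

    A sliding window over each user's sorted challenge times finds the densest burst;
    a legitimate user rarely triggers three or more challenges in ten minutes.
    """
    by_user = defaultdict(list)
    for ts, user, _method, _result in events:
        by_user[user].append(ts)

    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def find_after_hours_approvals(events):
    """Return (user, ts) for approved challenges outside the assumed business window."""
    return [
        (user, ts)
        for ts, user, _method, result in events
        if result == "approved" and not BUSINESS_START_HOUR <= ts.hour < BUSINESS_END_HOUR
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("burst of challenges:", find_prompt_bombing(evs))
    print("after-hours approvals:", find_after_hours_approvals(evs))
```

An approval that follows a burst of timed-out challenges is the strongest signal of the two; in practice you would feed these functions your identity provider's sign-in log export and route a hit to the same security team the user self-reports to.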
Remember when we mentioned there were two major vulnerabilities in the phone call method? The second is actually shared by both the phone call and the SMS/text message methods. Beyond tricking you into approving their authentication attempt, a more sophisticated attacker can hijack the phone call or text message itself. This requires the attacker to either clone your phone's SIM card or compromise a virtual phone number provider such as Google Voice, so that the incoming 2FA call or text is delivered to them instead of you. Both options take significantly more effort on the attacker's part than the approval-fatigue attack described above, but they still present a real threat to the integrity of your accounts.
Authenticator apps and hardware tokens are generally considered the most secure options available. Because you have to type the PIN or code into a box on the sign-in page and click Submit, the code is tied to the specific sign-in attempt in front of you, which is exactly the context a ringing phone lacks. An attacker who triggers a prompt gets nothing from it unless you actively hand them the code, which drastically reduces their ability to game the system by tricking you into approving a malicious attempt. It may seem simple, but that added context makes authenticator apps a significantly less attractive target. One caveat worth knowing: a one-time code can still be captured if a user types it into a convincing phishing page that relays it to the real site in real time, so user awareness still matters even with an authenticator app.
At Dataprise, we recommend that our customers disable the phone call and SMS 2FA methods in favor of authenticator apps and hardware tokens whenever possible. If extenuating circumstances leave phone call and SMS as the only 2FA methods available, we highly recommend educating users so that they understand the risks, the attack vectors, and the vulnerabilities they are exposed to. Encourage your employees to self-report suspicious or ill-timed 2FA challenge calls or text messages to your security organization, especially when they happen after hours.
Using a password manager to store and manage passwords, using a different password for every application and account, and following password complexity best practices also reduce the likelihood of compromise, since each of the attacks above starts with a stolen password. For more information on how to protect your organization against cyber attackers, continue reading our blog or contact our Managed Cybersecurity team.