Is Your MFA Married to Passwords?

Ah, Multi-factor Authentication. MFA. Pronounced “em-eff-ayyyyy”

From the admin to the end-user, everybody loves MFA. Well, not entirely.

You know who really loves MFA? The password. So much so, that the two are practically married.

Chances are your company is already using MFA. You may think it solved your password problem, but do any of these sound like pain points?

  • Password resets
  • User account lockouts
  • Credential reuse
  • Login friction
  • MitM attacks
  • MFA bypass
  • Phishing

So much for solving the password problem.

Despite widespread MFA adoption, password problems are at an all-time high.

The fact is, MFA didn’t replace the password. It made a huge improvement in security posture, but most MFA methods are built on top of passwords. That means most MFA is just adding one shared secret on top of another shared secret.

As more companies try to eliminate passwords, they come to a stark realization: their multi-factor security products have actually married them to passwords, which are an awful security foundation.

A question they ask is, “How do we move away from passwords and ensure multi-factor security?”

The short answer is Passwordless MFA. You can just skip ahead to the part where you divorce the password.

If you prefer to read on, let’s look at three common authentication methods — OTP (one-time password), push, and SMS — and explore how each of these is just another iteration of a password.


One-Time Passwords (OTP)

One-Time Passwords (OTP) are short codes, usually a string of digits, generated either by a hardware security token such as a smart card or key fob, or by a soft token, meaning a mobile app that displays the numbers. After a user has entered a username and password, they are prompted to enter a valid OTP in an additional login field as proof of possession. If the OTP matches the value the server computes, the user can access the account or system.

OTP Password Based MFA Apps

How is an OTP like the password?

First, like the password, an OTP is based on the concept of a shared secret.

Second, it’s literally in the name: One-Time Password.

As the name suggests, OTPs can only be used one time and usually expire after 30 to 60 seconds. They’re certainly more secure than user-created passwords, which can be weak or reused across multiple accounts. However, they still rely on a user password.

OTPs are sometimes mistaken for “passwordless” authentication, but really, they’re just passwords in disguise (it’s in the name after all). They still require a password, and the OTP itself is derived from a shared secret, which means they remain vulnerable to a variety of attacks, such as MFA phishing, mobile malware, keyloggers and man-in-the-middle attacks.
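To make the shared-secret point concrete, here is an added example, written for this page rather than taken from HYPR or from any OTP vendor, of the RFC 6238 TOTP algorithm in Go. The seed is the one from the RFC's own test vectors and is a constructed value here; the names SharedSeed, HOTP, TOTP and VerifyTOTP belong to this example. The thing to notice is that the verifier can only check a code by recomputing it from an identical copy of the seed, and that the clock-drift window keeps a code acceptable for a short while after it is shown, which is the interval real-time phishing and man-in-the-middle relays work within.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strconv"
)

// SharedSeed is a constructed example seed (the ASCII secret RFC 6238 Appendix B
// uses for its SHA-1 test vectors). In a real deployment this identical seed is
// stored in the authenticator app AND in the verifier's database: that is the
// shared secret the post is talking about.
var SharedSeed = []byte("12345678901234567890")

// HOTP implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// followed by dynamic truncation to the requested number of decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	s := strconv.FormatUint(uint64(code%mod), 10)
	for len(s) < digits { // left-pad with zeros so "081804" keeps its leading zero
		s = "0" + s
	}
	return s
}

// TOTP implements RFC 6238: the HOTP counter is the number of step-second
// intervals since the Unix epoch, so the code changes every 30 seconds by default.
func TOTP(secret []byte, unixTime int64, step int64, digits int) string {
	return HOTP(secret, uint64(unixTime/step), digits)
}

// VerifyTOTP is the server side. It can only check a code by recomputing it from
// its own copy of the seed, and it tolerates +/- window steps of clock drift,
// which is also how long a code captured in transit stays usable.
func VerifyTOTP(secret []byte, candidate string, unixTime int64, step int64, digits, window int) bool {
	counter := unixTime / step
	for drift := -int64(window); drift <= int64(window); drift++ {
		expected := HOTP(secret, uint64(counter+drift), digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(candidate)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	// Both sides hold SharedSeed, so the verifier could mint a valid code itself at any time.
	code := TOTP(SharedSeed, 1111111109, 30, 6)
	fmt.Println("code shown on the phone:   ", code)
	fmt.Println("server accepts it now:     ", VerifyTOTP(SharedSeed, code, 1111111109, 30, 6, 1))
	fmt.Println("still valid 20 s later:    ", VerifyTOTP(SharedSeed, code, 1111111129, 30, 6, 1))
	fmt.Println("rejected two minutes later:", !VerifyTOTP(SharedSeed, code, 1111111229, 30, 6, 1))
}
```

With a window of one step either side, a six-digit code stays acceptable for the remainder of its own 30-second slot plus the next one, so a code relayed by a phishing page within that interval verifies exactly as if the user had typed it at the real site; nothing in the protocol ties the code to where it was entered.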


SMS 2-Factor Authentication

SMS text messages are the most common OTP delivery method today. With SMS, OTPs are delivered to the user’s smartphone via text message, negating the need for a separate piece of hardware. As most people have a mobile phone of some kind, avoiding the cost of a hardware token has led many service providers to adopt SMS for large-scale consumer use.

But, like any other OTP method, SMS still relies on the user having a password and on a shared secret, making it a less-than-ideal method of authentication. An OTP message could be delivered to the wrong mobile phone, or your mobile phone could be stolen or compromised. SMS messages can be intercepted via SS7 network attacks, or mobile malware can be used to steal an automated SMS OTP.

In fact, the National Institute of Standards and Technology (NIST) stopped recommending the use of SMS as a strong second factor in July 2016. In the EU, German banks have already begun phasing out the use of SMS OTP.


Push Authentication

Push authentication is another mobile-centric authentication method in which the service provider sends a notification to the user’s mobile phone. The user then only has to tap the screen to get access to the account or system. Push authentication relies on the user having possession of the mobile phone and the ability to unlock it, with a decentralized PIN or a biometric method such as a fingerprint or face recognition.

So, it must be passwordless, right?

PUSH authentication can be used as part of a passwordless system if the solution is built upon PKI or certificate-based authentication. But in most cases today, PUSH authentication is an MFA mode layered on top of additional shared secrets including (you guessed it) a password.

PUSH notifications have also been the subject of recent attacks, with malicious hackers targeting users who may unwittingly approve a dubious PUSH notification prompt for a transaction or login request. Learn more about PUSH Attacks.

In a recent report we found that 9% of survey respondents reported a rise in PUSH attacks since they moved to a remote workforce.


How to Divorce the Password

Companies are adopting a Passwordless approach to Multi-factor Authentication. Through what we call True Passwordless MFA, HYPR customers are able to combine several factors:

  • Something you are: your fingerprint, face scan, or other biometric recognition.
  • Something you have: your smartphone, which acts as a physical FIDO token, similar to a security key or smart card.
  • Something you know: a decentralized PIN that’s also stored safely on your device. 
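As an added illustration of what “something you have” looks like when the phone acts as a FIDO-style token, the Go sketch below runs a challenge-response login. It was written for this page and is a hypothetical model, not HYPR's implementation and not the FIDO or WebAuthn specification; the origin https://login.example.com, the look-alike origin, the user name and every type and function name are constructed for the example. The contrast with the OTP case is the point: the server stores only a public key, every login uses a fresh challenge, and the signature covers the origin the device saw, so a response produced for a look-alike site does not verify at the real one and an old response cannot be replayed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator stands in for the user's phone acting as a FIDO-style token (a
// hypothetical model, not HYPR's code). The private key is generated on the
// device and never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// RelyingParty stands in for the service. Per user it stores only a public key:
// there is no seed or password in this table for a breach or a phish to harvest.
type RelyingParty struct {
	origin  string
	pubKeys map[string]*ecdsa.PublicKey
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// Register enrolls the device; the server receives and keeps the public half only.
func (rp *RelyingParty) Register(user string, a *Authenticator) { rp.pubKeys[user] = &a.priv.PublicKey }

// NewChallenge returns fresh random bytes for one login attempt, so a signature
// over an old challenge is worthless for a new one.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signingInput binds the challenge to the origin the device believes it is
// talking to (a simplified stand-in for WebAuthn's clientDataJSON).
func signingInput(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so origin and challenge cannot run together
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign runs on the phone after the local unlock (biometric or decentralized PIN).
// The unlock never crosses the network; only this signature does.
func (a *Authenticator) Sign(seenOrigin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signingInput(seenOrigin, challenge))
}

// Verify recomputes the bound message with the server's OWN origin, so a
// signature made for any other origin, or over any other challenge, is rejected.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubKeys[user]
	return ok && ecdsa.VerifyASN1(pub, signingInput(rp.origin, challenge), sig)
}

// LoginOutcome records three login attempts against a constructed relying party.
type LoginOutcome struct {
	Genuine     bool // device signed for the real origin
	WrongOrigin bool // device signed for a look-alike origin the user was lured to
	Replayed    bool // an older genuine signature re-submitted against a new challenge
}

func RunScenario() (LoginOutcome, error) {
	var out LoginOutcome
	rp := &RelyingParty{origin: "https://login.example.com", pubKeys: map[string]*ecdsa.PublicKey{}} // constructed
	phone, err := NewAuthenticator()
	if err != nil {
		return out, err
	}
	rp.Register("alice", phone)
	ch1, _ := rp.NewChallenge()
	sig1, err := phone.Sign(rp.origin, ch1)
	if err != nil {
		return out, err
	}
	out.Genuine = rp.Verify("alice", ch1, sig1)
	ch2, _ := rp.NewChallenge()
	sigLure, err := phone.Sign("https://login.example.com.lookalike.test", ch2) // constructed look-alike
	if err != nil {
		return out, err
	}
	out.WrongOrigin = rp.Verify("alice", ch2, sigLure)
	out.Replayed = rp.Verify("alice", ch2, sig1)
	return out, nil
}

func main() {
	out, err := RunScenario()
	fmt.Printf("%+v %v\n", out, err) // {Genuine:true WrongOrigin:false Replayed:false} <nil>
}
```

Compare the two tables a breached server would yield: the OTP verifier's row holds the same seed the phone uses, so it reproduces every future code, whereas this relying party's row holds a public key that verifies signatures but cannot produce them.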

Deploying True Passwordless MFA has allowed for 300% faster login speeds, a steep drop in fraud and phishing, and reduced friction across the user base.

By combining mobile-initiated login with a powerful FIDO-Certified architecture, the HYPR Cloud Platform is enabling IT leaders across the globe to ditch the password. The best part? It works with their existing IAM infrastructure, meaning there is no need to rip and replace what’s working for you. That makes the separation from passwords painless, less costly, and all the more amicable.