Tag Archives: MFA

Multifactor Authentication Demystified

Multifactor Authentication Demystified

Multifactor authentication (MFA) is an essential security measure that adds another layer of protection to user accounts and systems. There are several methods used for MFA, including SMS, push notifications, phone apps, and hardware tokens. Each of these methods has its own set of pros and cons. However, hardware tokens offer distinct security benefits over the other options.

SMS-based MFA involves sending a one-time password (OTP) to a user’s mobile phone. One advantage of this method is its simplicity and widespread availability, as most people have mobile phones capable of receiving text messages. However, SMS-based MFA has drawbacks. It relies on the security of the mobile network and can be vulnerable to SIM swapping attacks or interception of SMS messages.

Push notifications leverage smartphone applications to deliver authentication prompts. This method offers convenience, as users can simply tap a button on their device to approve or deny access. Push notifications are generally more secure than SMS, as they are not reliant on the phone number or SMS infrastructure. However, they may be susceptible to device compromise, such as malware or phishing attacks. As with SMS, push notifications can become subject to abuse as a result of malicious actors sending an SMS or push notification storm. That would lead to notification fatigue, and it would only take a single mistake, tapping OK instead of Deny, for a malicious actor obtaining access to the account.

Phone apps, such as authenticator apps, generate OTPs that are time-based and tied to a specific user account. They provide a higher level of security compared to SMS or push notifications, as they are not susceptible to interception. However, phone apps still rely on the security of the user’s smartphone. If the device is lost, stolen, or compromised, the security of the MFA method may be compromised as well.

Hardware tokens are physical devices, often in the form of a key fob or a smart card, that generate OTPs or have built-in cryptographic capabilities. Hardware tokens offer the highest level of security among the mentioned options. They are not dependent on the security of a mobile phone or computer, making them immune to malware or phishing attacks targeting these devices. Additionally, hardware tokens are typically resistant to tampering or cloning attempts, providing a high level of assurance. However, hardware tokens can be more costly to deploy and manage compared to other methods.

In summary, while each MFA method has its own advantages and disadvantages, hardware tokens offer distinct security benefits. They provide an extra layer of protection by removing reliance on potentially compromised devices and are resistant to various attack vectors. However, the choice of MFA method should consider factors such as cost, user convenience, and the specific security requirements of the system being protected.

Kind regards

Ever Expanding Defence Perimeter

Even though companies would like to have employees return to the office after the pandemic, the norm of working-from-home or even working-from-anywhere is here to stay. This means that uncontrolled connectivity options are resulting in increasing attack-surfaces where home routers, public Wi-Fi spots, shared personal hotspots and more, are causing headaches for many businesses to secure their end-points.

Many very good end-point security solutions like Crowdstrike, Microsoft and SentinelOne provide an active method of securing endpoints with state-of-the-art software which provide an excellent overview of your overall security state for those end-points.

Continue reading

Reducing MFA/2FA requests on cloud apps


Third party authentication and authorisation providers like okta, azure, gcs or aws often have a trusted connection to the tenants. This sometimes allows that authentication requests via MFA/2FA options can be bypassed as the authentication has already occured from inside the tennants network.
When employees work from remote locations they can set up a VPN to their companies network in one of two modes.

  • Full Tunnel – this causes ALL traffic to travers the VPN to the companies network and then is propagated to their internal server or via firewalls and proxies to the internet.
  • Split Tunnel – Only traffic destined for the subnet routes that get pushed from the vpn server will traverse the vpn tunnel.

The full tunnel setup may be helpful if you only work with systems inside your corporate network. Given the fact vast amount of application are now published in some obscure place called “The Cloud” you basically have no clue where it resides.

I’ve created a script pushed to github (over here) that creates specific routes based on your settings that may result in a reduction on your MFA/2FA requests to be validated.

Have a look at the “README” for more info.