Magazine articles

Protect Yourself With Multi-Factor Authentication – Bitcoin Magazine

August 13, 2023
Linda W. Vargas

This is an opinion editorial by Heidi Porter, an entrepreneur with 35 years in technology.

User security

In previous security and data breach articles, we’ve discussed the need for multi-factor authentication (MFA) on your Bitcoin accounts and any other accounts you want to protect.

Hacks will continue to happen when your account is compromised or people are sent to a malicious site and accidentally download malware instead of verified software.

This will be the first in a series of articles on more resilient user security for your accounts, nodes, and applications. We’ll also cover better email options, better passwords, and better using a Virtual Private Network (VPN).

The reality is that you will never be completely secure in any of your online financial transactions in any system. However, you can implement a more resilient set of tools and best practices for stronger security.

What is multi-factor authentication and why should I care?

(Source)

According to the Cybersecurity and Infrastructure Security Agency, “Multi-factor authentication is a layered approach to securing data and applications where a system requires a user to present a combination of two or more credentials to verify the identity of a user. ‘one user for connection’.

When we log into an online account, we often seek to thwart an attacker or hacker by using additional layers of verification – or locks.

Compared to your own home, multiple locks provide more security. If one form of authentication is good, like a password, then two forms (aka MFA) may be better.

Note that biometric authentication is single factor authentication. It’s just the biometrics of the modality you’re using: thumb, iris, face recognition, etc. If you use a hardware key without a passphrase, this is also single-factor authentication.

Where should I use MFA and what type of MFA?

With MFA, you must have at least two authentication mechanisms.

At a minimum, you must have MFA configured for your:

  • Bitcoin exchanges (but get your funds back as soon as possible after purchase).
  • Bitcoin nodes and miners.
  • Bitcoin and Lightning wallets.
  • Lightning apps, such as RTL or Thunderhub.
  • Cloud providers, such as Voltage accounts.

Note: Each account or app must support the type of MFA you use, and you must register the MFA with the account or app.

MFA providers often include less secure options such as:

  • SMS text messaging.
  • One-time password.
  • Push-based mobile authentication (more secure if managed properly).

MFA providers sometimes also include more secure options such as:

  • Authentication apps.
  • Hardware keys.
  • Smartcard.

Guess what type of MFA most traditional financial institutions use? This is generally one of the less secure MFA options. That said, not all authenticator apps and hardware keys for MFA are created equal.

MFA and marketing misinformation

Let’s first talk about AMF marketing. If your MFA provider is bragging about being 99% or hack-proof, they’re giving multi-factor BS and you should find another provider. All MFAs are hackable. The goal is to have a less hackable, more phishing resistant and more resilient MFA.

Registering a telephone number makes the AMF vulnerable to SIM card swapping. If your MFA does not have a good backup mechanism, this MFA option is vulnerable to loss.

Some MFAs are more hackable.

Some MFAs are more traceable.

Some MFAs can more or less be backed up.

Some MFAs are more or less accessible in certain environments.

MFA less hackable and traceable

Multi-factor authentication is most secure with an authenticator app, smart card, or hardware key, like a Yubikey.

So whether you have app-based or hardware-based MFA, that’s fine, right? Well no. Even if you use app-based or hardware-based MFA, not all authenticator apps and hardware devices are created equal. Let’s take a look at some of the most popular authenticator apps and some of their tracking, hacking, and backup vulnerabilities.

  • Twilio Authy needs your phone number, which could open you up to compromise via SIM card swapping. The initial configuration is SMS.
  • Microsoft Authenticator does not require a phone number, but cannot be transferred to Android as it is backed up to iCloud.
  • Google Authenticator also doesn’t require a phone number, but has no online backup and can only transfer from phone to phone.

Additionally, all of these apps are considered by some to be less resilient and open to phishing or man-in-the-middle (MITM) attacks.

How your accounts and finances can be compromised

“People should use phishing-resistant MFA whenever they can to protect valuable data and systems” – Roger A. Grimes, cybersecurity expert and author of “Hacking Multifactor Authentication”

Just like many financial and data companies, Bitcoin companies have been the target of multiple data breaches where attackers obtained customer email addresses and phone numbers.

Even without these breaches, it’s not particularly difficult to find someone’s email addresses and phone numbers (as mentioned in previous articles, the best practice is to use an email and phone number). separate phones for your bitcoin accounts).

With these emails, attackers can perform phishing attacks and intercept login credentials: both the password and the multi-factor authentication you used as the second authentication factor for one of your accounts .

Let’s take a look at a typical MITM phishing attack process:

  1. You click on a link (or scan a QR code) and you’re taken to a site that looks a lot like the legitimate site you want to access.
  2. You enter your login credentials, then you are prompted for your MFA code, which you enter.
  3. The attacker then captures the access session token for successful authentication on the legitimate site. You might even be directed to the valid site and never know you were hacked (note that the session token is usually only valid for that session).
  4. The attacker then has access to your account.

By the way, make sure MFA is attached to withdrawals to a wallet or exchange. Comfort is the enemy of safety.

Phishing Resistant MFA

To resist phishing, your MFA must be an Authenticator Assurance Level 3 (AAL3) solution. AAL3 introduces several new requirements beyond AAL2, the most important being the use of a hardware authenticator. Several additional authentication features are required:

  • Resistance to verifier impersonation.
  • The verifier compromises the resistance.
  • Authentication intent.

Fast Identity Online 2 (FIDO2) and FIDO U2F are AAL3 solutions. Getting into the details of the different FIDO standards is beyond the scope of this article, but you can read a bit about them in “Your Complete Guide to FIDO, FIDO2, and WebAuthn”. Roger Grimes recommended the following AAL3 level MFA providers in March 2023 in his LinkedIn article “My list of good solid MFAs”.

MFA hardware keys and smart cards

Hardware keys, like Yubikey, are less hackable forms of MFA. Instead of a generated code that you enter, you press a button on your hardware key to authenticate. The hardware key has a unique code which is used to generate codes to confirm your identity as a second authentication factor.

There are two caveats for hardware keys:

  • Your application must support hardware keys.
  • You can lose or damage your hardware key. Many services allow you to configure multiple hardware keys. If you lose use of it, you can use the spare part.

Smart cards are another form of MFA with similar phishing resistance. We won’t go into detail here as they seem to be less likely to be used for Bitcoin or Lightning-related MFA.

Mobile: Tight spaces require hardware devices

Another consideration for multi-factor authentication is whether you would ever be in a situation where you need MFA and can’t use a cellphone or smartphone.

There are two big reasons why this could happen for Bitcoin users:

  • Low or no cell coverage
  • You do not have or cannot use a smartphone

There may be other restrictions on cell phone use due to customer-facing work environments or personal preferences. Call centers, K-12 schools, or high-security environments like research and development labs are areas where phones are restricted and therefore you won’t be able to use your phone authenticator app.

In those special cases where you use a computer and don’t have a smartphone, then you will need a smart card or hardware key for MFA. You would also need your application to support these hardware options.

Also, if you can’t use your cell phone at work, how are you supposed to stack the sats in the restroom on your break?

Towards a more resilient MFA

MFA can be hacked and your accounts can be compromised. However, you can better protect yourself with a more resilient, phishing-resistant MFA. You can also choose an MFA that is not tied to your phone number and has an adequate backup mechanism or the ability to have a spare key.

Continuous defense against cyberattacks is a continuous game of cat and mouse or molestation. Your goal should be to become less hackable and less trackable.

Additional Resources:

This is a guest post by Heidi Porter. The opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc. or Bitcoin Magazine.