Protect yourself with multi-factor authentication – Bitcoin Magazine
This is an opinion editorial by Heidi Porter, an entrepreneur with 35 years in technology.
User security
In previous security and hacking articles, we discussed the need for multi-factor authentication (MFA) on your Bitcoin accounts and any other accounts you want to protect.
Hacks will continue to happen where your account is compromised or people are sent to a malicious website and accidentally download malware instead of verified software.
This will be the first in a series of articles on more robust user security for your accounts, nodes, and apps. We’ll also cover better email options, better passwords, and better use of a virtual private network (VPN).
The reality is that you will never be completely secure in any of your online financial transactions in any system. However, you can implement a more robust toolset and best practices for stronger security.
What is multi-factor authentication and why do I care?
According to the Cybersecurity and Infrastructure Security Agency, “Multi-factor authentication is a layered approach to securing data and applications where a system requires a user to present a combination of two or more credentials to verify a user’s identity for login.”
When we log into an online account, we often aim to thwart an attacker or hacker by using extra layers of verification – or locks.
Just as with your own home, multiple locks provide more security. If one form of authentication is good, such as a password, two forms (aka MFA) may be better.
Note that biometric authentication is one-factor authentication. It’s just the biometric of whatever modality you’re using: thumb, iris, facial recognition, etc. If you’re using one hardware key without a passphrase, that’s also single-factor authentication.
Where should I use my MFA and what kind of MFA?
With MFA, you must have at least two authentication mechanisms.
At a minimum, you should have the MFA set up for:
- Bitcoin exchange (but get your money out of them ASAP after purchase).
- Bitcoin Nodes and Miners.
- Bitcoin and Lightning wallets.
- Lightning apps, such as RTL or Thunderhub.
- Cloud providers, such as Voltage accounts.
Note: Each account or application must support the type of MFA you are using, and you must register MFA with the account or application.
MFA providers often include less secure options such as:
- SMS text messages.
- One-time password.
- Mobile push-based authentication (more secure if managed correctly).
MFA providers sometimes also include more secure options such as:
- Authentication apps.
- Hardware keys.
- Smart card.
Guess what type of MFA most legacy financial institutions use? It is usually one of the less secure MFA options. That said, not all authenticator apps and hardware keys for MFA are created equal.
MFA and marketing misinformation
First, let’s talk about the marketing of the MFA. If your MFA provider touts themselves as unhackable or 99% unhackable, they are spouting multi-factor BS and you should find another provider. All MFA is hackable. The goal is to have a less hackable, more phishing-resistant, more resilient MFA.
Registering a phone number makes MFA vulnerable to SIM swapping. If your MFA does not have a good backup mechanism, that MFA option is vulnerable to loss.
- Some MFAs are more hackable than others.
- Some MFAs are more traceable than others.
- Some MFAs can be backed up more easily than others.
- Some MFAs cannot be used in certain environments.
Less hackable and traceable MFA
Multi-factor authentication is more securely achieved with an authentication app, smart card or hardware key, such as a Yubikey.
So if you have an app-based or hardware MFA, you’re good, right? Well no. Even if you use app-based or hardware MFA, not all authentication apps and hardware devices are created equal. Let’s look at some of the most popular authentication apps and some of their tracking, hacking, and backup vulnerabilities.
- Twilio Authy requires your phone number, which can open you up to SIM swap compromises. The first setup is SMS.
- Microsoft Authenticator does not require a phone number, but cannot be transferred from an iPhone to Android because its backup is stored in iCloud.
- Google Authenticator also does not require a phone number, but does not have online backup and can only be transferred from one phone to another.
Additionally, all of these apps are considered by some to be less resilient and open to phishing or man-in-the-middle (MITM) attacks.
How your accounts and finances can be compromised
“People should use phishing-resistant MFA whenever they can to protect valuable data and systems” – Roger A. Grimes, cybersecurity expert and author of “Hacking Multifactor Authentication”
Just like many financial and IT companies, Bitcoin companies have been the target of several data breaches where attackers have obtained customer email addresses and phone numbers.
Even without these violations, finding someone’s email addresses and phone numbers is not particularly difficult (as mentioned in previous articles, best practice is to use a separate email and phone number for your Bitcoin accounts).
With these emails, attackers can conduct phishing attacks and intercept the login credentials: both passwords and multi-factor authentication you’ve used as a second authentication factor for all your accounts.
Let’s take a look at a typical MITM phishing attack process:
- You click on a link (or scan a QR code) and you’re taken to a site that looks very similar to the legitimate site you want to access.
- You enter your login information and are then prompted for your MFA code, which you enter.
- The attacker then captures the access session for successful authentication to the legitimate website. You might even be redirected to the valid site and never know you’ve been hacked (note that the session token is usually only good for the one session).
- The attacker then has access to your account.
As an aside, make sure you have MFA associated with withdrawals on a wallet or exchange. Convenience is the enemy of security.
Phishing-resistant MFA
To be resistant to phishing, your MFA should be an Authenticator Assurance Level 3 (AAL3) solution. AAL3 introduces several new requirements beyond AAL2, the most important of which is the use of a hardware-based authenticator. Several additional authentication properties are also required:
- Verifier Impersonation Resistance.
- Verifier compromise resistance.
- Authentication purpose.
Fast Identity Online 2 (FIDO2) and FIDO U2F are AAL3 solutions. Going into the details of the various FIDO standards is beyond the scope of this article, but you can read a bit about it at “Your Complete Guide to FIDO, FIDO2 and WebAuthn.” Roger Grimes recommended the following AAL3-level MFA providers in March 2022 in his LinkedIn article “My List of Good Strong MFA.”
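The MITM walkthrough above and the "verifier impersonation resistance" property can be seen side by side in code. This is an added example, not the article's or any vendor's code: it runs the relay flow against a real RFC 6238 TOTP and against a WebAuthn-style assertion, using HMAC as a stand-in for the authenticator's per-site key pair; the two origins are constructed sample values.

```python
"""Why a relayed TOTP code verifies but a relayed FIDO2/WebAuthn assertion
does not: the authenticator signs over the origin the browser saw.
Simplification (assumption): HMAC with a per-credential secret stands in
for the ECDSA key pair a real authenticator would use."""
import hashlib, hmac, secrets, struct

LEGIT_ORIGIN = "https://exchange.example"      # constructed sample origin
PHISH_ORIGIN = "https://exchange-example.com"  # constructed lookalike origin

# --- TOTP (RFC 6238): the code depends only on the secret and the time ---
def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp_verifier_accepts(secret: bytes, code: str, at: int) -> bool:
    # The verifier has no way to know which site the user typed the code into.
    return hmac.compare_digest(totp(secret, at), code)

# --- WebAuthn-style assertion: the browser, not the user, supplies origin --
def authenticator_sign(cred_secret: bytes, challenge: bytes, origin: str) -> bytes:
    # Real authenticators sign a hash of client data that commits to the
    # origin the browser observed; that binding is what is modelled here.
    client_data = hashlib.sha256(challenge + origin.encode()).digest()
    return hmac.new(cred_secret, client_data, hashlib.sha256).digest()

def webauthn_verifier_accepts(cred_secret: bytes, challenge: bytes, sig: bytes) -> bool:
    # The legitimate verifier checks against its own origin, never the attacker's.
    expected = authenticator_sign(cred_secret, challenge, LEGIT_ORIGIN)
    return hmac.compare_digest(expected, sig)

def compare_factors_under_relay(now: int) -> dict:
    """Run the article's MITM flow for both factors and report what the
    legitimate verifier accepts."""
    totp_secret, cred_secret = secrets.token_bytes(20), secrets.token_bytes(32)
    # TOTP: the user types the code on the lookalike site; the proxy forwards it.
    code_typed_on_phish = totp(totp_secret, now)
    totp_relayed = totp_verifier_accepts(totp_secret, code_typed_on_phish, now)
    # WebAuthn: the proxy forwards the real challenge, but the browser on the
    # lookalike site signs over PHISH_ORIGIN, so the verifier rejects it.
    challenge = secrets.token_bytes(32)
    sig_on_phish = authenticator_sign(cred_secret, challenge, PHISH_ORIGIN)
    sig_on_legit = authenticator_sign(cred_secret, challenge, LEGIT_ORIGIN)
    return {
        "totp_relayed": totp_relayed,
        "webauthn_relayed": webauthn_verifier_accepts(cred_secret, challenge, sig_on_phish),
        "webauthn_direct": webauthn_verifier_accepts(cred_secret, challenge, sig_on_legit),
    }
```

The TOTP function is checked against the RFC 6238 SHA-1 test vector, so the "relayed code accepted" result is not an artefact of a toy implementation.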
MFA hardware keys and smart cards
Hardware keys, such as the Yubikey, are less hackable forms of MFA. Instead of typing in a generated code, you press a button on the dongle to authenticate. The hardware key holds a unique secret that it uses to generate the responses that verify your identity as a second factor of authentication.
There are two caveats to hardware keys:
- Your app must support hardware keys.
- You may lose or damage the hardware key. Many services allow you to configure more than one hardware key. If you lose the use of one, you can use the spare.
Smart cards are another form of MFA with similar phishing resistance. We won’t go into the details here, as they seem less likely to be used for Bitcoin or Lightning-related MFA.
Mobile: Limited slots require hardware devices
Another consideration for multi-factor authentication is whether you’ll ever be in a situation where you need MFA and can’t use a cell phone or smartphone.
There are two major reasons why this can happen for bitcoin users:
- Low or no cell coverage
- You do not have or cannot use a smartphone
There may be other restrictions on mobile phone use due to customer-facing work environments or personal preferences. Call centers, elementary schools, or high-security environments such as research and development labs are some areas where phones are restricted, so you won’t be able to use your phone’s authenticator app.
In these special cases where you use a computer and don’t have a smartphone, you need a smart card or hardware key for MFA. You also need your application to support these hardware options.
Also, if you can’t use your cell phone at work, how are you going to stack sats on the toilet during your break?
Towards more robust MFA
MFA can be hacked and your accounts can be compromised. However, you can better protect yourself with more resilient and phishing-resistant MFA. You can also choose MFA that is not linked to your phone number and that has an adequate backup mechanism or the ability to have a spare key.
Ongoing defense against cyberattacks is a continuous game of cat-and-mouse, or whack-a-mole. Your goal should be to become less hackable and less traceable.
Additional Resources:
This is a guest post by Heidi Porter. Opinions expressed are entirely their own and do not necessarily reflect the opinions of BTC Inc. or Bitcoin Magazine.