2.1 Multi-factor Authentication
Basics
Many districts are exploring - or have implemented - the use of multi-factor authentication for added security. This is a multi-step login process that requires users to verify themselves with more information than just a password.
Terms to Know
You should know the following terms:
- Multi-factor Authentication (MFA)
- Authentication app
- MFA Prompt Bombing
- SIM-swapping
Information
The Value of Multi-factor Authentication
Strong passwords are an important first step in combating security risks on your network, but even though you may follow guidelines to generate strong passwords, you can’t guarantee everyone on your network will be as diligent. Usernames and passwords alone aren’t enough, as witnessed by the rise in identity theft and malicious attacks against school networks. Verizon's 2022 Data Breach Investigations Report notes that more than 80 percent of account breaches could be attributed to stolen credentials (username and passwords), with more than 90 percent of these incidents involving web applications. The report calls it “one of the most tried-and-true methods to gain access to an organization for the past four years.” The report notes that attackers steal credentials through brute force attacks using automation to crack passwords, malware, reused passwords from other sites that have been breached, and social attacks such as phishing.
You may already use a variety of resources that require an additional step to verify your identity. Two-Factor Authentication (2FA) requires exactly two factors, while Multi-Factor Authentication (MFA) requires at least two, so all 2FA is MFA, but not all MFA is 2FA. On commercial websites and services, you may already do this by entering a password and then a code texted to your phone. Schools have multiple options, and you need to understand the MFA procedures your district employs and your obligations for implementing or supporting them.
MFA strategies are often described as belonging to one of three categories:
- Something you know. Besides the password itself, this can be the answers to secret questions you chose when creating the account. Strictly speaking, a password plus a secret question is two instances of the same factor, so it adds far less protection than a true second factor, and secret questions are especially weak when they ask for information that is easy to look up, such as a mother’s maiden name, the last four digits of a Social Security number, a pet’s name, or a street name. If a system still relies on such questions, you can make them harder to guess by giving a false answer; as long as you record the answer you gave (for example, in a password manager), it does not matter whether it is true.
- Something you have. For personal accounts this is usually a phone that a service can text, call, or reach through an authenticator app. In schools, some staff may not want to use a personal phone to verify their identity. Districts can instead issue physical tokens, such as smart cards, key fobs, or USB security keys. Because many schools already require identification badges, a smart card on a lanyard is something most staff and students already carry.
- Something you are. This third category of MFA relies on some type of biometric identification. Computers and phones have used fingerprint and facial recognition for years. It’s not too far-fetched to consider biometric identification in schools, as many schools have been using fingerprints or other biometrics to identify students in cafeterias and on buses for many years.
You should understand which types of MFA your district supports and your role in responding to MFA-related requests. Does your district provide physical MFA resources for staff, such as smart cards or USB security keys? Does it use authenticator apps, such as Google or Microsoft Authenticator, Duo, or other app-based tools? Some districts follow a tiered approach, starting with MFA for employees whose accounts have administrative access to financial, student information, communication, IT, and security systems (COSN Cybersecurity Toolkit). Because text-message codes can be intercepted by SIM-swapping and simple approve/deny pop-ups can be approved by a worn-down user (both described below), authenticator apps, USB security keys, and biometrics are considered stronger MFA than text codes and push notifications. You should know what your district requires and how to support it.
Entry-level technicians may be asked to support MFA by logging in to test accounts before and after MFA is enabled to confirm that it works. You may also be asked to reset MFA when a second factor changes, for example when an employee gets a new phone or physical token or their account information is updated. Follow the standard operating procedure strictly and verify the identity of anyone requesting a credential or MFA change: an MFA reset is exactly what an attacker who already holds a user’s password needs, so a convincing call to the help desk is a common way around MFA.
Attacks on Multi-factor Authentication
Simply setting up MFA is not sufficient to prevent attackers from compromising your users and obtaining their credentials. Several known cybersecurity risks target MFA systems. You should understand and recognize these attempts as well as keep abreast of new risks as they are identified.
MFA Prompt Bombing (also called MFA fatigue) is used by an attacker who already has a user’s password but cannot complete the second factor. The attacker repeatedly attempts to sign in with the stolen password; each attempt sends a push notification to the user’s registered device asking them to approve the login. The attempts may come late at night or in rapid succession so that the user approves one just to stop the prompts, or assumes the notifications are a glitch. Some attackers also call or message the user posing as IT support and ask them to accept the prompt. Once a single prompt is approved, the attacker is signed in and can usually register their own device as a trusted MFA method, giving them persistent access to the account. Authenticator apps that use number matching (the user must type a number shown on the login screen into the app) defeat simple approve/deny bombing, because a user who is not actually logging in has no number to enter.
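As an added example (not part of the original module), the following Python flags the prompt-bombing pattern just described in sign-in logs: several denied or unanswered push prompts for one user within a short window, and, worse, an approval shortly after that burst. The log format, field names, threshold and window are constructed assumptions, not any identity provider's real export schema; adapt parse_log to whatever your district's system produces.

```python
"""Added example (not from the original module): detect MFA prompt bombing in
sign-in logs. SAMPLE_LOG is constructed sample data in an assumed format:
ISO timestamp, username, source IP, push result."""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-04T02:11:05Z jdoe 203.0.113.7 push_denied
2024-03-04T02:11:41Z jdoe 203.0.113.7 push_timeout
2024-03-04T02:12:20Z jdoe 203.0.113.7 push_denied
2024-03-04T02:13:02Z jdoe 203.0.113.7 push_timeout
2024-03-04T02:13:55Z jdoe 203.0.113.7 push_approved
2024-03-04T08:30:10Z asmith 198.51.100.4 push_timeout
2024-03-04T08:45:12Z asmith 198.51.100.4 push_approved
"""

# Assumed tuning: alert on this many unapproved pushes inside the window.
THRESHOLD = 3
WINDOW = timedelta(minutes=10)
UNAPPROVED = {"push_denied", "push_timeout"}


def parse_log(text):
    """Turn the assumed four-field log lines into (time, user, ip, result)."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or malformed line
        ts, user, ip, result = parts
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       user, ip, result))
    return events


def detect_prompt_bombing(events, threshold=THRESHOLD, window=WINDOW):
    """Return {user: finding} for every user who received at least
    `threshold` unapproved pushes within `window`. `approved_after_burst`
    is True when the user then approved a push within the window of the
    burst: treat that as a probable compromise (force sign-out, reset the
    password and MFA), not just an annoyed user."""
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)

    findings = {}
    for user, evs in by_user.items():
        recent = []        # times of unapproved pushes inside the sliding window
        burst_end = None   # time of the last unapproved push in a detected burst
        for ts, _, ip, result in evs:
            if result in UNAPPROVED:
                recent.append(ts)
                recent = [t for t in recent if ts - t <= window]
                if len(recent) >= threshold:
                    burst_end = ts
                    finding = findings.setdefault(
                        user, {"source_ip": ip, "approved_after_burst": False})
                    finding["unapproved"] = len(recent)
            elif (result == "push_approved" and burst_end is not None
                  and ts - burst_end <= window):
                findings[user]["approved_after_burst"] = True
    return findings


if __name__ == "__main__":
    for user, finding in detect_prompt_bombing(parse_log(SAMPLE_LOG)).items():
        print(user, finding)
```

A single timeout followed by an approval (asmith in the sample) is normal behaviour and is not flagged; the detector only cares about the burst, and it escalates when the burst ends in an approval.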
Your end users face other attacks on their MFA, some of which they may not notice until it is too late. The FBI has warned about SIM-swapping, in which a criminal contacts a mobile carrier’s customer service, impersonates the victim (often armed with personal details gathered from social media or earlier breaches), and convinces the representative to move the victim’s phone number to a SIM card the attacker controls, for example by claiming the original phone was lost or damaged. A SIM card is what ties a phone to a subscriber’s number on the carrier’s network, so once the swap goes through the victim’s phone loses service and the attacker’s phone receives all of the victim’s calls and text messages, including one-time codes sent by SMS. The attacker can then reset passwords and take over any online account that relies on that phone number, such as a district email or cloud storage account. This is the main reason text-message codes are considered weaker than an authenticator app or security key.
Your users can reduce their exposure to these attacks by being judicious about what they share online and on social media and by keeping Personally Identifiable Information (PII) private, since that information is what an attacker uses to impersonate them to a carrier or help desk. They should also learn to recognize phishing attempts, fake websites, disguised emails and URLs, and other common cyber attacks.
Additional Resources
Here are additional resources you may find useful:
- MFA Enhancement Guide. Cybersecurity & Infrastructure Security Agency.
- Google 2-Step Verification
- Microsoft's guide on Security info & security codes
- Duo Guide on Two-Factor Authentication
- Authy Guide on What Is 2FA
Task/Self-Assessment
Complete the following task or self-assessment:
Know the standard operating procedures you must follow for keeping user credentials secure and, if necessary, changing them. Know the steps you must take to verify a user and how you can securely share their information before changing any aspect of their credentials. Imagine a staff member or student who needs help setting up two-factor authentication for their email account or district login. Some people may not understand the need for MFA. Create a step-by-step guide to assist the user in this process. It can be a document, short video, or infographic. Your guide should be targeted at the age and experience of the audience you’ve selected and should include the following:
- An explanation of any terms or concepts the user needs to understand before setting up MFA;
- Detailed step-by-step directions on enabling MFA in your district’s account management or email system; and
- Any advice or tips on how the user should maintain their MFA (e.g., updating their mobile device number if it changes).