Multi-factor authentication (MFA) is a form of verification that allows a user to securely log into a password-protected account and has become a popular cyber insurance minimum requirement in recent years. These types of authentication can be used in tandem with an already existing password as a means of enhancing safety. MFAs simply require users to further prove their identity before gaining access to an account.
To prove which form of MFA resulted in the least amount of account takeovers, Coinbase, a leading crypto exchange platform, conducted a search by analyzing their user’s account takeovers. The study suggests that some forms of MFA are more effective than others. This article will explore how and why that is.
What is Multi-Factor Authentication (MFA)?
The process of multi-factor authentication helps websites determine that the correct person is
trying to gain access. There are three types of authentication:
- something you know
- something you have
- something you are
Something you know is simply the use of a password or code. Something you have is the use of a physical object to gain access to an account, such as a key or a USB. Something you are is the hardest to crack because it cannot be replicated, like facial recognition or a fingerprint. Within the first two forms of authentication, there is an abundance of different methods known as multi-factor authentication.
Different Types of MFA
There are quite a few different types of multi-factor authentication methods and each has its strengths and weaknesses. Some of the most popular forms are SMS/text-based codes, time-based one-time passwords (TOTP), push-based authentication, and physical security keys (FIDO).
SMS/Text-Based Codes
SMS or Text-Based Code is a very popular type of multi-factor authentication because it is easy and convenient to use. This form of MFA requires no additional hardware or software in order to prove authentication, all you need is a phone that receives text messages. SMS works by sending you a text message with a time-sensitive code that you enter upon logging in to your account. The problem with this form of authentication is that SIM cards and phone numbers can be cloned or hijacked. Hackers can access your phone’s text messages and gain access to your MFA code, granting them access to your account. The percentage of account takeovers with this method of multi-factor authentication is 95.65%.
Time-Based One-Time Passwords (TOTP)
Time-based One-Time Password or TOTP is a multi-factor authentication that works by generating randomized, unique numeric time-based passwords that the user then inputs into their account in order to log in. This type of authentication offers high protection with an account takeover percentage of 4.13%. But with every MFA there are always downsides. In the case of TOTP, another app must be downloaded to access the numeric password, meaning that the user must have a smartphone on hand. Additionally, the need to download an app makes this MFA method vulnerable to malware or user error by accidentally approving an illegitimate login attempt.
Push-Based Authentication
Push-based authentication is a type of passwordless multi-factor authentication method. It requires the user to approve a push notification that appears on the user’s mobile device. The push notification is sent by the service provider and once approved by the user they are granted access to log in. This type of MFA has an account takeover percentage of .18%.
The downside here is that hackers have targeted users, having them unknowingly approve a push notification for a login request or a transaction. In some cases, this type of attack is called MFA bombing. You can read more about this term in our 2023 Glossary of Cyber Insurance Terms.
Physical Security Keys
The most secure form of multi-factor authentication is security keys. This has an account takeover percentage of .04%. Often referred to as FIDO, this method of authentication requires a physical security key that you insert into a device for authentication. The key is quite small, usually the size of a flash drive, and it cannot be copied making it extremely secure. While it is the most effective, it has the most obvious weakness out of any MFA method, it can get lost or stolen since it is a physical object after all.
To conclude, the Coinbase case study indicated that their users have had the lowest percentage of account takeovers with the FIDO or security key multi-factor authentication method. FIDO is the most secure MFA method because it involves authenticating a device with a physical key… just make sure your insureds don’t misplace it.
It is important for cyber insurance brokers and underwriters to be able to accurately determine the level of protection that their insureds’ MFA has when filling in policy application forms and calculating the potential risk that issuing a policy would add to a carrier’s portfolio.