This is an opinion editorial by Heidi Porter, an entrepreneur with 35 years in technology.
Hacks will continue to happen where your account is compromised or people are sent to a nefarious site and accidentally download malware instead of verified software.
This will be the first in a series of articles around more resilient user security for your accounts, nodes and apps. We’ll also cover better email options, better passwords and better use of a virtual private network (VPN).
The reality is that you’ll never be completely secure in any of your online financial transactions in any system. However, you can implement a more resilient toolset and best practices for stronger security.
What Is Multi-Factor Authentication And Why Do I Care?
According to the Cybersecurity and Infrastructure Security Agency, “Multi-factor authentication is a layered approach to securing data and applications where a system requires a user to present a combination of two or more credentials to verify a user’s identity for login.”
When we log into an online account, we’re often aiming to thwart an attacker or hacker using extra layers of verification — or locks.
Compared to your own home, multiple locks give more security. If one form of authentication is good, such as a password, then two forms (aka MFA) can be better.
Note that if you ONLY use biometric authentication, that is single-factor authentication. It’s just the biometric of whatever modality you’re using: thumb, iris, face recognition, etc. If you use 1 hardware key without a passphrase, that is also single-factor authentication.
However, if a biometric or key is used as a 2nd factor, it can meet the goal of multifactor authentication and be more secure than many app-based MFA.
With MFA, you must use at least 2 of these 3 authentication mechanisms:
- Something you know (password, PIN, etc)
- Something you have (code, device)
- Something you are (fingerprint or other biometric)
Where Should I Use MFA And What Kind Of MFA?
With MFA, you must have at least two authentication mechanisms.
If or when they eventually support MFA, at a minimum, you should have MFA set up for your:
- Bitcoin exchanges (but get your funds off them ASAP after buying).
- Bitcoin nodes and miners.
- Bitcoin and Lightning wallets.
- Lightning apps, such as RTL or Thunderhub.
- Cloud providers, such as Voltage accounts.
Note: Each account or application needs to support the type of MFA that you are using and you must register the MFA with the account or application.
MFA providers often include less secure options such as:
- SMS, Phone, or E-mail One-time passwords (OTPs) or Time-based One-Time Passwords (TOTP)
- Mobile push-based authentication (more secure if managed properly).
MFA providers sometimes also include more secure options such as:
- Authenticator apps.
- Biometric verification.
- Hardware keys.
- Smart cards.
Guess what type of MFA most legacy financial institutions use? It’s usually one of the less secure MFA options. That said, authenticator apps and hardware keys for MFA are not all created equal.
MFA And Marketing Misinformation
First, let’s talk about the marketing of MFA. If your MFA provider touts itself as unhackable or 99% unhackable, they are spouting multi-factor B.S. and you should find another provider. All MFA is hackable. The goal is to have a less hackable, more phishing resistant, more resilient MFA.
Registering a phone number leaves the MFA vulnerable to SIM-swapping. If your MFA does not have a good backup mechanism, then that MFA option is vulnerable to loss.
Some MFA is more hackable.
Some MFA is more trackable.
Some MFA is more or less able to be backed up.
Some MFA is more or less accessible in some environments.
Less Hackable and Trackable MFA
Multi-factor authentication is more securely accomplished with an authenticator app, smart card or hardware key, like a Yubikey.
So if you have an app-based or hardware MFA, you’re good, right? Well, no. Even if you are using app-based or hardware MFA, not all authenticator apps and hardware devices are created equal. Let’s look at some of the most popular authenticator apps and some of their vulnerabilities with tracking, hacking and backing up.
- Twilio Authy requires your phone number, which could open you up to compromise via SIM-card-swap. Initial setup is SMS. Note: How comfortable are you with Authy given the recent internal data breach at Twilio?
- Microsoft Authenticator doesn’t require a phone number, but can’t transfer to Android as it is backed up to iCloud.
- Google Authenticator also doesn’t require a phone number, but does not have online backup and is only able to transfer from one phone to another.
In addition, all of these apps are considered by some to be less resilient and open to phishing or man-in-the-middle (MITM) attacks.
How Your Accounts And Finances Can Be Compromised
“People should use phishing-resistant MFA whenever they can to protect valuable data and systems” – Roger A. Grimes, cybersecurity expert and author of “Hacking Multifactor Authentication”
Just like many financial and data companies, Bitcoin companies have been the target of multiple data breaches where attackers have obtained email addresses and phone numbers of customers.
Even without these breaches, it’s not especially hard to find someone’s email addresses and phone numbers (as mentioned in previous articles, best practice is to use a separate email and phone number for your Bitcoin accounts).
With these emails, attackers can perform phishing attacks and intercept the login credentials: both password and multi-factor authentication you have used as a second authentication factor for any of your accounts.
Let’s take a look at a typical MITM phishing attack process:
- You click a link (or scan a QR code) and you are sent to a site that looks very similar to the legitimate site you want to access.
- You type in your login credentials and then are prompted for your MFA code, which you type in.
- The attacker then captures the access session token for successful authentication to the legitimate site. You might even be directed to the valid site and never know that you have been hacked (note that the session token is usually only good for that one session).
- Attacker then has access to your account.
As an aside, be sure you have MFA attached to withdrawals on a wallet or exchange. Convenience is the enemy of security.
To be resistant to phishing, your MFA should be an Authenticator Assurance Level 3 (AAL3) solution. AAL3 introduces several new requirements beyond AAL2, the most significant being the use of a hardware-based authenticator. There are several additional authentication characteristics that are required:
- Verifier impersonation resistance.
- Verifier compromise resistance.
- Authentication intent.
Fast Identity Online 2 (FIDO2) is an AAL3 solution. Going into the details about the different FIDO standards are beyond the scope of this article, but you can read a bit about it at “Your Complete Guide to FIDO, FIDO2 and WebAuthn.” Roger Grimes recommended the following AAL3-level MFA providers in March 2022 in his LinkedIn article “My List of Good Strong MFA.”
Important Note: Although I have not looked into all of these for my personal use, I believe any Bitcoin builder or Bitcoin company SHOULD ask their third-party providers or integration providers to provide details about what kind of MFA provider they use and ensure that it is phishing-resistant.
MFA Hardware Keys And Smart Cards
Hardware keys, like Yubikey, are less hackable forms of MFA. In addition, your phone number is not tied to the key, so it is less trackable. (I use Yubikey). Instead of a generated code that you enter, you press a button on your hardware key to authenticate. The hardware key has a unique code that is used to generate codes to confirm your identity as a second factor of authentication.
There are two caveats for hardware keys:
- Your app needs to support hardware keys.
- You can lose or damage your hardware key. Many services do allow you to configure more than one hardware key. If you lose the use of one, you can use the spare.
Smart cards are another form of MFA with similar phishing resistance. We won’t get into the details here as they seem to be less likely to be used for Bitcoin or Lightning-related MFA.
Mobile: Restricted Spaces Require Hardware Devices
Another consideration for multi-factor authentication is whether you would ever be in a situation where you need MFA and cannot use a cell phone or smartphone.
There are two big reasons this could happen for bitcoin users:
- Low or no cell coverage
- You don’t have or can’t use a smartphone
There can be other restrictions on cell phone use due to customer-facing work environments or personal preference. Call centers, K-12 schools or high-security environments like research and development labs are some areas where phones are restricted and you would therefore be unable to use your phone authenticator app.
In these special cases where you are using a computer and don’t have a smartphone, you would then need a smart card or hardware key for MFA. You would also need your application to support these hardware options.
Also, if you cannot use your cellphone at work, how are you supposed to stack sats in the restroom on your break?
Toward More Resilient MFA
MFA can be hacked and your accounts can be compromised. However, you can better protect yourself with more resilient and phishing-resistant MFA. You can also choose MFA that is not tied to your phone number and has an adequate back-up mechanism or ability to have a spare key.
Ongoing defense against cyber attacks is a continuing game of cat-and-mouse, or whack-a-mole. Your goal should be to become less hackable and less trackable.
- “Multi-Factor Authentication”
- “Digital Identity Guidelines”
- “Don’t Use Easily Phishable MFA and That’s Most MFA”
- “Hacks That Bypass Multi-Factor Authentication and How to Make Your MFA Solution Phishing Resistant”
- “Best practices for securing mobile-restricted environments with MFA”
This is a guest post by Heidi Porter. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc. or Bitcoin Magazine.