In recent years, two-factor authentication (2FA) has replaced single-factor authentication, which only required users to provide a username and password to access their accounts. Today, 2FA is one of the most relied-upon security measures: before a user is logged in, they must present more than one form of identification.
However, events like the 2020 Twitter hack and the recent Uber cyberattack have shown that even sophisticated 2FA deployments can be compromised.
What is Two-Factor Authentication?
Two-factor authentication is a security measure that requires two forms of identification before granting access to resources and data. When used correctly, it is a more secure form of verification than its predecessor, single-factor authentication, which relied on usernames and passwords alone to secure resources, data, and user accounts.
With 2FA, users first provide the username and password they normally use to access their accounts or data. After the first factor is verified, they are prompted for a second factor, such as a security token, biometric data, or a one-time security code sent to their mobile phone. If a user passes the first step (username and password) but fails to provide a valid second factor, access to the system is denied.
Types of Authentication Factors
As stated above, after completing the first phase required to access an account or computer system, users are prompted for a second authentication factor to verify their identity. The most commonly used 2FA factors are:
1. Possession Factor: This type of authentication factor uses something the user has. Examples include a mobile phone, a security token, or a digital ID card that can be swiped to approve authentication requests. This is the most common form of 2FA.
2. Knowledge Factor: This type of factor asks for something only the user knows. A good example is when a message is sent to you and you are required to enter the security code. Personal identification numbers (PINs) also fall into this category.
3. Location Factor: In this type of 2FA, the location from which the user is trying to access data determines whether access is granted. For instance, users may be denied access if they are not on the premises of a given network. The method also uses Global Positioning System (GPS) data and Internet Protocol (IP) addresses to decide whether to grant access. In most cases, this form of 2FA is automatic, and no action from the user is required.
4. Biometric Factor: This method is also commonly referred to as the inherence factor. It uses a user’s physical attributes, such as thumbprints, eyes, or faces, to grant access to data or accounts. The method has become extremely popular in recent years because it prevents cybercriminals from launching attacks remotely.
5. Time Factor: In this type of authentication, users are granted access only during a limited time window that administrators control. Access to the system and its data is blocked outside that period, making it very practical for businesses that work 9 to 5.
How is Two-Factor Authentication compromised?
In the recent past, we have seen multiple attacks that compromised 2FA and gained access to entire systems. So although these methods are safer alternatives, they are still open to attack. Below are some methods that can be used to compromise your veterinary practice’s 2FA policies:
1. Multi-Factor Authentication (MFA) fatigue: Two-factor authentication requires users to present two types of authentication and is the most common form; multi-factor authentication requires at least two types. Otherwise the two are very similar, so MFA fatigue applies to 2FA as well. In this attack, users are bombarded with requests to approve the second phase of authentication. After hours of constant prompts, users are worn down, and cybercriminals get their way by tricking them into approving a request just to make the prompts stop. The method was used in the recent Uber 2FA cyberattack.
2. SMS-based man-in-the-middle: One of the most commonly used 2FA methods is a one-time security code sent by text message. Unfortunately, it is also one of the least safe, as cybercriminals can compromise smartphones or have the phone number temporarily assigned to a phone under their control. Text messages on your phone can then be read by cybercriminals determined to compromise your computer systems.
3. Server-side forgeries: The recent Microsoft Exchange Server compromise was a perfect example of how authentication can be disabled using server-side forgeries. In this type of attack, cybercriminals use server-side request forgery and arbitrary file write bugs to nullify authentication and verification requests altogether.
4. Pass-the-cookie attacks: Most websites use cookies so that you don’t need to log in every time you visit. Unfortunately, if cybercriminals obtain these cookies, they can use them to access your account without logging in at all.
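As an added illustration of the MFA-fatigue pattern described in item 1 (example code, not from the original article), the following Python flags accounts that receive a burst of unapproved push prompts and records whether the burst ended in an approval. The log format, field names and thresholds are assumptions; the sample log is constructed.

```python
# MFA-fatigue (push-bombing) detector: an added example, not the article's own.
# Log format, field names and thresholds are assumptions; the sample log is
# constructed, one push-prompt outcome per line as "timestamp user result".
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2023-09-15T02:00:05Z alice denied
2023-09-15T02:00:41Z alice denied
2023-09-15T02:01:12Z alice timeout
2023-09-15T02:01:50Z alice denied
2023-09-15T02:02:33Z alice denied
2023-09-15T02:03:07Z alice approved
2023-09-15T17:30:10Z bob denied
2023-09-15T17:30:55Z bob approved
2023-09-15T22:10:00Z carol timeout
2023-09-15T22:10:40Z carol timeout
2023-09-15T22:11:20Z carol timeout
2023-09-15T22:12:00Z carol timeout
"""

def parse_events(text):
    """Yield (timestamp, user, result) tuples from the constructed log."""
    for line in text.splitlines():
        ts, user, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result

def find_push_bombing(text, threshold=4, window=timedelta(minutes=10)):
    """Flag users with `threshold` or more unapproved prompts inside `window`.
    approved_after=True means the burst ended in an approval (the outcome the
    attacker wants); False means the bombardment is still ongoing."""
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts
    alerts = {}
    for ts, user, result in sorted(parse_events(text)):
        q = recent[user]
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if result == "approved":
            if len(q) >= threshold:
                alerts[user] = {"prompts": len(q), "approved_after": True}
            q.clear()  # a normal approval ends the burst
        else:
            q.append(ts)
            if len(q) >= threshold:
                alerts[user] = {"prompts": len(q), "approved_after": False}
    return alerts

if __name__ == "__main__":
    print(find_push_bombing(SAMPLE_LOG))
```

Bob's single denial followed by an approval is normal behaviour and is not flagged; in a real deployment the alert on carol (prompts still unapproved) is the one to act on before the user gives in.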
What Veterinary Practices Need to Do
As shown above, cybercriminals can still access your veterinary practice’s computer systems and accounts despite 2FA. Fortunately, most of the methods used to compromise 2FA can be addressed through proper training, keeping the software and hardware used in your veterinary practice updated, and using a firewall to prevent remote access to your computer systems. Seeking professional help with your cybersecurity can also address 2FA compromise.
Need help protecting your veterinary hospital data?
Start by downloading our FREE ebook, “5 Simple Steps to Protect Your Practice”. It includes 5 simple FREE or low-cost tools you can use to boost your cybersecurity profile.
Clint Latham