Hardening Multi Factor Authentication


By: Calvin


Multi Factor Authentication (MFA, 2FA) is great, and it is universally recommended that if a service supports multi factor authentication, it should be enabled. It’s so effective that Microsoft has found that Multi Factor Authentication can thwart 99.9% of attacks on your accounts. But what about that 0.1%?

The Real Risk

The most common way of working with Multi Factor Authentication is by using an SMS text message that is sent to your phone number. This is where the vulnerability lies. Security is only as strong as its weakest link and in this case, the weakest link is your cellular carrier.

There are two basic types of attack that involve your cellular phone/account: SIM cloning/swapping attacks and port out attacks.

SIM Swapping

SIM cloning happens when a person is able to make a copy of the SIM card in your phone, leaving them able to put that copy into a device of their own and make the carrier think their phone is now tied to your number. Another variation of this attack involves the attacker convincing the carrier, or an employee at the carrier, to change the SIM tied to your phone number to a different SIM that they hold. At this point they have full control over your phone number and can do as they please with it, meaning they can potentially initiate password resets and log into any account tied to that phone number.

Port out Attacks

Port out attacks occur when someone initiates a port, or transfer, of your number from one cellular account or carrier to another. This gives that person control of your phone number, and from that point on they receive every Multi Factor code sent to your phone. Think about how many accounts can be reset or logged into just by receiving a code sent to your phone: this person can now log into, or reset the password for, any account tied to this number.

How to Protect Yourself

Protecting yourself from these types of attacks involves two key parts.

  • Use Authenticator Apps whenever possible. By using an app installed on your phone to generate authentication codes you are removing the human element from the equation. You are now relying solely on a hardware device that, let’s face it, is likely never farther than an arm’s length away, which makes it nearly impossible for someone to access it without you knowing. In addition, many services allow you to create backup codes that can be written down and stored in a safe location; if your phone is broken, destroyed or stolen, you can use them to quickly get back into those accounts and secure them.
  • Unfortunately, not every service has the capacity to use an authenticator app. Here we still need to rely on our cellular provider to keep things secure.
    • The first step is simple: enable Multi Factor Authentication for your cellular account. Doing this keeps attackers out of your account and prevents an unauthorized change to your phone or number.
    • Enable Port Out Protection. Typically, for a phone number to be ported, a carrier will require the account number and the PIN associated with the account; this may vary, but it is the most common requirement. Not every cellular carrier offers port out protection, but the major carriers in the US (Verizon, AT&T, T-Mobile) support it, and it can usually be enabled through your online account settings. This essentially puts a freeze on the number, requiring, you guessed it, Multi Factor Authentication to initiate the transfer.


By following the steps above and working with your wireless provider’s built-in security options you will be able to greatly increase the security of ALL of your accounts that are tied to your phone number and make a possible security disaster a worry of the past.