This article was feature in the Australian Financial Review on Friday 25 November 2022.
As hackers increasingly use stolen credentials as the initial attack vector for data breaches, "silent" multi-factor authentication offers organisations the ability to strengthen their defences without trading off convenience for security.
Data records containing stolen credentials, such as usernames and passwords, are the perfect treasure trove for hackers looking to launch their next wave of data breaches. Compromised credentials are involved in 61 per cent of all data breaches, according to Verizon's 2021 Data Breach Investigations Report. Multi-factor authentication (MFA) offers an extra line of defence against unauthorised access, by demanding that users authenticate themselves using both something they know and something they have. The something they know is their username and password, while the something they have is often a one-time code sent to their mobile phone. Having just one of these is not enough, users need both pieces of the puzzle before they are granted access.
MFA is extremely effective, blocking 99.9 per cent of automated account attacks, according to Microsoft. Likewise, Google's research found MFA blocks up to 100 per cent of automated bots, 99 per cent of bulk phishing attacks and 66 per cent of targeted attacks. Even before Australia's latest round of high-profile data breaches, the Australian Communications and Media Authority mandated in June that MFA be used by Australian telcos for all high-risk transactions. One challenge is that employees and general consumers can struggle with the complexity of using MFA and often decline to use it if given the choice. Only 2.6 per cent of Twitter's global user base has enabled MFA because "change is hard and it's inconvenient", according to the Twitter Transparency Centre's latest Account Security Report.
Another challenge is that some forms of MFA, such as sending the one-time code via SMS, are vulnerable to compromise. Attackers can impersonate their intended victim, hijack their mobile phone account and port the number to a new SIM card in order to intercept MFA SMS notifications. Even when obtaining one-time codes via more secure methods, such as a mobile app or key fob, users are still vulnerable to spoof attacks where they are tricked into entering their username, password and one-time code into a bogus website.
A more secure alternative is the use of "silent" multi-factor authentication. It allows devices and websites to automatically exchange one-time codes in the background to authenticate a user's device after they enter their username and password.
Silent MFA can help organisations combat reluctance from users to enable MFA, while also enhancing security by ensuring the one-time code isn't vulnerable to interception – eliminating a potential attack vector, says Dave Maunsell, CEO of Australian cybersecurity provider Haventec. Once users successfully authenticate using their existing username and password, Haventec Silent MFA completes a second authentication check using information from the user's device. A rolling authentication key and the device signature is used to create a rolling private key, which is matched against a rolling public key to complete a second-factor authentication on every login.
"Security features typically enhance protection at the expense of convenience, which might be considered a reasonable trade-off by some, but with Silent MFA you can actually have the best of both worlds – making users both safer and happier when accessing the services and data they value most.
Dave Maunsell, CEO of Haventec
Silent MFA works alongside existing username / password authentication solutions, with no additional steps required by the end user such as receiving codes or using authenticator apps. This allows organisations to automatically utilise MFA every time a user logs in, while removing the risk of them opting out, Maunsell says.
"We also know that many approaches which strengthen security, such as conventional multi-factor authentication, create usability issues that lead to new types of threats while slowing down business," he says. Only 56 per cent of enterprises have implemented MFA, despite it being an effective cyber threat mitigation. Of those enterprises which have implemented traditional MFA, the majority of them do not make it mandatory, with less than one in five customers opting-in to use it despite the enhanced security.
The tendency of consumers to favour weak passwords demands the use of MFA but, despite the technology's best intentions, Maunsell says the complexity that traditional MFA introduces to the user experience goes against the trend of delivering frictionless customer journeys. Reliance on conventional multi-factor authentication can discriminate against people with accessibility issues, which is around 15 per cent of the population, according to the W3C Web Accessibility Initiative. Elderly users can also be confused by the process.
"This makes it very difficult for services to mandate the use of MFA, even though there is growing pressure from the regulators to do so amid growing public concern over privacy and security," Maunsell says. "Security features typically enhance protection at the expense of convenience, which might be considered a reasonable trade-off by some, but with silent MFA you can actually have the best of both worlds – making users both safer and happier when accessing the services and data they value most."