2.1 Multi-factor Authentication

You should know the following terms:

• Multi-factor Authorization (MFA)
• Authentication app
• MFA Prompt Bombing
• SIM-swapping

The Value of Multi-factor Authorization

Strong passwords are an important first step in combating security risks on your network, but even though you may follow guidelines to generate strong passwords, you can’t guarantee everyone on your network will be as diligent. Usernames and passwords alone aren’t enough, as witnessed by the rise in identity theft and malicious attacks against school networks. Verizon's 2022 Data Breach Investigations Report notes that more than 80 percent of account breaches could be attributed to stolen credentials (username and passwords), with more than 90 percent of these incidents involving web applications. The report calls it “one of the most tried-and-true methods to gain access to an organization for the past four years.” The report notes that attackers steal credentials through brute force attacks using automation to crack passwords, malware, reused passwords from other sites that have been breached, and social attacks such as phishing.

You may already access a variety of resources that require an additional step to verify your identity. Multi-factor authentication (MFA) requires users to submit multiple types of information or complete at least two types of actions to identify themselves. On commercial websites and services, you may already do this by receiving a special code texted to your phone after entering a password. Schools have multiple options, and you need to understand the MFA procedures your district employs and your obligations for implementing or supporting those procedures.

MFA strategies are often described as belonging to one of three categories:

1. Something you know. Something you know can be answers to secret questions that you have identified when creating your account. Secret questions can actually be a weak form of MFA if they request information that is easy to find, such as a mother’s maiden name, last four digits of a social-security-number, a pet, or street name. In systems with these weak secret questions, you can make them more secure by providing false information as the answer. As long as you and the service keep track of the answer that’s provided, it doesn’t matter whether it’s factual or not.
2. Something you have. For personal accounts, many people have a phone that a service can text, call, or use an app. In schools, some staff may not want to use their personal phone as “something they have” to verify their identity. Schools can still create physical tokens that are something users have, such as smart cards, a key fob, or even a USB drive. With many schools requiring identification, a smart card on a lanyard is something many staff and students have access to.
3. Something you are. This third category of MFA relies on some type of biometric identification. Computers and phones have used fingerprint and facial recognition for years. It’s not too far-fetched to consider biometric identification in schools, as many schools have been using fingerprints or other biometrics to identify students in cafeterias and on buses for many years. 

You should understand which types of MFA are supported by your district and your role in responding to requests related to MFA. Does your district provide physical MFA resources for staff, such as smart cards or USB drives? Does it use authentication apps, such as Google or Microsoft Authenticator, Duo, or other app-based tools? Some districts will follow a tiered approach to MFA implementation starting with MFA for employees with administrative account access to financial, student information, communication, IT, and security systems (COSN Cybersecurity Toolkit). Because of successful attacks that have allowed attackers to bypass MFA, some consider authentication apps, a USB security key, or biometrics as stronger MFA than text codes and pop-up notifications. You should know what your district requires and how to support it.

Some ways entry-level technicians may be required to support MFA include actively logging in to test before and after MFA is enabled to determine functionality. You may also be asked to reset MFA if a second factor changes, like when an employee requires a new physical factor or their account information is updated. You should follow appropriate SOP strictly to be sure you are verifying any requests for changes in credentials.

Attacks on Multi-factor Authorization

Simply setting up MFA is not sufficient to prevent attackers from compromising your users and obtaining their credentials. Several known cybersecurity risks target MFA systems. You should understand and recognize these attempts as well as keep abreast of new risks as they are identified. 

MFA Prompt Bombing is conducted by an attacker who has some account credentials for a user but not the ability to respond to MFA, so they try to “prompt” the user to accept an MFA notification.. Using stolen credentials, the attacker creates a fake account, such as an email account, and triggers MFA requests to the original user’s device. These may occur at night or sometimes repeatedly to attempt to catch the user off guard or once they’re upset. Some attackers may actually contact the user or pose as IT support. If the user does confirm one of the requests, the attacker can then register a different device as a trusted device for MFA, giving them full access to the user’s account. 

Your end users face additional attacks to their MFA--ones they may not realize have occurred until too late. The FBI has identified that cyber criminals can steal user credentials by contacting a telecommunications company representative and convincing them to share identification information from a user’s phone to theirs. Often the attackers are fortified with ample personal information for the person they are attacking.  It’s an attack referred to as SIM-swapping.  Mobile phones use SIM cards to store user data, and if an attacker can successfully obtain that information, perhaps by pretending to have damaged “their” phone and requesting the SIM information, they can use it to activate a different phone. The act essentially deactivates the user’s phone and the new phone will replace it and now receive all phone and text messages from the original user. The attacker can use it to take over any online accounts associated with the phone, like a district email or cloud storage account.

Your users can help combat against being a victim of one of these crimes by being judicious about the information they share online and through social media. They should keep Personally Identifiable Information (PII) private. They should also become more savvy about phishing attempts, fake websites, disguised emails and URLs, and other common cyber attacks.
 

Complete the following task or self-assessment:

Does your district use multi-factor authentication for all or some of the users?

• If not, create a list of pros and cons for implementing it, along with which users should be using it.
• If so, what types of MFA are (or might be) supported by your district?