On Data Protection Using Multi-Factor Authentication
Aaron Henricks
The Beacom College of Computer and Cyber Sciences
Dakota State University,
Madison, South Dakota, USA
[email protected]
[email protected]
ABSTRACT
Multi-Factor Authentication (MFA) has been around for three
decades and now authentication and security has taken priority in
securing data. Cyber-attacks have become widely popular and
successful because organizations are poorly prepared to handle
cyber security operations. These organizations hold critical
information about employees, customers and patients. Adding
additional security methods like MFA makes it more difficult for
attackers to successfully exfiltrate data and cause additional
damage. The methods of MFA can be used in combination to
successfully secure data and provide adequate authentication
practices. In this paper, we discuss the implementations of MFA,
privacy behind using more than one authentication method and
also the security concerns related to MFA. We also reveal the
flaws of MFA systems and discuss how these flaws can result in a
security breach.
CCS Concepts
• Security and privacy → Software and application
security → Software security engineering • Security and
privacy→ Security in hardware → Tamper-proof and
tamper-resistant designs • Security and privacy → Human
and societal aspects of security and privacy → Privacy
protections
Keywords
Authentication, Access Token, Cyber Security, Data Breach, Data
Privacy, Encryption, Multi-Factor Authentication (MFA).
1. INTRODUCTION
The idea of Multi-Factor Authentication (MFA) was originally
patented in 1996 by AT&T but has not been adapted to consumer
use until very recently as companies have been slow to adopt the
technology into their platforms [1]. With the increase of cyber
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for profit or commercial advantage and that
copies bear this notice and the full citation on the first page. Copyrights
for components of this work owned by others than ACM must be honored.
Abstracting with credit is permitted. To copy otherwise, or republish, to
post on servers or to redistribute to lists, requires prior specific permission
and/or a fee. Request permissions from [email protected].
ISSM 2019, October 14–16, 2019, Rabat, Morocco.
© 2019 Association for Computing Machinery.
ACM ISBN 978-1-4503-7289-3/19/10...$15.00
https://doi.org/10.1145/3394788.3394789
Houssain Kettani
The Beacom College of Computer and Cyber Sciences
Dakota State University,
Madison, South Dakota, USA
security attacks, defenders need to stay one step ahead of attackers.
Thus, a single password is no longer the preferred method of
authentication since passwords can be easily guessed or cracked
with the advanced computer hardware that is now readily
available to anyone. Accordingly, the advances in Graphical
Processing Units (GPUs), Application-Specific Integrated Circuits
(ASICs) and Malware-Controlled Botnets (MCBs), has made it
very easy to crack complex passwords [2]. Along with GPUs and
ASICs, the password policies that are adopted from the National
Institute of Standards and Technology (NIST) has contributed to
common users creating basic and easy to remember passwords.
Having users change their password every ninety days has made it
hard for the average user to remember complex and long string
passwords, therefore, resorting to passwords like a season and
year combination [3]. Since passwords alone are no longer
considered safe, MFA appears to be the next big implementation
for security. This paper will discuss the implementations of MFA,
privacy behind using more than one authentication method and
also the security concerns related to MFA.
While MFA does provide another layer of hardened security,
MFA provides indirect security measures to alert if a security
incident arises. Using proper log sources and logging tools,
security analysts can correlate data to determine compromised
accounts. Many times, companies have external password facing
portals that can be accessed by anyone on the Internet. This can
lead to an attack using a password spray of usernames and
passwords to try and compromise an account. By writing rules to
look at multiple bad password attempts with a successful
authentication, but a failure of a secondary authentication method
can result in an alert. Using this alert, security analysts can look at
logging and start an investigation. Investigations can reveal
information such as Internet Protocol (IP) addresses, scanning
activity, and additional compromised accounts. Smart response
plugins used in Security Information and Event Management
(SEIM) can automatically lock out accounts when certain criteria
are met. Proper logging and systems utilizing MFA can see the
hidden benefits of MFA.
Adding another layer of security to an organization can be costly.
The MFA can be a cost-effective way to add additional security
measures to an organization. However, an organization needs to
consider if their infrastructure is able to handle MFA systems.
Many times, organizations run legacy systems that need to be
updated to accept MFA. The latter is not something that can be
thrown into place and not maintained. Organizations need
resources to properly implement MFA and fix any flaws in the
system. Additionally, an organization may need to decide to run
with phone plans or use token generators. Depending on what
infrastructure the organization has in place and the route of MFA
they take, the price of implementation can be costly.
Lastly, as biometric technology becomes the biggest preferred
method of future MFA systems, the threat of cyber security
attacks will begin increasing towards biometric data. The latter is
unique to a person but what happens once that biometric data is
leaked? The equivalent of biometric being stolen is having a
password stolen. You can change a password but how can
someone change their fingerprint? Reversing DNA is a far-out
technology but advances in science, the ability to recreate physical
body components from DNA or biometric information will
continue to grow. The idea of MFA has been around for quite
some time but the implementation of MFA into services people
use every day is still fairly new.
The rest of this paper is organized as follows. Section 2 discusses
the challenges, methods, and benefits of implementing MFA into
an organization. Section 3 goes in depth about security flaws
within MFA and future targets cybercriminals will exploit to
defeat biometric authentication. Section 4 presents concluding
remarks.
2. MFA IMPLEMENTATIONS
There are several forms of Multi-Factor Authentication (MFA)
that are being adapted to consumer and commercial grade
products. For example, Short Message Service (SMS) text
messaging has provided an additional step when logging in. This
is done by linking an account with a phone number, then a
confirmation code will be sent to authenticate the user [4].
Another example is biometrics, which has been around for a while
and has been recently adapted into smartphone technologies.
Biometrics is a secure way to authenticate the user for whom they
say they are. A physical unique identifier such as an iris or
fingerprint can be used as another form of authentication. There
are ways around biometric technology, but biometrics has been
proven over time to work very well [5]. The most common form
of MFA is using an application on a cellular device. More
companies are linking Two-Factor Authentication (2FA) methods
to their platforms utilizing companies that specialize in security
such as Google Authenticator, LastPass, and DUO Security.
These apps give the user a six-digit combination that changes
every thirty seconds and is synchronized with the company’s
servers. Instead of a six-digit number, a prompt on a smartphone
will let the user accept or reject the authentication attempt. Before
mobile applications, key cards were used to generate codes for
authentication. These codes commonly referred to as tokens and
have paved the base to transform MFA into a more adapted
concept. The world has become a technologically advanced
society where people are now taking security as a priority. More
individuals are knowledgeable about technology and have
technological devices such as smartphones to integrate additional
forms of authentication practices.
Authentication methods can be broken down into three categories
such as something known, something owned and something you
are. Something known can be a secondary password or phrase [6].
Not as secure as additional security methods but can still be
categorized as an MFA method. This method can be subject to
social engineering attempts or open-source intelligence to
determine what the second form of authentication could be. When
referring to something owned this may be a keycard you have to
swipe after an additional password, or the token used from a third-
party application such as DUO Security. This practice has become
widely adopted by organizations since it is considered to be the
safest and most secure method of MFA. Lastly, something you are
is referenced to as biometrics which looks to take unique
identifiers and physical characteristics to make identifiable
authentication possible. With a combination of something you
know and something you are can make a difficult combination to
compromise. Physical attributes are unique to one person and
everyone has unique DNA sequence or fingerprints. The point of
MFA is to prove that the user is actually who they say they are.
Biometrics provides a hard to replicate form of authentication.
Mix and matching a password and a form of authentication or two
forms of duo authentication such as biometrics and a token makes
it even more secure [6]. There are millions of combinations of
passwords, pins, and methods of authentication that can be used to
secure data and users.
In proof of concept testing, MFA has shown to be very difficult to
defeat even with inside knowledge. As more organizations turn to
enable and adding additional authentication methods, comes into
the concern of adding additional resources to the company [6].
Depending on the type of authentication, smartphones or smart
devices may be purchased or maintained to provide adequate
support. Projects cannot be implemented and left to function all
the time. There may be overhead to the addition of MFA but key
card readers that provide tokens is still a secure way to
authentication users. Along with the maintenance of the
authentication system, systems need to be up to date or changed to
allow multi-authentication to work. Legacy systems may not
provide the capability to host such resources. There are no one-
size fits all when dealing with authentication systems as each
organization has its own needs and depending on those needs may
require different authentication methods [7]. There can be a large
overhead when integrating a secure system. Many companies put
tasks, production, and convenience before security needs. This is
partially why the rollout of secondary authentication has proven to
be relatively slow. Companies need to realize the harmful
consequences of not pushing security as the first priority. It may
be understandable why security is not a top concern since it is a
support system while production is the money-making method.
What will it take for companies and organizations to realize that
security should be the number one priority? Sadly, history shows
that security is an afterthought. A security incident will have to
occur where the company takes a large financial loss before the
system security is enhanced.
Using MFA can give an early indication of a compromise. It can
also lead to determining compromised accounts by advanced
logging. Analyzing logs where users authenticate properly but fail
the secondary authentication method or have the authentication
method time out can trigger a rule and give a security analyst an
alarm that this traffic was happening within the network. Logs
forwarded to a SEIM tool such as Splunk or LogRhythm can give
an analyst a secondary look of what happened when
authentication was failed. This also gives an IP address that can be
pivoted on to see what else that attacker was doing. There may be
additional information about reconnaissance or additional
resources being targeted. External facing infrastructure is the
primary target for attackers. Logging can give a good indication
of a compromised user but without the secondary form of
authentication, the account is rendered useless unless a token can
be hijacked, or a vulnerability used to bypass the authentication
method. Any critical infrastructure or systems should have an
MFA method enabled. It creates a thickened layer of security that
can be very difficult to bypass. This eliminates a point of entry
where another attack vector has to be used. It makes it much
harder for an attacker to pivot around an organization if they do
not have domain credentials. Data privacy is a big concern to
consumers, organizations and just about everybody. The
protection of data is crucial in hiding private information. A
system can be patched a thousand times but there will always be a
vulnerability within it. Organizations are taking initiatives to
patch vulnerabilities and reduce the risk of a data breach by
adding MFA methods and providing support to limit the
possibility of a data breach or incident beings with proper
password management and authentication methods.
3. MFA SECURITY FLAW
There is no such thing as a perfectly secure system. Facts need to
be brought forward to prove the security analyst’s hypothesis of
what occurred in an incident. This goes the same when assuming
that infrastructure can be absolutely secure. An analyst cannot
assume anything and to think otherwise provides an additional
risk to an organization. Security analysts can provide additional
resources to reduce the risk of a security incident but that does not
make it always secure. The mindset of a security analyst is that
anything can happen at any time. A new vulnerability found
yesterday could be used in an attack and there are no available
patches to fix the issue. Adding additional resources can limit the
possibility but even with these additional resources, vulnerabilities
can live within them. A security flaw does not have to live in
MFA. Social engineering has become a favorite of attackers
because of the success behind it. Users are the best resource for a
company but also the easiest way for an attacker to access
information owned by an organization. There are ways around
MFA and this section explores such security flaws.
Security flaws exist in a lot of consumer grade software. While
most of the security flaws are uncovered in the testing phase,
security flaws are always being uncovered in software that has
been released for many years. Security flaws can lead to leaking
of data and private information. It does not take the exploit of an
MFA flaw to compromise itself. Other systems can be exploited
to gain secondary authentication success. Biometrics is a great
example of that. Biometrics is unique to a person and that person
may use their fingerprint or some other physical characteristic to
authenticate. This information is stored somewhere else. An
attacker could target a database of stored biometric data. The
compromise of physical traits used in biometrics is a big concern
[5]. With that data of biometrics of others, an attacker could use
this information to replicate biometric features such as a
fingerprint to pass MFA. This proves to be a great vulnerability if
an attacker is able to actually use the information. This is the
biggest problem behind this compromise. The attackers actually
have to do something with the data to make it a threat [5]. As
technology has advanced, so has biology research. The
reconstruction of biometric entities based on DNA has become
more of a reality than futuristic movie betrayals. Fingerprint
brute-forcing has been discussed in the past as a method to defeat
biometrics. Using an application that is allowed to send templates
to a system can start out using a simple fingerprint template. An
attacker then can modify the pixels and keep resubmitting until
successful authentication. However, this does not stop at
fingerprints, as facial recognition can also be altered [8]. To stop
attacks like brute-forcing, putting a threshold for a number of tries
would stop this type of attack. However, manipulation of a
biometric device could bypass this security feature.
Any data stolen is considered a compromise of data and
considered an incident but since the data that was stolen is
personal to that user, that person only has one face, one iris, and
only nine other fingers. Maybe all those fingers were scanned into
the system. At this point, biometrics is rendered worthless as
another form of authentication. A user cannot grow another finger
or modify their DNA footprint. As biometrics become widely
more adapted into devices and forms of authentication, this stands
to become an issue [5]. An example of a DNA database that could
lead to an incident and having this threat become a reality would
be Ancestry (Ancestry.com), where users send DNA to the
company where it is tested and analyzed to determine links
between other people and nationalities. This data is stored in a
database but also used to help tune algorithms and improve their
systems. A leak of information like this can lead to the
compromise of biometric-enabled systems.
Not only does the compromise of biometric data hurt forms of
authentication but the data that is stored could be used in other
ways. As more companies and organizations use biometrics as a
form of authentication, biometric data will become a target of
cybercriminals. Passwords have been the initial access vector
when stealing information. New forms of authentication will
replace old forms but with new forms of authentication comes
different threats with it. The danger of biometric is real today but
without a way to replicate or use biometric data in a way that is
useful to an attacker, there is no credible threat. Advances in
biological technology to recreate and use this data along with the
push of biometric data will eventually be a real threat. Beside
stealing biometric data to use to progress cyber security attacks,
biometrics could be used in ransom [9]. With biometric data lies
DNA. The research done on DNA could have an interesting
medical aspect to it. Analyzation of DNA could reveal
confidential records that otherwise should be kept private.
Attackers can leverage this data for ransom money. The future of
biometric technology has a lot of potential to become the most
secure way to authenticate but has a chance to become the next
big security breach.
Another common form of secondary authentication is SMS text
messaging. By linking a phone number to a service, the service
sends out a confirmation code to enter to perform a secondary
authentication. It is a good form of authentication in theory and
practice. A Subscriber Identification Module (SIM) Card is very
difficult to spoof. An attacker could send a message spoofing a
number but receiving information that was sent to the original
number is tough [4]. While this is a possibility, it is more common
for attackers to social engineer cellphone providers. By using
social engineering and impersonating customers, attackers have
been successful in resetting accounts and moving numbers to a
different SIM Card. In turn, an attacker can then bypass secondary
authentication by using the code sent to that phone number. In
recent years, cellphone providers have become more
knowledgeable about social engineering attempts and have put in
additional security steps to secure customers’ accounts [4]. Setting
a Personal Identification Number (PIN), password and proof of
driver’s license has made it more difficult to modify account
settings without proper authentication. This has made it much
more difficult for an attacker to social engineer cellphone
providers. In recent years, cybercriminals have found other ways
to use SMS tokens to bypass 2FA. Using phishing and social
engineering, cybercriminals have targeted Yahoo and Gmail email
accounts. By sending out phishing emails to people, users were
prompted to enter their credentials to log in. The webpage would
request to confirm their cell phone number, while the user
submitted their number, the webpage would make a request to
send out a confirmation code. The user would then enter the SMS
token to the phishing website. At this point, the attacker has the
user’s credentials, a way to bypass 2FA, and access to their email
account. The MFA is a good secure system but with anything, it
can be defeated by using basic attacks like phishing and social
engineering attacks.
Another common attack vector used for bypassing MFA is brute- authentication systems. IBM Systems Journal, 40(3), 614-634.
forcing tokens. If an attacker is able to successfully authenticate https://doi.org/10.1147/sj.403.0614
with the first step, an attacker will try to authenticate using [6] Vegh, L. (2018). Cyber-physical systems security through
another form. Brute-forcing tokens can be a way to bypass the multi-factor authentication and data analytics. Proceedings of
authentication methods [10]. However, with additional security the 2018 IEEE International Conference on Industrial
methods put into place such as the number of tries and a time limit, Technology (ICIT), Lyon, France, 1369-1374. Piscataway, NJ:
has made this method unpopular. However, if secondary IEEE. https://doi.org/10.1109/ICIT.2018.8352379
authentication is set up poorly and allows for unlimited attempts [7] Mao, Z., Florêncio D., & Herley, C. (2011). Painless
at secondary authentication, the possibility for a brute-force to migration from passwords to two factor authentication.
occur is significantly higher. Companies are now releasing push to Proceedings of the 2011 IEEE International Workshop on
phone accept or reject authentication attempts. This goes back to Information Forensics and Security (IWIFS), Iguacu Falls,
logging of a failed secondary authentication attempt, but users can Brazil, 1-6. Piscataway, NJ: IEEE.
also be vigilant of signs of compromise. An uneducated user https://doi.org/10.1109/WIFS.2011.6123150
accepting the second form of authentication from a smartphone [8] Martinez-Diaz, M., Fierrez-Aguilar, J., Alonso-Fernandez, F.,
device would make it look like a legitimate authentication. Ortega-Garcia J., & Siguenza, J.A. (2006). Hill-climbing and
Logging and alarms built around this activity are rendered brute-force attacks on biometric systems: A case study in
worthless and a compromise of an organization’s resources could match-on-card fingerprint verification. Proceedings of the
occur. 40th Annual 2006 International Carnahan Conference on
Security Technology, Lexington, KY, 151-159. Piscataway, NJ:
4. CONCLUDING REMARKS IEEE. https://doi.org/10.1109/CCST.2006.313444
The protection of data is crucial to maintain critical operational [9] Goodman, M. (2015, February 24). Fingerprint and iris
information for a company. The use of additional resources like scanners seem secure, but they aren't hack-proof. SLATE.
MFA has been utilized to establish control over data. Passwords Retrieved from https://slate.com/
by themselves no longer provide the necessary security for critical [10] Amir, S. (2017, July 15). 4 Methods to Bypass two factor
infrastructure and data. Not only does Multi-Factor Authentication Authentication. Shahmeer Amir. Retrieved from
(MFA) add an additional step when authenticating users but also https://shahmeeramir.com/
adds another layer of assurance and security. Logging of MFA
attempts can be viewed and used in security analyst work. With
proper logging and alarming, a compromise of a user account can
be quickly handled. The combination of a password and another
form of authentication can provide an adequate layer of security.
A combination of MFA solutions can strengthen the security of a
company or organization. Biometric technology is the front runner
in the advancement of MFA. The development and research of
biometric are being integrated into many platforms and stands to
be the easiest way to authenticate. Biometric data is difficult to
replicate and unique to each user. However, with the advancement
in DNA research, there stands to be data exposure of biometric
data that can be used to further escalate into security attacks or the
ransom of DNA information. As security becomes higher priority
and systems are strengthened with security in mind, social
engineering attempts will become more widely used. Passwords
are no longer the best secure method. While MFA is not full proof,
it does add an additional layer of security that can stop access to
confidential data.

5. REFERENCES
[1] Brodkin, J. (2013, May 23). Kim Dotcom claims he invented
two-factor authentication-but he wasn't first. Ars Technica.
Retrieved from https://arstechnica.com/
[2] Korolov, M. (2017, November 14). How hackers crack
passwords and why you can't stop them. Cyber Security
Online (CSO). Retrieved from https://www.cso.com.au/
[3] BARR Advisory (2018, June 11). Follow these NIST
guidelines to boost password security. BARR Advisory.
Retrieved from https://www.barradvisory.com/
[4] Fujii, H., & Tsuruoka, Y. (2013) SV-2FA: Two-factor user
authentication with SMS and voiceprint challenge response.
Proceedings of the 8th International Conference for Internet
Technology and Secured Transactions (ICITST-2013),
London, UK, 283-287. Piscataway, NJ: IEEE. https://doi.org/
10.1109/ICITST.2013.6750207
[5] Ratha, N. K., Connell, J. H., & Bolle, R. M. (2001).
Enhancing security and privacy in biometrics-based