There are many ways to improve your security with multi-factor authentication, but some kinds offer more protection from hacking and tracking.
This is an opinion editorial by Heidi Porter, an entrepreneur with 35 years in technology.
Hacks will continue to happen: accounts get compromised, and people get sent to a nefarious site where they accidentally download malware instead of the verified software they wanted.
This will be the first in a series of articles around more resilient user security for your accounts, nodes and apps. We’ll also cover better email options, better passwords and better use of a virtual private network (VPN).
The reality is that you’ll never be completely secure in any of your online financial transactions in any system. However, you can implement a more resilient toolset and best practices for stronger security.
When we log into an online account, we’re often aiming to thwart an attacker or hacker using extra layers of verification — or locks.
Just as with your own home, multiple locks give more security. If one form of authentication is good, such as a password, then two forms (aka MFA) can be better.
Note that if you ONLY use biometric authentication, that is single-factor authentication. It’s just the biometric of whatever modality you’re using: thumb, iris, face recognition, etc. If you use one hardware key without a passphrase, that is also single-factor authentication.
However, if a biometric or key is used as a second factor, it can meet the goal of multi-factor authentication and be more secure than many app-based MFA options.
With MFA, you must use at least 2 of these 3 authentication mechanisms:
With MFA, you must have at least two authentication mechanisms.
If or when they eventually support MFA, at a minimum, you should have MFA set up for your:
Note: Each account or application needs to support the type of MFA that you are using and you must register the MFA with the account or application.
MFA providers often include less secure options such as:
MFA providers sometimes also include more secure options such as:
Guess what type of MFA most legacy financial institutions use? It’s usually one of the less secure MFA options. That said, authenticator apps and hardware keys for MFA are not all created equal.
First, let’s talk about the marketing of MFA. If your MFA provider touts itself as unhackable or 99% unhackable, they are spouting multi-factor B.S. and you should find another provider. All MFA is hackable. The goal is to have a less hackable, more phishing-resistant, more resilient MFA.
Some MFA is more hackable.
Some MFA is more trackable.
Some MFA is more or less able to be backed up.
Some MFA is more or less accessible in some environments.
Multi-factor authentication is more securely accomplished with an authenticator app, smart card or hardware key, like a YubiKey.
So if you have an app-based or hardware MFA, you’re good, right? Well, no. Even if you are using app-based or hardware MFA, not all authenticator apps and hardware devices are created equal. Let’s look at some of the most popular authenticator apps and some of their vulnerabilities with tracking, hacking and backing up.
Just like many financial and data companies, Bitcoin companies have been the target of multiple data breaches where attackers have obtained email addresses and phone numbers of customers.
Even without these breaches, it’s not especially hard to find someone’s email addresses and phone numbers (as mentioned in previous articles, best practice is to use a separate email and phone number for your Bitcoin accounts).
With these emails, attackers can perform phishing attacks and intercept your login credentials: both your password and the second factor you submit through MFA for any of your accounts.
Let’s take a look at a typical MITM phishing attack process:
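To show why a relayed one-time code verifies but a hardware-key assertion does not, here is an added Python simulation (not code from the original article). It assumes a hypothetical site origin `exchange.example`, constructed secrets, and an HMAC standing in for the key's asymmetric signature; the real scheme (WebAuthn) binds the browser's origin into the signed data in the same way.

```python
import hmac, hashlib, struct, json

# Constructed demo secrets (not real credentials) and a hypothetical site origin.
TOTP_SECRET = b"constructed-shared-secret"
KEY_SECRET = b"constructed-authenticator-key"   # stands in for the key's private key
RP_ORIGIN = "https://exchange.example"          # the genuine site (hypothetical)

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme most authenticator apps use."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def rp_verify_totp(submitted: str, t: int) -> bool:
    # The server only sees a 6-digit code; it cannot tell which page it was typed into.
    return hmac.compare_digest(submitted, totp(TOTP_SECRET, t))

def key_sign(challenge: str, origin_seen_by_browser: str) -> dict:
    """Simplified WebAuthn-style assertion: the browser records the origin it is on
    and the key signs over it (HMAC here instead of a real asymmetric signature)."""
    client_data = json.dumps({"challenge": challenge, "origin": origin_seen_by_browser},
                             sort_keys=True)
    sig = hmac.new(KEY_SECRET, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}

def rp_verify_assertion(assertion: dict, challenge: str) -> bool:
    data = json.loads(assertion["client_data"])
    expected = hmac.new(KEY_SECRET, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    # The relying party checks the signature AND that the signed origin is its own.
    return (hmac.compare_digest(expected, assertion["sig"])
            and data["challenge"] == challenge
            and data["origin"] == RP_ORIGIN)

def phishing_outcome(t: int) -> dict:
    """The article's scenario: a look-alike site relays whatever it receives to the
    real site within the same time window. Returns what the real site accepts."""
    phish_origin = "https://exchange-example.login-help.example"  # constructed look-alike
    relayed_code = totp(TOTP_SECRET, t)                 # code typed on the look-alike site
    relayed_assertion = key_sign("nonce-123", phish_origin)  # browser signed the wrong origin
    return {
        "totp_accepted": rp_verify_totp(relayed_code, t),
        "key_accepted": rp_verify_assertion(relayed_assertion, "nonce-123"),
        "key_accepted_on_real_site": rp_verify_assertion(key_sign("nonce-123", RP_ORIGIN), "nonce-123"),
    }
```

The relayed TOTP code is accepted because nothing in it says where it was entered, while the key's assertion fails at the real site because the origin it signed is the look-alike's.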
As an aside, be sure you have MFA attached to withdrawals on a wallet or exchange. Convenience is the enemy of security.
Important Note: Although I have not looked into all of these for my personal use, I believe any Bitcoin builder or Bitcoin company SHOULD ask their third-party providers or integration providers to provide details about what kind of MFA provider they use and ensure that it is phishing-resistant.
There are two caveats for hardware keys:
Smart cards are another form of MFA with similar phishing resistance. We won’t get into the details here as they seem to be less likely to be used for Bitcoin or Lightning-related MFA.
Another consideration for multi-factor authentication is whether you would ever be in a situation where you need MFA and cannot use a cell phone or smartphone.
There are two big reasons this could happen for bitcoin users:
There can be other restrictions on cell phone use due to customer-facing work environments or personal preference. Call centers, K-12 schools or high-security environments like research and development labs are some areas where phones are restricted and you would therefore be unable to use your phone authenticator app.
In these special cases where you are using a computer and don’t have a smartphone, you would then need a smart card or hardware key for MFA. You would also need your application to support these hardware options.
Also, if you cannot use your cellphone at work, how are you supposed to stack sats in the restroom on your break?
MFA can be hacked and your accounts can be compromised. However, you can better protect yourself with more resilient and phishing-resistant MFA. You can also choose MFA that is not tied to your phone number and has an adequate backup mechanism or the ability to have a spare key.
Ongoing defense against cyber attacks is a continuing game of cat-and-mouse, or whack-a-mole. Your goal should be to become less hackable and less trackable.
This is a guest post by Heidi Porter. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc. or Bitcoin Magazine.