Stop Hackers in Their Tracks: MFA & Passkeys Explained 🔐

Shannon Morse
23 Nov 2025 · 20:01

Summary

TLDR: Shannon Morse breaks down multifactor authentication (MFA) and passkeys, showing how they protect accounts even if passwords are stolen. She explains MFA vs. 2FA, compares methods—SMS (weak), authenticator apps, push prompts, and hardware security keys (strongest)—and highlights passkeys as the future, using device-bound cryptography to replace passwords. Drawing on Yubico research and real-world attacks (SIM swapping, phishing, and AI-crafted lures), she urges enabling MFA on email, social, banking, and password managers, keeping backup codes and a second key, and choosing hardware keys or passkeys where possible for the best protection.

Takeaways

  • 😀 Passwords alone are no longer enough to protect your online accounts; multi-factor authentication (MFA) adds another layer of security.
  • 😀 62% of companies still rely primarily on usernames and passwords, despite these being vulnerable to breaches and phishing attacks.
  • 😀 Multi-factor authentication (MFA) can involve something you know (password), something you have (phone or hardware key), or something you are (biometrics).
  • 😀 SMS codes are the least secure MFA option because they are vulnerable to SIM swapping attacks. Avoid using them if possible.
  • 😀 Authenticator apps (e.g., Yubico Authenticator) generate time-based codes, which are stronger than SMS but can still be vulnerable if someone gains access to your phone.
  • 😀 Push prompts, which ask you to approve or deny login attempts, are convenient but vulnerable to MFA fatigue attacks, where hackers repeatedly send prompts to wear you down.
  • 😀 Hardware keys (e.g., Yubico's YubiKey) are the most secure MFA method as they are resistant to phishing attacks and require physical possession to authenticate.
  • 😀 While not all websites support hardware keys, they provide the best defense against modern phishing threats and should be prioritized for critical accounts.
  • 😀 Passkeys, which replace passwords entirely, offer a more secure and convenient option for logging in, using device-bound public key cryptography.
  • 😀 Always back up your MFA methods by keeping backup codes in a secure location or registering a second hardware key to ensure you don’t get locked out of your accounts.
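How an authenticator app's rotating code is actually produced, as an added Go example that is not from the video or from Yubico: the app and the server share a secret and both run RFC 6238 TOTP over the current 30-second time step, which is why the code needs no phone number and no network. The secret is the RFC 6238 test-vector seed (a constructed value, not any real account's), and verifyTOTP is an assumed server-side check written for this illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// totp computes the RFC 6238 code (HMAC-SHA-1, 30-second step) for a shared
// secret at a given Unix time: the same arithmetic an authenticator app runs
// offline on the phone.
func totp(secret []byte, unixTime int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30)) // time-step counter
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation from RFC 4226
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// verifyTOTP is an assumed server-side check: accept the current step and one
// step either side to absorb clock drift, comparing in constant time. Note what
// is NOT checked: the code is not tied to any website, so a code typed into a
// look-alike page and relayed within the window is accepted. That gap is what
// hardware keys and passkeys close.
func verifyTOTP(secret []byte, unixTime int64, digits int, candidate string) bool {
	for _, skew := range []int64{-30, 0, 30} {
		if hmac.Equal([]byte(totp(secret, unixTime+skew, digits)), []byte(candidate)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed secret: the RFC 6238 test-vector seed, not a real account's.
	secret := []byte("12345678901234567890")
	fmt.Println(totp(secret, 59, 8))                         // 94287082 (RFC 6238 Appendix B)
	fmt.Println(verifyTOTP(secret, 1111111134, 6, "081804")) // true: previous step still accepted
}
```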

Q & A

  • What is multifactor authentication (MFA)?

    -MFA is a security method that requires two or more layers of verification to access an account. These layers can include something you know (password), something you have (phone or hardware key), something you are (biometric data like a fingerprint or Face ID), or even your location.

  • How does MFA enhance online security?

    -MFA adds extra layers of security, making it significantly harder for attackers to access accounts even if they have stolen your password. The additional factors—like a code from an app, a physical security key, or biometric data—ensure that only the rightful user can log in.

  • What is the difference between MFA and 2FA?

    -MFA refers to using two or more authentication factors, while 2FA specifically refers to exactly two factors. MFA is a broader term, and 2FA is one type of MFA.

  • Why are SMS text messages considered a weak MFA method?

    -SMS is vulnerable to attacks like SIM swapping, where an attacker tricks your phone carrier into transferring your phone number to their device. This allows them to intercept your verification codes, making SMS a less secure MFA option.

  • What are authenticator apps, and how do they work?

    -Authenticator apps like Yubico Authenticator generate time-based codes that change every 30 seconds. These apps are more secure than SMS and do not rely on your phone number, though they can still be compromised if someone gains access to your phone.

  • How do push notifications for MFA work, and what are their risks?

    -Push notifications are alerts sent to your phone asking you to confirm a login attempt. While convenient, they can be susceptible to MFA fatigue attacks, where attackers repeatedly send prompts until the user approves one out of annoyance.

  • What are hardware keys, and why are they considered the gold standard in MFA?

    -Hardware keys, like the YubiKey, are physical devices that provide phishing-resistant authentication. They require you to physically plug in or tap the key to verify your identity, making them the most secure MFA option.

  • How do passkeys differ from traditional passwords and MFA methods?

    -Passkeys replace passwords entirely. They use public key cryptography to authenticate users without transmitting passwords, making them more secure than traditional methods. Authentication is done using biometrics or a PIN, with the credentials stored locally on your device.

  • What should I do if I lose access to my MFA device, like my phone or hardware key?

    -Many services provide backup codes when you set up MFA. Store these codes safely, and consider registering a second hardware key as a backup. If you're using an app for MFA, ensure that you back up your codes before switching devices.

  • Why is it important to enable MFA on my most important accounts?

    -Enabling MFA on key accounts—like email, social media, banking, and password managers—adds an extra layer of protection. These accounts are often the gateway to other services, so securing them with MFA prevents unauthorized access to your personal information.
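Why a passkey (or a hardware key) resists phishing where a typed code does not, as an added Go example that is not from the video or from any vendor: the authenticator keeps one private key per site and the browser, not the user, writes the origin into the signed client data, so the server can reject anything not signed for its own origin and its own fresh challenge. The origins are constructed, and clientData is a simplified stand-in for WebAuthn's clientDataJSON, which carries more fields in a real exchange.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// clientData is a simplified stand-in for WebAuthn's clientDataJSON: the server's
// challenge plus the origin the browser fills in itself, which a phishing page cannot alter.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// authenticator keeps one private key per site origin; keys never leave the device.
type authenticator map[string]ed25519.PrivateKey

// register creates a credential for a site; the server only ever receives the public key.
func (a authenticator) register(origin string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a[origin] = priv
	return pub
}

// sign answers a challenge for the origin the browser is currently on. A look-alike
// domain owns no credential, so the authenticator refuses outright.
func (a authenticator) sign(origin string, challenge []byte) ([]byte, []byte, bool) {
	priv, found := a[origin]
	if !found {
		return nil, nil, false
	}
	cd, _ := json.Marshal(clientData{challenge, origin})
	h := sha256.Sum256(cd)
	return cd, ed25519.Sign(priv, h[:]), true
}

// verify is the server side: the signed client data must name this server's own
// origin and the exact challenge issued for this login, and the signature must check.
func verify(origin string, pub ed25519.PublicKey, challenge, cd, sig []byte) bool {
	var c clientData
	if json.Unmarshal(cd, &c) != nil || c.Origin != origin || string(c.Challenge) != string(challenge) {
		return false // wrong site, or a replayed or foreign challenge
	}
	h := sha256.Sum256(cd)
	return ed25519.Verify(pub, h[:], sig)
}
```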
