
Paul Truitt was recently talking to customer service at the national bank he uses when an interaction gave him pause: The representative asked for the multifactor token on his phone to authenticate him. The token — a number — was in a text that instructed him not to share the number.
“They need me to tell them the thing that … tells me not to ever give it to anyone and that the bank would never ask for,” says Truitt, a partner and national practice leader for IT risk and compliance at Forvis Mazars.
Truitt had run into one of the weaknesses of multifactor authentication: a one-time code that a person can read aloud is a secret that a person can be talked into giving away, and here the bank’s own staff were asking for it.
MFA does work, but Truitt’s experience shows that enterprises and consumers routinely trade security for convenience. Financial institutions need to understand how each authentication method can be compromised and keep reassessing how to strengthen their credentials and authentication protocols while still letting legitimate users in without undue friction.
Ninety-four percent of respondents to Bank Director’s 2024 Technology Survey say their institution has either two-factor or multifactor authentication protocols in place to prevent fraud. That reflects its adoption as an increasingly default and expected practice, says Lisa Sotto, a partner and chair of the global privacy and cybersecurity practice at Hunton Andrews Kurth.
“It’s not even a question of whether you should be using multifactor authentication,” she says. “We think now about what kind of multifactor [to use, since] some are more secure than others.”
Multifactor authentication requires a user to present more than one kind of evidence before being granted access to a system. The National Institute of Standards and Technology defines three factor types as the cornerstones of authentication: something you know, something you have and something you are, for example a password, a device and a biometric, respectively. Two pieces of evidence of the same type, such as a password and a security question, do not count as two factors.
“The strength of authentication systems is largely determined by the number of factors incorporated by the system — the more factors employed, the more robust the authentication system,” NIST wrote in a special publication on digital identity guidelines.
But MFA is not a cure-all for weak passwords or for authenticating users. Truitt knew it was a representative of his bank asking for the code, but others could be tricked. A scammer who already holds a customer’s password can trigger the MFA text by logging in to the real site, then call the customer from a spoofed number that looks like the bank’s and talk the customer into reading the code back. After his call with customer service, Truitt wrote to the institution’s chief information security officer, whom he knows, to point out that the customer service department is asking customers for the very authentication number the bank sends them.
“We need to get better consistency around how factors of authentication are being used,” he says. “The challenge is anytime you’ve got a number — whether it’s a text message that gives you a number or [from an authenticator app] — someone could read it off. That’s the challenge.”
That is just one of the challenges MFA presents in the constant fight to keep a financial institution’s systems out of attackers’ hands and its customers safe.
Disable “Yes, This Is Me”
One particularly weak MFA approach that Truitt sees “pretty consistently,” including in multiple data breaches that Forvis Mazars has responded to, is push-based approval: an authenticator app or service shows the user a pop-up prompt along the lines of “Yes, this is me,” and the user taps a button instead of typing in the code the app generates.
“It’s too easy and we see it in data breaches nonstop,” he says. “The first thing I ask organizations to do is to turn it off.”
Sotto seconds this as an especially weak form of authentication because it is vulnerable to “MFA bombing,” also called MFA fatigue: an attacker who already has the password triggers login attempt after login attempt, and the phone’s owner, possibly distracted by something else on the screen, eventually taps “yes, this is me” without considering where the prompt came from. The user has approved a login without knowing what it was for. Where push approval cannot be switched off, requiring the user to type a number shown on the login screen into the app (number matching) at least ties the approval to the session actually being opened.
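The trace that an MFA-bombing attack leaves in an identity provider’s logs is distinctive: a burst of push prompts to one account, several denied or ignored, then an approval. The following detector is an added example written for this article, not code from Forvis Mazars, Hunton Andrews Kurth or any vendor. The log lines are constructed, and the line format, the event names (push_sent, push_denied, push_timeout, push_approved), the ten-minute window and the prompt thresholds are assumptions; map them onto whatever your own identity provider emits.

```javascript
// Added example, not code from the article or from any vendor: a detector for
// push-prompt "MFA bombing" run over a constructed authentication log.
// Assumptions: one event per line in the form "<ISO time> user=<id> event=<name>",
// the event names push_sent / push_denied / push_timeout / push_approved, and
// the window and count thresholds below.

const SAMPLE_LOG = [
  // alice: one prompt, approved within seconds. Normal sign-in.
  '2024-05-01T09:15:02Z user=alice event=push_sent',
  '2024-05-01T09:15:09Z user=alice event=push_approved',
  // carol: three prompts in two minutes, all denied, never approved. Someone
  // holds her password, but the account is not (yet) compromised.
  '2024-05-01T13:00:00Z user=carol event=push_sent',
  '2024-05-01T13:00:20Z user=carol event=push_denied',
  '2024-05-01T13:00:45Z user=carol event=push_sent',
  '2024-05-01T13:01:05Z user=carol event=push_denied',
  '2024-05-01T13:01:30Z user=carol event=push_sent',
  '2024-05-01T13:01:50Z user=carol event=push_denied',
  // bob: seven prompts in four minutes, four rejected or ignored, then one
  // approved at 22:44. This is the trace a successful fatigue attack leaves.
  '2024-05-01T22:40:00Z user=bob event=push_sent',
  '2024-05-01T22:40:31Z user=bob event=push_denied',
  '2024-05-01T22:40:35Z user=bob event=push_sent',
  '2024-05-01T22:41:35Z user=bob event=push_timeout',
  '2024-05-01T22:41:40Z user=bob event=push_sent',
  '2024-05-01T22:42:10Z user=bob event=push_denied',
  '2024-05-01T22:42:15Z user=bob event=push_sent',
  '2024-05-01T22:43:15Z user=bob event=push_timeout',
  '2024-05-01T22:43:20Z user=bob event=push_sent',
  '2024-05-01T22:43:50Z user=bob event=push_sent',
  '2024-05-01T22:43:55Z user=bob event=push_sent',
  '2024-05-01T22:44:02Z user=bob event=push_approved',
];

const LINE = /^(\S+) user=(\S+) event=(push_sent|push_denied|push_timeout|push_approved)$/;

// Parse lines into {ts (epoch seconds), user, event}, oldest first.
function parseLog(lines) {
  return lines
    .map((line) => {
      const m = LINE.exec(line);
      if (!m) throw new Error(`unrecognized log line: ${line}`);
      return { ts: Date.parse(m[1]) / 1000, user: m[2], event: m[3] };
    })
    .sort((a, b) => a.ts - b.ts);
}

// High severity: an approval preceded, within windowSec, by at least
// minPrompts prompts of which at least one was denied or timed out. A user
// who approves the first prompt never matches; one who gave in after
// refusing several times does.
function findFatigueApprovals(lines, { windowSec = 600, minPrompts = 5 } = {}) {
  const events = parseLog(lines);
  const findings = [];
  for (const approval of events) {
    if (approval.event !== 'push_approved') continue;
    const recent = events.filter(
      (e) => e.user === approval.user && e.ts <= approval.ts && approval.ts - e.ts <= windowSec,
    );
    const prompts = recent.filter((e) => e.event === 'push_sent').length;
    const rejected = recent.filter((e) => e.event === 'push_denied' || e.event === 'push_timeout').length;
    if (prompts >= minPrompts && rejected > 0) {
      findings.push({
        user: approval.user,
        approvedAt: new Date(approval.ts * 1000).toISOString(),
        prompts,
        rejected,
      });
    }
  }
  return findings;
}

// Lower severity: anyone receiving minPrompts or more prompts inside one
// window, approved or not. Returns a Map of user -> highest count seen, so a
// still-failing attack (carol) surfaces before the user gives in.
function findPromptFloods(lines, { windowSec = 600, minPrompts = 3 } = {}) {
  const sends = parseLog(lines).filter((e) => e.event === 'push_sent');
  const worst = new Map();
  for (const first of sends) {
    const n = sends.filter(
      (e) => e.user === first.user && e.ts >= first.ts && e.ts - first.ts <= windowSec,
    ).length;
    if (n >= minPrompts && n > (worst.get(first.user) || 0)) worst.set(first.user, n);
  }
  return worst;
}

console.log(findFatigueApprovals(SAMPLE_LOG)); // bob only
console.log(findPromptFloods(SAMPLE_LOG));     // bob: 7, carol: 3
```

Run against the constructed log, the first function flags only bob, whose approval came after seven prompts and four refusals; the second also surfaces carol, whose attacker is still trying. The two tiers matter in practice: the first is an incident (reset the password, revoke sessions, talk to the user), the second is a sign that a password has leaked and a reset is due before the user gets worn down.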
Consider Passkeys
Passkeys are a mechanism companies can use to authenticate users or employees through their devices, says Sean Goodwin, a principal at DenSecure by Wolf & Co. The passkey authenticates the device to the service, machine to machine, while the device itself authenticates the user locally, with a PIN or biometric, before it will use the key.
“You’re authenticating to your phone, and then your phone can authenticate you to the website you’re going to,” he says.
Passkeys are built on public key cryptography: the private key stays on the user’s device and the service stores only the matching public key, so at login the service sends a challenge and the device signs it. A company has to support passkey authentication before a user can enable it. A cursory search of the directory of passkey-enabled sites maintained by the FIDO Alliance (FIDO, for Fast Identity Online, is the industry group behind the passkey standard) shows that Bank of America Corp., Citigroup and PNC Financial Services Group are among the companies currently offering passkeys in some capacity.
One benefit of offering customers passkeys is that they defeat the common phishing attack that uses a fake web page, Goodwin says. In that attack, a customer is tricked into typing their username and password into a site that looks like their bank’s website. A passkey is bound to the domain it was registered for: the browser will not offer it to a look-alike domain, and the signed response names the origin the user was actually on, so the impersonation site has nothing to relay.
Risk-Rate Access, Including on the Cloud
Different roles and functions within a financial institution require varying levels of security and employee access. Executives need to risk-rate those roles and functions — and then make sure to reevaluate them as personnel or the technology environment changes.
“An organization needs to do an inventory of ‘What are the things that we’re accessing? How are we accessing them and what level of security do we need for each of those different tiers?’” Truitt says.
An employee who needs highly privileged access might be given two accounts, for example: an administrative account used only for the tasks that require it, and a daily operational account with fewer permissions for everything else. Or a company can issue a physical security key that an employee has to plug into their machine to authenticate. Executives may also want to consider a “zero trust” approach for access to certain systems, Sotto says.
“Zero trust means you trust no one and you trust nothing,” she says. “Each time a system reconnects to yours, you ask again for their credentials.” Zero trust means not assuming that the person or system connecting through an existing integration today is the same one as yesterday; re-authenticating at each boundary can stop an attacker who has gained a foothold on one machine from moving into another system, because they cannot authenticate to it.
One oversight Truitt encounters is misconfiguration of a cloud environment after a financial institution migrates from on-premises systems. It happens for several reasons, he says. Sometimes an institution assumes the cloud provider’s defaults are the high-security settings, when the default is actually lower and has to be configured up. Sometimes staff copy the on-premises security settings across without realizing the cloud environment has additional settings that need attention. And sometimes a service has been in the cloud for years without MFA ever being enabled, because MFA was not standard practice when the migration happened. Truitt says he still sees institutions allowing single-factor authentication for cloud-hosted email, which later figures in a breach.
“Are financial institutions going to be more secure if they enable technologies like [these] for any of their remote access? Yes,” Goodwin says. “It’s not the easiest adoption, but it certainly makes them more secure.”