Multi-Factor Authentication Beyond Phones
Most multi-factor authentication systems rely on the user's phone as the channel for receiving a code, either via SMS or via an authenticator app. This makes phone compromise particularly destructive, especially if the phone also offers email access, the typical channel for password reset requests. A simple option for preventing a stolen phone from turning directly into an account breach is to use a separate hardware device for multi-factor authentication, such as a YubiKey. In addition to protecting against phone theft, this also protects against cyberattacks targeting phones, as a hardware authenticator is vastly harder to compromise remotely than a phone is.
If SMS is used as the two-factor authentication mechanism for your staff's accounts, an attacker may even be able to break your MFA through your phone without ever having direct access to it. This is done via SIM swapping, which is a very common way for attackers to target executives or other individuals. This involves two steps. First, an attacker uses open-source intelligence to gain information about the target (the feasibility of which our Open-Source Intelligence Assessment can assess). Secondly, once that information is obtained, the attacker contacts the target's mobile provider and impersonates the target, with the goal of persuading the mobile provider to switch which SIM card is associated with the target's mobile number - for example, by falsely reporting the target's phone as stolen. Once this has happened, all SMS messages and phone calls, including MFA codes, are sent to a phone owned by the attacker. Here, again, the simplest solution is to move the MFA off the phone entirely and to a physical device like a YubiKey. Shellhex does not conduct SIM swaps as part of our security testing - they're extremely illegal - but we can advise companies on how to harden their access control to be more secure from the danger of SIM swapping.