“Aftershock” Attacks Up the Ante for Multifactor Authentication

Aftershocks, in geological terms, often occur in the vicinity of an earthquake; they can happen weeks, months, or even years after the original seismic event. Security experts warn that high-profile data breaches can also produce aftershocks, and multifactor authentication (MFA) is the best defense against these attacks.

Aftershock attacks occur when hackers use credentials obtained in previous data breaches to gain unauthorized access to user accounts. These hacking attempts are effective because users tend to reuse passwords. According to a report by TeleSign, 54 percent of consumers use five or fewer passwords for all their online accounts, and 22 percent use three or fewer.

In its fourth annual Data Breach Industry Forecast, Experian reported that credentials stolen in the 2014 Yahoo breach were sold on the dark web and later used in new attacks. Given that more than 500 million credentials were exposed in the Yahoo breach alone, Experian predicts that these aftershock attacks will continue for years to come.
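The attack pattern the two paragraphs above describe, credentials from an old breach replayed against many accounts, leaves a characteristic trace in authentication logs: one source trying many different usernames in a short window, with a handful of successes mixed in. The following detection routine is an added example written for this post, not code from Clango or from the reports it cites. The log lines, IP addresses and usernames are constructed, and the log format `<ISO timestamp> <source IP> <username> <SUCCESS|FAIL>` is an assumption.

```python
"""Detect credential-stuffing ("aftershock") sources in an auth log.

Constructed example: the log format, thresholds and sample data below are
assumptions for illustration, not a specific product's log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 sweeps six different accounts in
# six seconds (one of them succeeds); 198.51.100.2 is a real user
# retrying a single forgotten password and should not be flagged.
SAMPLE_LOG = """\
2017-03-01T10:00:01Z 203.0.113.7 alice FAIL
2017-03-01T10:00:02Z 203.0.113.7 bob FAIL
2017-03-01T10:00:03Z 203.0.113.7 carol FAIL
2017-03-01T10:00:04Z 203.0.113.7 dave SUCCESS
2017-03-01T10:00:05Z 203.0.113.7 erin FAIL
2017-03-01T10:00:06Z 203.0.113.7 frank FAIL
2017-03-01T10:05:00Z 198.51.100.2 alice FAIL
2017-03-01T10:05:30Z 198.51.100.2 alice FAIL
2017-03-01T10:06:00Z 198.51.100.2 alice SUCCESS
"""


def parse_log(text):
    """Parse '<ts> <ip> <user> <result>' lines into (datetime, ip, user, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return sorted(events)  # chronological order


def find_stuffing_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs that attempted at least `min_accounts` distinct usernames
    inside any `window`-long sliding window.

    Returns {ip: {"accounts": [...], "successes": [...]}} where "successes" lists
    the accounts that logged in successfully from a flagged source; those are
    the accounts to force a password reset and MFA enrolment on.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _, _) in enumerate(evs):
            # Every attempt from this IP within [start, start + window].
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            distinct = {e[2] for e in in_window}
            if len(distinct) >= min_accounts:
                flagged[ip] = {
                    "accounts": sorted({e[2] for e in evs}),
                    "successes": sorted({e[2] for e in evs if e[3] == "SUCCESS"}),
                }
                break  # one hit is enough to flag the source
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: tried {len(info['accounts'])} accounts, "
              f"succeeded on {info['successes']}")
```

The per-source threshold catches the noisy case; a distributed campaign that spreads attempts over many IPs will not trip it, which is why a global spike in failed logins for otherwise dormant accounts is worth alerting on as a second signal, and why the post's point stands: the durable fix is to make a reused password insufficient on its own.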

MFA provides effective protection against aftershock attacks by reducing reliance on passwords as the primary means of verifying user credentials. MFA requires two or more verification factors, chosen from something the user knows (such as a password or PIN), something the user has (such as a security token or mobile app), and/or something the user is (a biometric identifier). A number of government and industry regulations already require two-factor authentication for privileged accounts and remote access to sensitive data. However, there is growing support for authentication mechanisms that require all three factors.

Traditionally, security tokens have been the most widely used second-factor authentication method. Smart-card-based USB tokens must be plugged into a USB port, while contactless tokens may use radio frequency identification (RFID), Bluetooth Low Energy, or near field communication (NFC) protocols to transmit authentication data. More common are so-called “disconnected tokens,” which display a PIN that the user must enter manually.

Security tokens have not seen widespread adoption due to the expense. At $25 to $100 apiece, costs can quickly add up. There is also significant management overhead for IT departments, which must physically distribute tokens to new users and replace those that are lost or stolen. In addition, many security professionals question the value of security tokens, which can be vulnerable to malware and physical tampering.

Mobile apps that generate one-time passwords or PINs are increasingly popular because they leverage a user’s existing smartphone. There is no need to distribute and manage a hardware token, and the authentication data is not stored on the device or in a vendor’s database. Of course, smartphones are vulnerable to malware attacks, but experts say that’s an acceptable tradeoff for this convenient form of two-factor authentication.

Many smartphones have biometric capabilities that can support three-factor authentication. Fingerprint sensors are the most common, but there are also apps that enable voice and facial recognition using the front-facing camera and microphone built into most smartphones. Application Programming Interfaces (APIs) make it easy for developers to add biometric factors to their applications.

Though smartphones are making it easier to implement MFA, a lack of interoperable standards continues to hinder MFA adoption. In our next post, we’ll look at the efforts of the FIDO (Fast Identity Online) Alliance to advance a standards-based open protocol for online authentication.

For more information on Aftershock Attacks or MFA, please reach out to us via email at (