Why is MFA Important?

When MFA is implemented, it is much harder for an attacker to gain access to business premises and information systems such as remote access, email and billing systems, even if passwords or PINs have been compromised.

Password cracking techniques are becoming more sophisticated and high-powered computing is increasingly affordable. Attackers can also harvest credentials through phishing emails or by replaying passwords leaked from other systems (credential stuffing). Multi-factor authentication adds a layer of defence that a stolen password alone does not defeat.

How Does MFA Work?

MFA requires users to present two or more authentication factors at login to verify their identity before they are granted access. Each additional factor of a different type that a user must present increases the work an attacker has to do to impersonate that user.

A typical MFA login requires the user to present some sort of combination of the following:

  • Something you know – a password or PIN
  • Something you have – a hardware token, a smart card, or an authenticator app on a registered phone
  • Something you are – a fingerprint, iris scan or voice recognition

Enforce MFA first on Internet-facing systems such as email, remote desktop, and Virtual Private Networks (VPNs), because these are the services an attacker can reach directly with a stolen password.

MFA Authentication Methods

The most common authentication factors are described as something we know (knowledge factor), something we have (possession factor), or something we are (inherence factor). MFA works by combining two or more factors from different categories.

Knowledge factor

Knowledge-based authentication requires the user to prove that they know a secret. Knowledge factor technologies include passwords, personal identification numbers (PINs) and the answers to personal security questions. Note that a one-time password (OTP) generated by a token or an authenticator app is not a knowledge factor: the code proves possession of the device that generated it.

Typical user scenarios include the following:

  • entering a PIN after swiping a debit card at the grocery checkout (the PIN is the knowledge factor; the card is a possession factor);
  • entering a password to log in to a virtual private network client that has been provisioned with a valid digital certificate (the password is the knowledge factor; the certificate is a possession factor); and
  • providing information, such as mother’s maiden name or previous address, to gain system access (the weakest form, because such answers are often discoverable from public records or social media).

Possession factor

Users must have something specific in their possession in order to log in. This could be a hardware token, a security key, a key fob, a smart card, or even a SIM card. In mobile authentication, a registered smartphone running an OTP or push app provides the possession factor.

Possession factor authentication includes the following:

  • Hardware security tokens are small devices that hold a secret key or seed and use it to prove the holder’s identity electronically, for example by generating one-time codes or signing a challenge. The device may be a dedicated token, a smart card, a SIM card, or a USB security key.
  • A software-based security token application (a soft token) generates a single-use login code. Soft tokens are often used for mobile multi-factor authentication, in which the device itself, such as a smartphone, provides the possession factor.

Typical possession factor user scenarios include the following:

  • Mobile authentication, where users receive or generate a code on their smartphone to gain or grant access. Variations include SMS text messages and phone calls sent to the user as an out-of-band method, smartphone OTP apps, and SIM cards and smart cards with stored authentication data. SMS and voice codes are the weakest of these, because a phone number can be taken over by SIM-swap fraud and a code can be relayed in real time by a phishing page, so prefer an OTP or push app, or a hardware key, where the platform supports it; and
  • attaching a USB hardware token to a desktop that generates an OTP, or signs a challenge, and using it to log in to a VPN client.

Inherence factor

Inherence factors verify a biological or behavioural trait of the user at login. Inherence factor technologies include the following biometric verification methods:

  • retina or iris scan
  • fingerprint scan
  • voice authentication
  • hand geometry
  • handwritten signature dynamics captured by a signature pad
  • facial recognition
  • earlobe geometry

Biometric device components include a reader or sensor, a database of enrolled templates, and software that converts the scanned biometric data into a standardized digital format and compares the features of the observed sample with the stored template. Matching is probabilistic, so every system is tuned to trade false accepts against false rejects.

Typical inherence factor scenarios include the following:

  • using a fingerprint or facial recognition to unlock a smartphone;
  • providing a handwritten signature on a pad at a retail checkout; and
  • identifying an individual from earlobe geometry in forensic work.

Pros and Cons of MFA

Multi-factor authentication hardens access to systems and applications by requiring a second, independent proof of identity, enforced by the authentication software or identity provider. The goal of MFA is to authenticate the identity of users and to assure the integrity of their digital transactions. One downside of MFA is that users tend to forget the answers to the personal security questions used to verify their identity, and some users share tokens or passwords, which collapses the factors back to one.

Here are some pros and cons to MFA for you to consider:

Pros

  • Adds layers of security at the hardware, software and personal ID levels;
  • Can use OTPs generated or sent in real time that are impractical to guess, although a code typed into a phishing page can still be relayed, so only phishing-resistant methods such as hardware security keys defeat that attack;
  • Can block the large majority of automated account-compromise attacks that succeed against passwords alone; one widely cited vendor analysis puts the figure above 99.9%;
  • Can be easily set up by users, and enables businesses to restrict access by time of day or location;
  • Has scalable cost: there are expensive and highly sophisticated MFA tools, but also affordable ones for small businesses.

Cons

  • A phone is needed to receive a text message code, and a phone number can be hijacked by SIM swapping;
  • Hardware tokens can be lost or stolen;
  • Phones can be lost or stolen;
  • Biometric matching is probabilistic: a thumbprint or face template is never compared exactly, so every system produces some false accepts and false rejects;
  • MFA verification can fail during a network or Internet outage, so offline-capable methods (such as TOTP apps) and a recovery process are needed; and
  • MFA techniques must be kept current, because attackers continually develop bypasses such as real-time phishing relays and push-notification fatigue.

Multi-Factor authentication vs. Two-Factor Authentication

When authentication strategies were first introduced, the intent was to enforce security in the simplest way possible. Users were asked to provide just two forms of identification, which together told the system that they were who they said they were.

Two-factor authentication (2FA) is multi-factor authentication with exactly two factors; a bank card and PIN at an ATM is the classic example. A user ID and password, by contrast, is a single factor, because both are things you know. Today, with more data breaches and far more remote workers, a single factor is not enough, and even 2FA can be bypassed: passwords are phished or bought, card numbers and PINs are skimmed at ATMs, and SMS codes are relayed by phishing sites.

MFA in the broader sense lets an organisation add a third factor, or replace a weak factor with a stronger one such as a hardware security key or a registered device. The strength of MFA comes from the quality and independence of the factors rather than from their count alone. This is what prompted many companies and security vendors to move beyond password-plus-SMS to more hardened authentication methods.

Addressing the challenges of multifactor authentication

As with anything, MFA has its challenges. Adding factors complicates the login for users who must carry devices and remember multiple secrets. The goal is to keep the assurance of MFA while making the experience as simple as possible for users.

Here are three approaches being used to simplify MFA:

Adaptive MFA

This applies business rules or policies to contextual signals such as device, network and location to decide how much authentication to require. For example, when a user signs on to the corporate VPN from a registered laptop on their known home network, the policy engine can rate the attempt low risk and skip the prompt; the same user connecting from an unknown network, such as a coffee shop, triggers a step-up and must present the second factor. Location should be treated as one signal among several, since a source IP address is easy to change through a VPN or proxy, so the low-risk path should always also depend on a registered device.
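The following is an added example of such a policy engine, written for this article and not taken from any product. The user, device identifiers and IP ranges are constructed for the example (the ranges are documentation addresses from RFC 5737); the rules reproduce the home-versus-coffee-shop case above and add two hard stops, a blocked-country list and an impossible-travel check, that a real deployment would normally also apply.

```python
"""Adaptive (risk-based) MFA policy: decide per login whether to skip, require or refuse the second factor."""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"        # the first factor is enough for this attempt
    STEP_UP = "step_up"    # require the second factor
    DENY = "deny"          # refuse outright and raise an alert


@dataclass
class LoginContext:
    user: str
    source_ip: str
    device_id: str                 # identifier from the registered device certificate or cookie
    country: str                   # country code from IP geolocation
    last_country: Optional[str]    # country of the previous successful login, if any
    hours_since_last_login: float


# Constructed policy data for this example: hypothetical user, device and networks.
CORP_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
HOME_NETWORKS = {"alice": [ipaddress.ip_network("198.51.100.0/24")]}
REGISTERED_DEVICES = {"alice": {"laptop-7f3a"}}
BLOCKED_COUNTRIES = {"XX"}          # placeholder code for a geofenced region
IMPOSSIBLE_TRAVEL_HOURS = 2.0       # a country change faster than this is treated as hostile


def evaluate(ctx: LoginContext) -> Tuple[Decision, List[str]]:
    """Return the decision and the reasons behind it, so the audit log can explain every prompt."""
    ip = ipaddress.ip_address(ctx.source_ip)

    # Hard stops come first: geofence, then impossible travel.
    if ctx.country in BLOCKED_COUNTRIES:
        return Decision.DENY, [f"login from blocked country {ctx.country}"]
    if (ctx.last_country and ctx.last_country != ctx.country
            and ctx.hours_since_last_login < IMPOSSIBLE_TRAVEL_HOURS):
        return Decision.DENY, [f"impossible travel {ctx.last_country}->{ctx.country}"]

    # Risk signals: each one that fires forces the second factor.
    risk: List[str] = []
    if ctx.device_id not in REGISTERED_DEVICES.get(ctx.user, set()):
        risk.append("unregistered device")
    known_networks = CORP_NETWORKS + HOME_NETWORKS.get(ctx.user, [])
    if not any(ip in net for net in known_networks):
        risk.append(f"unknown network {ctx.source_ip}")

    # Only a registered device on a known network skips the prompt; a familiar
    # location on its own never waives MFA, because source IPs are easy to change.
    if risk:
        return Decision.STEP_UP, risk
    return Decision.ALLOW, ["registered device on known network"]


if __name__ == "__main__":
    for label, ctx in [
        ("home, registered laptop", LoginContext("alice", "198.51.100.20", "laptop-7f3a", "GB", "GB", 12.0)),
        ("coffee shop, registered laptop", LoginContext("alice", "192.0.2.5", "laptop-7f3a", "GB", "GB", 12.0)),
        ("home, new phone", LoginContext("alice", "198.51.100.20", "phone-0001", "GB", "GB", 12.0)),
        ("country change in 30 minutes", LoginContext("alice", "198.51.100.20", "laptop-7f3a", "GB", "US", 0.5)),
    ]:
        decision, reasons = evaluate(ctx)
        print(f"{label}: {decision.value} ({'; '.join(reasons)})")
```

Returning the reasons alongside the decision matters in practice: when a user asks why they were prompted, or an analyst reviews a denied login, the log entry carries the exact rule that fired rather than a bare verdict.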

Single sign-on (SSO)

This one-stop authentication method lets users maintain one account that logs them in to multiple applications or websites with a single set of credentials. Single sign-on works by having an identity provider establish the user’s identity once and then pass an assertion or token to each application or system that requires it. Because SSO concentrates access in that one login, the identity provider itself must enforce MFA; otherwise a single phished password unlocks every connected application.

Push authentication

This is a mobile device authentication technique in which the security system sends a sign-in request to an authenticator app on the user’s registered phone. Users who want to access a secured system enter their user ID and password; the app then receives a notification describing the attempt, and the user approves or rejects it on the device. The phone’s signed response serves as the possession factor. Push authentication simplifies MFA because the user has no code to read and retype. Its weakness is that a user can approve a request they did not initiate, which attackers exploit by sending repeated prompts until one is accepted (push fatigue); number matching, where the user must enter a number displayed on the login screen into the app, closes that gap.

MFA increases security because even if one authenticator is compromised, an unauthorized user still cannot satisfy the second requirement and cannot reach the targeted physical space or computer system.
