The Multi-Factor Authentication

The Multi-Factor Authentication

What is Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) is a method of logon verification where at least two different factors of proof are required. MFA is also referred to as 2FA, which stands for two-factor authentication. MFA helps keep protect your data (email, financial accounts, health records, etc.) or assets by adding an extra layer of security.

What Are The Types of Multi-Factor Authentication

There are generally three recognized types of authentication factors:

1. Knowledge: Something you know

Includes passwords, PINs, combinations, code words, or secret handshakes. Anything that you can remember and then type, say, do, perform, or otherwise recall when needed falls into this category.

2. Possession: Something you have

Includes all items that are physical objects, such as keys, smart phones, smart cards, USB drives, and token devices. (A token device produces a time-based PIN or can compute a response from a challenge number issued by the server.).

3. Inherence: Something you are

Includes any part of the human body that can be offered for verification, such as fingerprints, palm scanning, facial recognition, retina scans, iris scans, and voice verification.

MFA Examples

There are many different methods for verification within the four categories above, but here are the most common methods that the average user will encounter in their digital life.

1. Time-Based One-Time Password (TOTP)

A TOTP is a code, usually a 6-digit number, that is only valid for a short period of time – often thirty to sixty seconds. With this method, the user can use a password manager that stores TOTP codes or download an authenticator app to store and access these codes. After entering their password to log in to an account, the user will be prompted to enter the code to verify their identity.

This is one of the most secure forms of MFA because the codes are protected and difficult to intercept. The only way a cybercriminal can steal the code is by compromising the device on which the code is generated, by stealing it or infecting it with malware.

2. SMS text message token

This method requires the user to enter their phone number when they create an account. When the user logs in with their credentials, they will be asked to enter a code sent by SMS text to their phone. With the code, they can then log in.

This is one of the less secure methods of MFA because phone numbers for individuals are usually easy to find online. If a cybercriminal has the user’s phone number, they can use a technique called SIM swapping to intercept their SMS texts.

The advantage is that it’s a convenient method and doesn’t require the user to download a new app. Some accounts offer SMS text tokens as the only MFA method. It’s better than no MFA at all, so if it’s the only option you should still use it.

3. Email token

Email tokens are similar to SMS tokens, but they use your email address to deliver the code. Similarly, the risk of email tokens is that a cybercriminal could hack your email account in order to get access to the code. If you use this method, be sure to secure your email account with a unique, complex password in order to protect it.

4. Hardware security key

A hardware security key is a physical token. After connecting it to your accounts, you should keep it in a secure location where you won’t lose it. When you log in to your account, you will usually insert the key into a USB port or tap it on your device. Your device will sense the key and validate your identity.

This is one of the most secure methods of authentication because it’s impossible for a cybercriminal to steal it over the internet. The only way this method could be compromised is if the physical key was stolen.

5. Biometric authentication

Biometric authentication validates your identity via facial recognition, fingerprint scan or iris scan. When first setting up biometric authentication, the user will register their fingerprint or facial scan with the device. Then the system will compare future scans to the first one to verify your identity.

Because everyone has a unique fingerprint and face, this can be quite secure. Fingerprints and facial recognition are already used widely on personal devices for login identification. It’s also often used as an MFA method for apps, commonly for banking or other apps with sensitive data. Biometrics are usually stored locally on the device to protect them.

The disadvantage of biometric authentication is if the user’s biometric information is leaked, it’s impossible to reset it like you would reset a password. If someone’s fingerprint is ever compromised, they should never use fingerprint scans as a method of authentication again. This is why it’s typically used as a second factor, or used as a convenient bypass to a code login (such as on your phone), and not as a primary identification factor.

6. Security questions

Security questions are often used to verbally confirm your identity, such as on the phone with your bank, but they are used digitally as well. If you choose to use security questions, be sure that the answer is truly confidential. It’s all too common for people to choose security questions that are easy to guess by looking up their online digital footprint. For example the answer to a question like “What is your dog’s name?” could easily be found on a user’s social media accounts. A common technique to prevent cybercriminals from finding the answer is providing fake answers that no one could ever guess. Just be sure to remember your fake answers!

7. Risk-based authentication

Risk-based authentication, or adaptive authentication, is the practice of changing the authentication required for access based on the level of risk. Risk-based authentication accounts for the human element. If users have to use multiple methods of authentication for every login, they can become frustrated. That may lead them to disable the MFA which leaves their account less protected.

With risk-based authentication, for example, an account may not require MFA when the user logs in on their work device, but would prompt the user for MFA when logging in on a different device. This means the user will get prompted for MFA less often, but a cybercriminal trying to hack into the account from their own computer would still get prompted for MFA.

How it works

By combining two or three factors from these three categories, a multi-factor authentication is crafted. Multi-factor authentication is preferred, as it is much more difficult for an intruder to overcome. With just a password, an attacker only has to have a single attack skill and wage a single successful attack to impersonate the victim. With multi-factor authentication, the attack must have multiple attack skills and wage multiple successful attacks simultaneously in order to impersonate the victim. This is extremely difficult and, thus, a more resilient logon solution.

© 2024 - Sofiane Hamlaooui - Making the world a better place 🌎