Skip to main content

Multifactor Authentication


Multifactor authentication (MFA) is a security technology that requires multiple methods of authentication from independent categories of credentials to verify a user's identity for a login or other transaction. Multifactor authentication combines two or more independent credentials: what the user knows, such as a password; what the user has, such as a security token; and what the user is, by using biometric verification methods.

The goal of MFA is to create a layered defense that makes it more difficult for an unauthorized person to access a target, such as a physical location, computing device, network or database. If one factor is compromised or broken, the attacker still has at least one or more barriers to breach before successfully breaking into the target.

In the past, MFA systems typically relied on two-factor authentication (2FA). Increasingly, vendors are using the label multifactor to describe any authentication scheme that requires two or more identity credentials to decrease the possibility of a cyber-attack. Multifactor authentication is a core component of an identity and access management framework.

Why is multifactor authentication important?

One of the biggest shortcomings of traditional user ID and password logins is that passwords can be easily compromised, potentially costing organizations millions of dollars. Brute-force attacks are also a real threat, as bad actors can use automated password cracking tools to guess various combinations of usernames and passwords until they find the right sequence. Although locking an account after a certain number of incorrect login attempts can help protect an organization, hackers have numerous other methods for system access. This is why multifactor authentication is so important, as it can help reduce security risks.

MFA authentication methods

An authentication factor is a category of credential used for identity verification. For MFA, each additional factor is intended to increase the assurance that an entity involved in some kind of communication or requesting access to a system is who -- or what -- it says it is. The use of multiple forms of authentication can help make a hacker's job more difficult.

The three most common categories, or authentication factors, are often described as something you know, or the knowledge factor; something you have, or the possession factor; and something you are, or the inherence factor. MFA works by combining two or more factors from these categories.

Knowledge factor. Knowledge-based authentication typically requires the user to answer a personal security question. Knowledge factor technologies generally include passwords, four-digit personal identification numbers (PINs) and one-time passwords (OTPs). Typical user scenarios include the following:

  • swiping a debit card and entering a PIN at the grocery checkout;
  • downloading a virtual private network client with a valid digital certificate and logging in to the VPN before gaining access to a network; and
  • providing information, such as mother's maiden name or previous address, to gain system access.

Possession factor. Users must have something specific in their possession in order to log in, such as a badge, token, key fob or phone subscriber identity module (SIM) card. For mobile authentication, a smartphone often provides the possession factor in conjunction with an OTP app.

Possession factor technologies include the following:

  • Security tokens are small hardware devices that store a user's personal information and are used to authenticate that person's identity electronically. The device may be a smart card, an embedded chip in an object, such as a Universal Serial Bus (USB) drive, or a wireless tag.
  • A software-based security token application generates a single-use login PIN. Soft tokens are often used for mobile multifactor authentication, in which the device itself -- such as a smartphone -- provides the possession factor authentication.

Typical possession factor user scenarios include the following:

  • mobile authentication, where users receive a code via their smartphone to gain or grant access -- variations include text messages and phone calls sent to a user as an out-of-band method, smartphone OTP apps, SIM cards and smart cards with stored authentication data; and
  • attaching a USB hardware token to a desktop that generates an OTP and using it to log in to a VPN client.

Inherence factor. Any biological traits the user has that are confirmed for login. Inherence factor technologies include the following biometric verification methods:

  • retina or iris scan
  • fingerprint scan
  • voice authentication
  • hand geometry
  • digital signature scanners
  • facial recognition
  • earlobe geometry

Biometric device components include a reader, a database and software to convert the scanned biometric data into a standardized digital format and to compare match points of the observed data with stored data.

Typical inherence factor scenarios include the following:

  • using a fingerprint or facial recognition to access a smartphone;
  • providing a digital signature at a retail checkout; and
  • identifying a criminal using earlobe geometry.

User location is often suggested as a fourth factor for authentication. Again, the ubiquity of smartphones can help ease the authentication burden: Users typically carry their phones, and all basic smartphones have Global Positioning System tracking, providing credible confirmation of the login location.

Time-based authentication is also used to prove a person's identity by detecting presence at a specific time of day and granting access to a certain system or location. For example, bank customers cannot physically use their ATM card in the U.S. and then in Russia 15 minutes later. These types of logical locks can be used to help prevent many cases of online bank fraud.

Pros and cons of MFA

Multifactor authentication was introduced to harden security access to systems and applications through hardware and software. The goal was to authenticate the identity of users and to assure the integrity of their digital transactions. The downside to MFA is that users often forget the answers to the personal questions that verify their identity, and some users share personal ID tokens and passwords. MFA has other benefits and disadvantages.

Pros

  • adds layers of security at the hardware, software and personal ID levels;
  • can use OTPs sent to phones that are randomly generated in real time and is difficult for hackers to break;
  • can reduce security breaches by up to 99.9% over passwords alone;
  • can be easily set up by users;
  • enables businesses to opt to restrict access for time of day or location; and
  • has scalable cost, as there are expensive and highly sophisticated MFA tools but also more affordable ones for small businesses.

Cons

  • a phone is needed to get a text message code;
  • hardware tokens can get lost or stolen;
  • phones can get lost or stolen;
  • the biometric data calculated by MFA algorithms for personal IDs, such as thumbprints, are not always accurate and can create false positives or negatives;
  • MFA verification can fail if there is a network or internet outage; and
  • MFA techniques must constantly be upgraded to protect against criminals who work incessantly to break them.

Multifactor authentication vs. two-factor authentication

When authentication strategies were first introduced, the intent was to enforce security but to also keep it as simple as possible. Users were asked to supply only two forms of security keys that would inform a system that they were authentic and authorized users. Common forms of 2FA were user ID and password or automated teller machine (ATM) bank card and PIN.

Unfortunately, hackers quickly discovered ways to buy or break passwords or to skim debit cards at ATMs. This prompted companies and security vendors to look for more hardened forms of user authentication that used additional security factors for verification.

Making MFA easier

Adding security factors to MFA further complicates ease of use for users who must remember multiple passwords. Consequently, the goal of MFA is to simplify MFA techniques for users. Here are three approaches being used to simplify MFA:

  1. Adaptive MFA. This applies knowledge, business rules or policies to user-based factors, such as device or location. For example, a corporate VPN knows that it is OK for a user to sign on from home because it sees the user's location and can determine the risk of misuse or compromise. But an employee who accesses the VPN from a coffee shop will trigger the system and be required to enter MFA credentials.
  2. Single sign-on (SSO). This one-stop authentication method enables users to maintain one account that automatically logs them in to multiple applications or websites with a single ID and password. SSO works by establishing the user's identity and then sharing this information with each application or system that requires it.
  3. Push authentication. This is an automated mobile device authentication technique where the security system automatically issues a third, single-use identification code to the user's mobile device. For example, users who want to access a secured system enter their user ID and password and a security system automatically issues a third, single-use identification code to their mobile device. Users enter that code into the system to gain access. Push authentication simplifies MFA by providing users with a third code, eliminating the need to remember it.

Comments

Post a Comment

Popular posts from this blog

Understanding the Evolution: AI, ML, Deep Learning, and Gen AI

In the ever-evolving landscape of artificial intelligence (AI) and machine learning (ML), one of the most intriguing advancements is the emergence of General AI (Gen AI). To grasp its significance, it's essential to first distinguish between these interconnected but distinct technologies. AI, ML, and Deep Learning: The Building Blocks Artificial Intelligence refers to the simulation of human intelligence in machines that are programmed to think like humans and mimic their actions. Machine Learning, a subset of AI, empowers machines to learn from data and improve over time without explicit programming. Deep Learning, a specialized subset of ML, involves neural networks with many layers (hence "deep"), capable of learning intricate patterns from vast amounts of data. Enter General AI (Gen AI): Unraveling the Next Frontier Unlike traditional AI systems that excel in specific tasks (narrow AI), General AI aims to replicate human cognitive abilities across various domains. I...
Post a Comment
Read more

Normalization of Database

Database Normalisation is a technique of organizing the data in the database. Normalization is a systematic approach of decomposing tables to eliminate data redundancy and undesirable characteristics like Insertion, Update and Deletion Anamolies. It is a multi-step process that puts data into tabular form by removing duplicated data from the relation tables. Normalization is used for mainly two purpose, Eliminating reduntant(useless) data. Ensuring data dependencies make sense i.e data is logically stored. Problem Without Normalization Without Normalization, it becomes difficult to handle and update the database, without facing data loss. Insertion, Updation and Deletion Anamolies are very frequent if Database is not Normalized. To understand these anomalies let us take an example of  Student  table. S_id S_Name S_Address Subject_opted 401 Adam Noida Bio 402 Alex Panipat Maths 403 Stuart Jammu Maths 404 Adam Noida Physics Updation Anamoly :  To upda...
Post a Comment
Read more

How to deal with a toxic working environment

Handling a toxic working environment can be challenging, but there are steps you can take to address the situation and improve your experience at work: Recognize the Signs : Identify the specific behaviors or situations that contribute to the toxicity in your workplace. This could include bullying, harassment, micromanagement, negativity, or lack of support from management. Maintain Boundaries : Set boundaries to protect your mental and emotional well-being. This may involve limiting interactions with toxic individuals, avoiding gossip or negative conversations, and prioritizing self-care outside of work. Seek Support : Reach out to trusted colleagues, friends, or family members for support and advice. Sharing your experiences with others can help you feel less isolated and provide perspective on the situation. Document Incidents : Keep a record of any incidents or behaviors that contribute to the toxic environment, including dates, times, and specific details. This documentation may b...
Post a Comment
Read more