Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to confirm their identity before they can access a network, asset, or application. MFA verification factors consist of something the user has, something the user knows, something the user is, and where the user is. Requiring two or more of these factors increases the difficulty of impersonating an authorized user or gaining access to a protected location, device, network, or application.
Why is MFA needed?
According to the 2020 Verizon Data Breach Investigations Report (DBIR), 80% of hacking-related [1]At a high level, Hacking can be viewed as falling into three distinct groups: 1) those utilizing stolen or brute-forced credentials; 2) those exploiting vulnerabilities; and 3) attacks using … Continue reading breaches studied involved Brute force or the use of lost or stolen credentials.
Authentication by usernames and passwords alone has long been exploited by attackers. Users tend to use passwords that are easy to remember, which can lead to passwords that are easy for an attacker or unauthorized user to guess. Password reuse is also an issue, since once a password is compromised by social engineering, hacking, phishing, or malware, an attacker can use it to access any asset it’s valid for. Multi-factor Authentication can be effective because it raises the barrier of entry for the attacker, they now need additional credentials they are unlikely to have.
Types of Multi Factor Authentication Methods
There are 4 types of credentials used for MFA: Possession, Knowledge, Inherent, and Location.
Possession: Something you have
- A One-Time Password (OTP) that is generated by a smartphone application or other device.
- A Security Token such as a Smart card, USB device, proximity\RFID card, or keyfob
- Software tokens or certificates
Knowledge: Something you know
- Passwords
- Personal Identification Numbers (PIN), Transaction Identification Numbers (TAN)
- Security Questions
Inherent: Something you are
- Biometrics (fingerprint, eye iris, voice, facial recognition, typing speed and patterns)
Location: Somewhere you are
- GPS Coordinates
- Network parameters\network metadata
- Device recognition
- Historical\contextual data
Common MFA Implementations
The most commonly encountered form of MFA is Two-Factor Authentication, or 2FA. As its name suggests, it uses two factors to confirm the identity of the user. These can be any of the 4 factors, but the most common are knowledge and possession, using the combination of the users password and an OTP. This OTP is supplied from a Physical Token, a Time Based Application on a smartphone, and in some legacy systems as an Email/SMS Token[2]Note That Email\SMS as a 2nd Factor is better than not using MFA at all, other forms of MFA are more secure and preferred – NIST Restricted Authenticators, NIST OOBA Considerations.
Should you use MFA?
In all cases where MFA can be implemented, we strongly recommend doing so. Password authentication alone can be easily bypassed by social engineering, phishing, brute force, or by simply guessing weak passwords. Many websites and cloud services now offer an MFA option that can be enabled on user accounts, and there are several MFA authentication options to secure devices and networks as well.
If you are interested in implementing an MFA solution for your business or organization, contact us today and let’s start a discussion.
References
| ↑1 | At a high level, Hacking can be viewed as falling into three distinct groups: 1) those utilizing stolen or brute-forced credentials; 2) those exploiting vulnerabilities; and 3) attacks using backdoors and Command and Control (C2) functionality. – 2020 Verizon DBIR |
|---|---|
| ↑2 | Note That Email\SMS as a 2nd Factor is better than not using MFA at all, other forms of MFA are more secure and preferred – NIST Restricted Authenticators, NIST OOBA Considerations |
