Multi-factor authentication, or MFA, is a method of account access security that requires users to verify their identity in two or more ways to be able to sign in. This is much more secure than the traditional sign-on approach that only requires one method of authentication – usually a password.
LastPass’s SMB Guide to Modern Identity found that, on average, employees manage over 100 separate corporate accounts. Because of this, a lot of people tend to be guilty of using the same password for multiple accounts, or using a weak or memorable phrase to make it easier to keep on top of. Recent studies have consistently found “password”, “qwerty” and “123456” to be amongst the most common passwords, with sports, names and foods also being popular choices. Unfortunately, this means that hackers can easily gain access to an account, either by trying common passwords or doing a little digging into the user’s background to make a more educated guess, or through carrying out more sophisticated phishing attacks. In these attacks, the bad actor send an email posing as a trustworthy source to trick the user into giving away sensitive or confidential information. Once they’ve cracked the password, the hacker can access critical company data and use this to carry out further malicious exploits, such as business email compromise (BEC) attacks, or spreading malware.
MFA eliminates this risk by asking the user for further proof of identity. This means that even if a hacker discovers a user’s password, they won’t be able to get into the account because the it’s protected by a second layer of security. There are three main methods of verification used in MFA after a user has entered their login credentials. These involve something the user knows, something they have, or something they are.
In this article, we’ll cover these three verification methods in more detail, exploring how they work and giving examples for each.
Something You Know
The first factor of authentication is called knowledge-based authentication (KBA), and involves something the user knows. This could be a second password, a PIN, or the answer to a security question. Security questions and their static answers are usually set up when the user creates the account. They’re also often used as a means of account recovery, to verify a user’s identity if they’ve forgotten their password.
Dynamic KBA is more secure than static KBA. In this authentication method, the security questions are generated in real-time and based on data records that are regularly updated, like credit transactions. This makes it more difficult for a hacker to find out the answer to the questions, as they’ll need access to the database that the questions are generated from. With static KBA, the hacker may only need to find out the name of the user’s pet.
Something You Have
The second method of authentication is via something that the user has. This could be an object such as a key or a smartcard, that lets the user into a physical location. However, for digital accounts, it usually involves a token that generates a one-time password (OTP). There are three types of token authentication that are the most commonly used, and each has its own strengths and weaknesses:
- SMS token authentication is when the organization sends a PIN number to a user via a text message. The user then enters the PIN as a OTP to gain access to their account. This is particularly useful for organizations whose employees often need to access their accounts from a cellphone, either because they work off-site or have to travel as a part of their role. However, it doesn’t only work for employees on the go – users can also receive SMS tokens to access accounts via a desktop. It’s easy to implement, but has the drawback that the user must have them phone on them for it to work. It’s also possible for hackers to use powerful cellphone tracking software to tap into a user’s phone and monitor that user’s mobile activity without them knowing. This includes having their text messages sent directly to the attacker.
- Email token authentication works similarly to SMS authentication, in that a PIN is sent to the user’s email address. This provides a slightly more secure layer of protection than SMS token authentication, because the user has to log in to their email account to access the OTP – although this does mean that it takes the use longer to access the account they’re trying to log in to. Email token authentication also means that organizations don’t have to rely on the employee having their phone on them; users can access the OTP from any device that can receive emails.
- Software token authentication requires the user to verify their identity via an app on a smartphone or tablet. When prompted for their OTP, the user opens the app, which gives them a time-restricted PIN to enter. Most authenticator apps generate a new PIN every minute, which means that it’s much harder for a hacker to retrieve this information than an SMS token. The only downfall of this authentication method is that it relies on the user having a smart device to install the app. Personal devices tend to have fewer security measures in place, so this introduces a risk to enterprise accounts should the device be lost, stolen or hacked. One way to get around this is to make sure that employees only access their accounts though corporate-issued devices, but this can be an expensive solution that not all businesses can afford. Another solution is to make sure that the organization has a record of every employee using a personal device to sign in to any corporate accounts (including messaging apps like Teams). Android and iOS smartphones include a work profile feature that separates personal and corporate apps. The organization manages the corporate-use apps, while the employee’s personal apps remain private. It also ensures that personal apps like WhatsApp can’t retrieve data from apps in the device’s work profile.
Something You Are
Last, but certainly not least, we have biometric authentication, which is based on something that the user is. This is the most secure authentication method, because it’s the most difficult type of data for a hacker to steal: finding out the names of someone’s relatives only takes a quick search of their social media profile, but you’d need to be a lot more savvy in your thievery to steal their fingerprints or a scan of their retina without them noticing!
For biometric authentication to work, the user needs to own a smart device or computer that allows for biometric scanning. This could be a fingerprint scanner, or voice or facial recognition capabilities. A lot of modern smart devices have these built in, like asking a user to scan their fingerprint to unlock the device or enter saved financial information for online shopping. This means that most users are already used to using this type of technology. Some, though, won’t be, so it’s important to make sure that your employees are comfortable with using their biometric data to sign in.
You also need to be aware of how your employees’ data is being stored and protected. Some smart devices only store biometric data in the device itself. This means that, if the personal device is stolen, a hacker could crack the biometric controls by guessing the device’s password and adding their own fingerprint to it. If your organization is issuing corporate devices to mitigate that risk, you need to be able to ensure complete security of your employees’ sensitive data to help reassure anyone that is wary of having it stored in a database (and potentially stolen).
Biometric authentication is quicker than having to wait for a code to be sent or generated and the user doesn’t have to remember any pesky passwords. However, as with software token authentication, this method requires the user to have an up-to-date smart device that either has the technology built in or the capability to download a biometric authenticator app.
Each of these multi-factor authentication methods have their own strengths, and some are better suited to certain industries than others. SMS token authentication, for example, works for just about any user and is easy to roll out across large numbers of users, but isn’t as secure as biometric authentication. Biometric authentication is the most secure, but it also requires the organization to have tighter security measures in place to protect its employees’ sensitive information. It’s important that you consider the security risks facing your organization, and use this information to help you decide the level of MFA needed to protect your network.
That might sound a little complicated, but worry not – we’ve put together a comparison of the best multi-factor authentication solutions on the market to help you get started.