MFA (Multi-factor Authentication) is a method to ensure authorized access to a file or application. MFA requires the user to provide two or more verification factors to gain access to a resource. MFA should be a basic component of any security policy. MFA doesn’t limit attempted access to the use of a username and password. It also requires one or more additional verification factors, which decreases the likelihood of unauthorized use or cyberattack.
The primary benefit of MFA is it will improve an organization’s security by requiring users to identify themselves further than just a username and password. Usernames and passwords are crucial but can be vulnerable to brute force attacks and can always be stolen by a third party. Incorporating the use of an MFA factor such as a thumbprint, additional questions, or physical hardware key means increased confidence that your organization will stay safe from cybercriminals.
The Mechanics of MFA
The MFA process requires additional information (factors) that only the authorized user has. The most common addition that users meet is one-time passwords (OTP). These are usually 4-8 digit codes that users receive via email, SMS text, or some sort of mobile app. A new code is usually created each time an authentication request is submitted. The code is generated based upon a seed value that had been previously assigned to the user when they first registered plus another factor which may simply be a counter that is incremented or even just a time value.
Primary MFA Authentication Methods
The three most common additions for MFA:
- Things users know, such as a password or PIN
- Things users have, such as a badge or smartphone
- Things users are (state of being, such as a biometric like fingerprints or voice recognition)
Examples of MFA
One or more of the following methods can be used for MFA:
KNOWLEDGE
- The answers to personal security questions (e.g. Mother’s maiden name, father’s middle name)
- A strong password (8+ characters using upper & lower case letters, numbers, and symbols)
POSSESSION
- An OTP created by an app on a smartphone
- An OTP sent via text or email
- A company-supplied access badge, USB device, Smart Card, or fob.
- Software tokens and certificates
STATE OF BEING
- Facial Recognition, Iris or retina scanning, fingerprints, voice recognition
- Other Biometrics (Finger or hand geometry, body shape, heart rate)
- Behavior
MFA or Two-Factor Authentication (2FA)?
The two terms are often used interchangeably but two-factor authentication (2FA) is a part of MFA except that 2FA limits the number of factors required to only two factors, while MFA can be two or more. (Password, iris scan, and fingerprints)
More Complex Forms of Multi-Factor Authentication
As MFA integrates artificial intelligence (AI) and machine learning, MFA methods can be more complex including:
LOCATION
Location-based MFA can look at an attempted user’s IP address and sometimes even their physical location. This information can be used to block access if their location information does not match what is specified in a profile. The location also could be used as an additional form of authentication using other factors such as a password or OTP to confirm the user’s identity. An example of this would be when an attempted user tries to log in from a public WiFi such as a Cyber Café or library. Is this a usual or allowed procedure?
ADAPTIVE AUTHENTICATION
Adaptive Authentication looks at additional factors and considers both context and behavior uses these items to allow or block access. For example:
- Where is the user (home, car, public WiFi) when trying to access information?
- Time of attempted access to secure company information? During normal working hours or “off hours”?
- Type of device is used? Is it the same one used yesterday? Smartphone, personal laptop or office computer
- Public WiFi or private network?
A Level of Risk can then be calculated based upon the answers to these questions and then this can determine whether or not a user will be allowed to log in or be prompted for an additional authentication factor. The industry term for this additional security is risk-based authentication.
MFA in the Cloud Environment
As the use of Cloud Computing expands, MFA becomes even more important. Especially in the age of the pandemic and its “working remotely” requirement. Companies can no longer rely upon an employee or user being physically on the same network as a system or security factor. Additional security needs to be installed ensuring that those accessing the systems are permitted users. Users and employees may need access anytime and from any place. MFA can help Hosts safeguard that users are who they say they are by prompting for additional authentication. These are more difficult for hackers to imitate or use brute force methods to crack.
Cybercriminals spend their lives trying to steal information and a positive and compulsory MFA strategy is the best defense against them.
Contact a 10X Consulting Group team member by calling 704-931-1056 to help you develop an effective data security plan that will save your company time, headaches, and money in the future.