Traditional user ID and password logins are an outdated method of safeguarding access to data.
To ensure that logins, transactions and any other access requests are genuine and legitimate, it is essential to have several layers of verification. That way, if one layer is compromised the unauthorized person seeking access to a device, network, database or physical location still has one or more layers to breach.
Without MFA, cyber criminals can easily bypass a security system and cause organizations and individuals to incur severe losses.
What is multi-factor authentication and why is it important?
This method of protection is known as multifactor authentication (MFA) and it is at the heart of identity and access management systems.
Rather than just entering a password or personal identification number (PIN), MFA requires two or more types of authentication from separate categories of credentials to ensure that the login or transaction request is from a trusted source.
Previously, security technology systems that comprised two layers of protection were known as two-factor authentication (2FA) systems. Nowadays, the term MFA is preferred for denoting an authentication system utilizing at least two credential signifiers to confirm the user’s identity.
MFA is important as cyber-attacks and online scams are on the rise, costing consumers and organizations huge sums of money. It’s all too easy for an attacker to use sophisticated password cracking tools, or other brute force methods, to gain unrestricted access and do serious damage.
Having an MFA system in place significantly reduces this security risk, with Microsoft estimating it limits the likelihood of unauthorized access by as much as 99 percent.
How does multifactor authentication work?
The types of credentials used by MFA systems can be broken down into three categories:
- What the user knows
- What the user has
- Who the user resembles
This often takes the form of a personal question that only a legitimate user would know the answer to, such as their mother’s maiden name, a PIN, or a one-time password (OTP).
This is a form of protection that is familiar to just about anyone that has used a bank card or has a social media account.
As well as knowing the PIN, to access funds on a bank account from an ATM you typically need the bank card. This is also a form of possession-based authentication.
Other forms include a key fob, token, or phone SIM card. The latter is becoming increasingly common for online transactions and login requests, whereby a person’s smartphone receives an OTP or code that serves as verification.
Security tokens, meanwhile, perform much the same function but take the form of, for example, a Universal Serial Bus (USB) drive or a wireless tag.
This refers to the physical characteristics of the user and is otherwise known as biometric verification methods. Multifactor authentication examples of this form include retina, fingerprint and digital signature scans, voice authentication, facial recognition, and hand and earlobe geometry.
Many smartphones now come with this capacity, otherwise it’s possible to download a multifactor authentication app that includes biometric traits. The user must initially provide certain biometric information, their fingerprint for instance, and this information is then stored and used as the reference point for future login attempts.
Other multifactor authentication examples
User location is another method adopted in MFA systems. It relies on GPS tracking from the user’s smartphone or their IP address to confirm that the login request is legitimate. If, for example, there is no need for an authorized user in a team that’s based in the US to access shared data from Europe, then it’s possible to simply exclude login attempts from outwith the US.
Another method used in MFA systems is time-based authentication. For example, someone can’t use their bank card at an ATM in the US and then do the same 20 minutes later in the UK. As such, banks make use of time-based authentication to prevent fraud.
Advantages and disadvantages of multifactor authentication
Every security system is imperfect. MFA helps restrict access to data and networks, but there are also drawbacks to be aware of.
- Provides extra layers of security
- Easy to set up
- Real-time OTPs are difficult to crack
- Allows organizations to restrict access based on the user’s location and the time of the requests
- Scalable options, from basic MFA systems to highly sophisticated setups
- Phones, tokens and key fobs can all be lost or stolen
- Users often forget their PIN, password and answers to security questions
- Users sometimes share PINs, passwords and answers to security questions
- The user must have their smartphone, device, key fob or token on them at all times
- Biometric data are not always accurate
Overcoming the weaknesses of MFA
MFA is a balancing act between system security and simplicity for the user. If the MFA is too complicated, it will frequently restrict access for legitimate users.
To simplify MFA without compromising on security, the following three approaches are being increasingly adopted.
1. Adaptive MFA
Adaptive MFA is not as rigid as standard MFA systems. Certain locations or times could exempt the user from having to enter their credentials. For instance, logging in from home would be acceptable but an attempt from a public location that’s never been used for a login before would trigger an authentication request.
2. Single sign-on (SSO)
SSO allows users to log in to multiple accounts or applications in one go. After verifying the user’s identity, SSO informs the other restricted access points that the request is legitimate. As with Adaptive MFA, this means the user doesn’t have to enter their credentials multiple times.
3. Push authentication
Typically used with smartphones, push authentications work by sending a single-use code to the user’s device. After entering their user ID and password, they automatically receive a code that they must enter to gain access. This reduces the number of codes and passwords that the user has to remember.
Setting up MFA for your business and customers
If your organization is yet to adopt an MFA strategy to protect your data and that of your customers, or you’re thinking of an upgrade, get in touch with us at Vertikal 6 for a free strategy session to discuss your needs.