Multi-factor authentication also commonly known as MFA is an authentication process where more than one authentication mechanism is incorporated. A common implementation of MFA is the 2FA, which stands for 2-factor authentication. In a 2FA, two different authentication mechanisms are combined to successfully authenticate a user.
A common way to implement MFA is by providing-
- Something that the user knows: username and password
- Something that the user has: security token
- Something that you are: fingerprint
Many security driven applications today offer an optional 2FA mechanism which is used to allow a user to login to the desired application only after providing username/password combination, and another credential such as a token or a fingerprint.
As per PCI (Payment Card Industry) Data Security Standard, a card-driven environment, requires a multi-factor authentication for all connections outside the network or originating from a remote network.
Types of Multi-Factor Authentication:
MFA can be implemented in several ways. The most common method includes an initial password-based authentication followed by another authentication mechanism. The different types of MFA which can be incorporated are:
- SMS Verification:
- App-generated code:
- Physical tokens or authentication keys:
- App-based authentication
- Email Based system:
This method is similar to how an OTP (One-Time Password) works. The first time you use a service, you will be prompted to register a valid mobile number. For the subsequent transaction, a passcode will be sent on your registered phone. The passcode needs to be used while accessing the service, and a new passcode will be generated each time you login. This helps in keeping the system safe so long as the phone is safe.
There are few downsides to this method. In case the phone is misplaced or stolen, there is no way the user can be authenticated. If stolen, this can be potentially misused. This requires the phone to be always available and having network range to receive an SMS. SMS verification can also be susceptible to SIM swap attacks which can occur owing to flaws in the cellular network.
Examples of app generated code are Google authenticator and Authy. The advantage of using this method is, your phone does not always have to remain connected to a network. For some reason, if your phone faces a network issue, this can still work. One can install the app, scan the code the first time and the app will generate a new code every 30 seconds or 60 seconds each time you need an access to the application.
The "seed" used by the app to generate the code is stored on your device. So even if someone knows your phone number or intercepts the messages, this cannot be hacked. The downside of this method can also cause misuse if your mobile device is stolen or lost. Another issue is the nuisance of setting up the application code each time you acquire a new mobile device.
Many companies are creating a U2F (Universal 2 Factor) physical token to improve security. This needs to be placed on the USB port and simply press a button on it. The advantage is that the user does not have to type the access code. In future, these devices will work over Bluetooth or alternate technology to ensure removal of USB port dependency.
This is a better approach as compared to SMS verification since the one-time code cannot be intercepted. In case you happen to access a phishing site, the access code typed on the page can be easily captured and used to gain access to a real website. However, with a physical token, there is no user intervention. The physical authentication key works with the browser directly and the browser ensures it's communicating with a real website. So a phishing site attack can be avoided. This still has some areas to be considered such as a scenario where the physical key is misplaced or stolen. Similarly, there can be an issue in case of using more than one service which supports physical tokens.
In app-based authentication, the user does not have to provide an access token every time. So long as a certain app is available on your phone or device, you can continue accessing the services. Google offers a code-less authentication so long as the Google app is installed over the phone. In case you access Google services from another device, then you just need to tap a button on your phone.
A similar approach is used by Apple which does verification not at the app level, but at the iOS level. In case the user chooses to log in from a new device, a one-time use code is sent over the registered device such as iPhone or iPad. Such a method requires less user intervention and maintenance.
Another way to authenticate is by using the email based system. For instance, Steam Guard will prompt you to enter an OTP (One-time password) which is sent over email whenever a user logs in from a new device. This is not a very secure and convenient approach. However, there are applications which use email based system as part of MFA.
Benefits of Using Multi-Factor authentication:
- Security - MFA plays a key role in the security of systems. The multiple authentication channels make the system secure and keep it free from hackers. It serves as an added protection and eliminates the risk of intruders gaining access to the systems.
- Compliance – Certain businesses have a prerequisite of having provisioning for MFA. Few compliance guidelines such as PCI requires Multi-factor authentication/
- Flexibility and Productivity – Using an MFA, ensures robustness and flexibility of environment. A single password can be risky in several scenarios. In such cases having an MFA not only secures the system but also helps in improving the productivity.
Popular apps and services which support MFA:
Several popular apps have implemented 2FA (Two-factor Authentication) for additional security. Most of these by default have only single authentication enabled, however at any point 2FA can be enabled from the app Security Settings.
2FA is commonly used authentication mechanism by several apps and services. Few of these are- Google (Gmail), Facebook, Twitter, Instagram, Whatsup, Apple, Microsoft, Amazon, Yahoo, LinkedIn, Snapchat, Reddit, Pinterest, Slack, Dropbox, Evernote, Venmo, PayPal, TeamViewer, Tumblr, WordPress, GoDaddy and several others.
There are several apps which are migrating to MFA, to ensure better security and prevent any kind of data breach. Few of the popular services using MFA are – Amazon AWS, Microsoft Azure, and Rackspace.
Top MFA products include – CA Strong Authentication, Okta Verify, Quest Software's Defender, RSA Authentication Manager with RSA SecurID, SafeNet Authentication Service, SecureAuth IdP, Symantec Validation and ID protection service, Vasco IDENTIKEY Server and DIGIPASS.
Challenges of using Multi-Factor authentication:
- Cost- Based on the business, implementing an MFA could be costly. This is an additional layer of protection and would have an extra cost attached to it. Along with implementation cost, the support, tech guidelines and training needs to be provided which would also have a separate cost.
- Usability and Maintenance – In most cases, the password authentication is considered as the basic and there are sets of authentication factors which are implemented as additional. So the user needs to maintain password as per company policies as well as maintain the other authentication mechanisms.
- Complexity - In most cases, for small organizations, this is considered as complex and requires special technical expertise to handle multi-factor authentication. There is complexity in terms of migration, deployment, support, and maintenance.
- Backup – In cases where a separate device such as mobile is used to generate a token, if the device is lost then it is practically impossible to gain access. This would require some kind of a support to again set up the authentication mechanism.
- Knowledge – Any organization before implementing an MFA, should have technical expertise and evaluate the various feasible options to implement MFA. There are multiple ways and methods to implement MFA and requires a detailed understanding of the company’s infrastructure.