Multi-Factor Authentication (MFA) is a security control that requires users to present at least two independent pieces of evidence (factors) from different categories in order to gain access to information, systems, or applications.
The factor categories are:
- Something you know (password, PIN, etc.)
- Something you are (fingerprint, voice, etc.)
- Something you have (smart card, badge, hardware token, phone with an authenticator app, etc.)
With MFA, entering two different passwords would not count as a second factor, as both fall under the same category (something you know).
Taking Security to the Next Level
Let’s go through a process you may be familiar with: logging into your online bank account. Typically, a user navigates to their bank’s website and types in a username and password, which logs them in. For an attacker who has already obtained that password (through a data breach, a phishing page, or password reuse), a password-only login is the ideal scenario.
However, the attacker may not know that the account now requires a second factor to sign in: a one-time code delivered by text message (SMS). This form of MFA sends a randomly generated code to your phone, which is only valid for a brief period of time. Once the code is entered, the user is granted access through two factors: the password (something you know) and the phone (something you have). Without the phone, and therefore without the code, no access is granted.
The best part is that most sites and applications using MFA offer to remember the device being used (“trust this device”), usually for a limited period, so the second factor is only requested again on an unrecognized device or when the trust period expires. The only person doing extra work is the one trying to break into your account!
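What “remembering the device” looks like server-side, as an added example that is not code from the original page or from Anexinet: after a successful second-factor check, the server issues a signed, expiring token naming the user and the device, and a later login on that device skips the prompt only if the token still verifies. The HMAC key, the device identifier, the 30-day lifetime and the test inputs are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Hypothetical per-deployment signing key. A real service would generate it once, keep it in
# a secrets manager and rotate it; every "remembered" device is only as safe as this key.
SERVER_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_device_token(user_id: str, device_id: str, now: int,
                       ttl_seconds: int = 30 * 86400, key: bytes = SERVER_KEY) -> str:
    """Mint a 'trusted device' token right after a successful second-factor check.

    The payload names the user, the device and an expiry; the HMAC tag binds all three, so the
    token cannot be edited to extend its life or to transfer it to another account.
    """
    payload = {"sub": user_id, "dev": device_id, "exp": now + ttl_seconds}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def second_factor_required(token: Optional[str], user_id: str, device_id: str, now: int,
                           key: bytes = SERVER_KEY) -> bool:
    """Return True when the login must still prompt for the second factor.

    Every failure path (missing token, bad tag, unparsable body, expired, wrong user, wrong
    device) falls back to prompting, so a forged or stolen token never weakens the login
    below "password plus second factor".
    """
    if not token or "." not in token:
        return True
    body, tag = token.rsplit(".", 1)
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(_unb64(tag), expected):
            return True                     # tag mismatch: tampered or issued under another key
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return True                         # not a token we produced: treat as absent
    if payload.get("exp", 0) <= now:
        return True                         # trust period over: re-prompt
    if payload.get("sub") != user_id or payload.get("dev") != device_id:
        return True                         # issued for a different user or device
    return False


def demo(key: bytes = b"k" * 32) -> dict:
    """Constructed walk-through of the cases the check has to get right."""
    t0 = 1_700_000_000
    tok = issue_device_token("alice", "laptop-1", t0, key=key)
    # Attacker edits the payload to push the expiry out a decade but cannot re-sign it.
    _, tag = tok.split(".")
    forged_body = _b64(json.dumps({"dev": "laptop-1", "exp": t0 + 10 ** 9, "sub": "alice"},
                                  separators=(",", ":"), sort_keys=True).encode())
    forged = f"{forged_body}.{tag}"
    return {
        "fresh_same_device": second_factor_required(tok, "alice", "laptop-1", t0 + 60, key=key),
        "other_device": second_factor_required(tok, "alice", "phone-2", t0 + 60, key=key),
        "other_user": second_factor_required(tok, "bob", "laptop-1", t0 + 60, key=key),
        "expired": second_factor_required(tok, "alice", "laptop-1", t0 + 31 * 86400, key=key),
        "forged_expiry": second_factor_required(forged, "alice", "laptop-1", t0 + 60, key=key),
        "no_token": second_factor_required(None, "alice", "laptop-1", t0 + 60, key=key),
    }


if __name__ == "__main__":
    for case, prompt in demo().items():
        print(f"{case:18} -> prompt for second factor: {prompt}")
```

The caveat a practitioner should keep in mind: the token only identifies the device by whatever `device_id` the client presents, so a stolen cookie plus that identifier replays on an attacker’s machine until the expiry passes. That is why the trust period is bounded, why the token is bound to one user, and why a site should let the user revoke remembered devices.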
When is MFA necessary?
You should use MFA whenever possible, especially for your most sensitive data (primary email, financial accounts, health records, etc.). Many services now support MFA, but it is often not enabled by default, so you may need to take the initiative to set it up and turn it on. As attackers’ tooling and the supply of leaked credentials keep growing, a username and password alone are no longer enough.
Possible Disadvantages of MFA
While MFA is a great option, it is not without disadvantages. Text-message codes in particular can still be phished: an attacker sends a text message that links to a spoofed website that looks identical to the real one, captures the password and the one-time code the user types in, and relays them to the real site before the code expires. Attackers can also go after the phone number itself, through SIM swapping or duplication (socially engineering the carrier into moving the number to a SIM they control), SIM cloning, phony phone calls that trick the user into reading out the code, or an IMSI-catcher that intercepts the incoming text message from the MFA source.
Aside from hackers doing what they do best, MFA users also face the possibility of no cell signal, or a lost, stolen or dead phone, while trying to access their data. Unfortunately, with many sites and applications only one MFA method can be enrolled, so if that second factor is unavailable, logging in may be impossible; where a site offers backup codes or a second enrolled method, set them up in advance. In most cases, if something like this happens, users can call the organization directly and have them reset access settings (of course after successfully verifying themselves!).
Corporate Implementation Considerations
Many MFA products require the business to deploy client software for the MFA system to work. Some vendors provide separate installation packages for network login, VPN connections, and web access credentials.
Network login products may require four or five software packages to be pushed down to the client PC in order to make use of the MFA method. That means four or five packages for which version control has to be performed, and potential conflicts with business applications that must constantly be checked.
Web access or VPN MFA overhead is usually limited, because it is usually confined to a single application. For example, a VPN connection can require a one-time code generated by a specific authenticator application. These codes typically have a short life span (commonly 30 seconds) before changing again, so a code an attacker manages to capture is of little use once that window has passed.
Organization size, budget, and level of data sensitivity should be taken into consideration when determining what method of MFA should be deployed.
Experience with MFA deployments shows that the primary element affecting adoption is the line of business of the organization deploying the system. For example, the U.S. Government employs an elaborate system of physical smart-card tokens, which are themselves backed by a very strong Public Key Infrastructure. On the other hand, private banks are a good example of providing an easy (and less expensive!) MFA process for customers, such as an app installed on a customer-owned smartphone.
Despite these variations, once an MFA solution is deployed, it tends to remain in place. Users acclimate to the presence and use of the system and usually come to accept it over time as a normal element of their daily interaction with the organization.
If you’d like assistance implementing an MFA solution for your organization, please don’t hesitate to reach out to Anexinet, we would be happy to discuss your MFA options and help you determine which solution works best for your specific situation.
Cloud Security Architect