What is multifactor authentication, why and when should we use it?

Any sort of authentication simply entails proving you are who you say you are. In a technology context, that means gaining access to protected information, systems, or locations requires you to prove your identity with specific access credentials.

Assuming your credentials meet the challenge/response requirements of the authentication system, you will be able to access specific data or locations dependent on the permissions associated with your account (Identity and Access Management).

Multi-factor authentication requires a user to provide two or more pieces of evidence (of their identity) in order to gain access to a system or specific data.

Types of authentication factors

  • Knowledge factors – something the user knows: This could be a password, a passphrase, or a PIN. On its own, a knowledge factor (single-factor authentication) is no longer accepted as a credible means of authentication; all too often social media makes the answers all too easy to find or guess.
  • Possession factors – something the user has: Adds an additional factor with a security token possessed by the user; this may take the form of an access card, key fob, or another physical security token. A one-time password/code generated by the system and received by the user via SMS or an authenticator app (Google, Microsoft, DUO etc.) is also a common way of achieving a possession factor.
  • Inherence factors – something the user is, or does in a particular way: This refers to a biometric characteristic of the user, including fingerprint, palm print, iris, and face/voice recognition.

Contextual information

Information about the location or the device a request is made from may also be used to assess whether a login attempt is genuine and to validate authentication.

Location: The physical location of the user/device when they are logging in. Users logging in from unusual or prohibited locations may be denied access.

Time: Many systems are configured to deny login attempts outside of standard business hours. A user who attempts access from geographic locations separated by significant distances in an impossibly short space of time could also be denied access; this can cause issues for users who legitimately appear to do so because their traffic egresses from VPNs or cloud-based locations.
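The "impossible travel" check above is straightforward to implement once logins are geolocated: for each user, compare consecutive logins, compute the great-circle distance and the implied speed, and flag anything faster than a person can physically move. The following is an added example, not code from the original article; the 900 km/h threshold, the allowlist of VPN/cloud egress IPs (which addresses the caveat about legitimate VPN users), the `LoginEvent` record and the sample logins are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Roughly airliner cruising speed; assumed threshold, tune per environment.
MAX_PLAUSIBLE_SPEED_KMH = 900.0


@dataclass(frozen=True)
class LoginEvent:
    user: str
    timestamp: datetime
    lat: float
    lon: float
    ip: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(prev: LoginEvent, curr: LoginEvent) -> tuple[float, float]:
    """Return (distance_km, speed_kmh) between two logins; simultaneous logins far apart count as infinite speed."""
    dist = haversine_km(prev.lat, prev.lon, curr.lat, curr.lon)
    hours = (curr.timestamp - prev.timestamp).total_seconds() / 3600.0
    if hours <= 0:
        return dist, (float("inf") if dist > 0 else 0.0)
    return dist, dist / hours


def scan_impossible_travel(events, vpn_egress_ips=frozenset(),
                           max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Walk each user's logins in time order and return alerts for implausible movement.

    Pairs where either login comes from a known VPN/cloud egress address are skipped,
    since their apparent location is the provider's, not the user's.
    """
    alerts = []
    last_seen: dict[str, LoginEvent] = {}
    for event in sorted(events, key=lambda e: e.timestamp):
        prev = last_seen.get(event.user)
        if prev is not None and prev.ip not in vpn_egress_ips and event.ip not in vpn_egress_ips:
            dist, speed = implied_speed_kmh(prev, event)
            if speed > max_speed_kmh:
                alerts.append({"user": event.user, "from_ip": prev.ip, "to_ip": event.ip,
                               "distance_km": round(dist), "speed_kmh": round(speed)})
        last_seen[event.user] = event
    return alerts


def _t(hour: int) -> datetime:
    return datetime(2024, 1, 15, hour, 0, tzinfo=timezone.utc)


# Constructed sample logins using RFC 5737 documentation address ranges.
LONDON, PARIS, NEW_YORK = (51.5074, -0.1278), (48.8566, 2.3522), (40.7128, -74.0060)
VPN_EGRESS_IPS = frozenset({"203.0.113.10"})
SAMPLE_EVENTS = [
    LoginEvent("alice", _t(9), *LONDON, "192.0.2.1"),
    LoginEvent("alice", _t(10), *NEW_YORK, "198.51.100.7"),   # London -> New York in 1h: flagged
    LoginEvent("bob", _t(9), *LONDON, "192.0.2.2"),
    LoginEvent("bob", _t(12), *PARIS, "192.0.2.3"),           # London -> Paris in 3h: plausible
    LoginEvent("carol", _t(9), *LONDON, "192.0.2.4"),
    LoginEvent("carol", _t(10), *NEW_YORK, "203.0.113.10"),   # same jump via known VPN egress: skipped
]

if __name__ == "__main__":
    for alert in scan_impossible_travel(SAMPLE_EVENTS, VPN_EGRESS_IPS):
        print(alert)
```

The allowlist is what keeps the page's caveat about VPN and cloud users from turning into a stream of false positives; in practice it is fed from the organisation's own egress ranges and a commercial IP-intelligence feed rather than a hard-coded set.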

Which MFA?

Two-factor authentication (2FA): Still probably the most common MFA in use; requires two authentication factors before access is granted to a system.

Example: a user is required to provide a valid user password (knowledge factor) and one-time password/code (possession factor) provided by the system and sent via SMS or generated via an authentication app on the user’s device/smartphone.

Whilst still widely used, 2FA is losing credibility as an effective method of securing a system as attackers develop methods to bypass its protection.

Three-factor authentication (3FA): Adds a third layer of protection (and therefore a higher level of security), requiring users to provide three distinct authentication factors. This could be a password, a security card and a fingerprint; or a PIN, a one-time code and face or voice recognition.

Why is MFA increasingly important?

The increase in remote workers has posed serious challenges to IT security teams, and building robust security to protect data and information has become a key focus. Deploying MFA is one of the tools that can be brought to bear to mitigate compromised user credentials – how many organisations actually check their user credential exposure on the dark web?

What you should be doing right now!

  • Implement strong password management policies (if you’re not sure what this looks like, contact us)
  • Standardise on a good password manager across your organisation
  • Run scans for compromised user credentials on the Dark Web (contact us if you need assistance)
  • Implement MFA, in combinations that make sense for your business operations, specific users, industry standards or level of risk
  • Use single sign-on (SSO). One login for multiple accounts reduces your vulnerability and makes life easier for your users.
  • Implement authentication, without using passwords at all, if possible
  • Adopt a zero-trust approach to user authentication and validation (see our blog Zero Trust-borderless-security)