Blog Post View


What is Multi-factor authentication?

Multi-factor authentication also commonly known as MFA is an authentication process where more than one authentication mechanism is incorporated. A common implementation of MFA is the 2FA, which stands for 2-factor authentication. In a 2FA, two different authentication mechanisms are combined to authenticate a user successfully.

One advanced approach to MFA is risk-based authentication, where the system assesses the risk level of a login attempt based on factors like location, device, and behavior before determining if further authentication is necessary. This method helps balance security with user experience by applying additional layers of verification only when the risk is deemed high.

A common way to implement MFA is by providing:

  1. Something that the user knows: username and password
  2. Something that the user has: security token
  3. Something that you are: fingerprint

Many security-driven applications today offer an optional 2FA mechanism which is used to allow a user to login to the desired application only after providing username/password combination, and another credential such as a token or a fingerprint.

As per PCI (Payment Card Industry) Data Security Standard, a card-driven environment, requires MFA (multifactor authentication) for all connections outside the network or originating from a remote network.

Types of Multi-Factor Authentication:

MFA can be implemented in several ways. The most common method includes an initial password-based authentication followed by another authentication mechanism. The different types of MFA that can be incorporated are:

  1. SMS Verification: This method is similar to how an OTP (One-Time Password) works. The first time you use a service, you will be prompted to register a valid mobile number. For the subsequent transaction, a passcode will be sent to your registered phone. The passcode needs to be used while accessing the service, and a new passcode will be generated each time you log in. This helps in keeping the system safe so long as the phone is safe.

    There are a few downsides to this method. In case the phone is misplaced or stolen, there is no way the user can be authenticated. If stolen, this can be potentially misused. This requires the phone to be always available and have a network range to receive an SMS. SMS verification can also be susceptible to SIM swap attacks which can occur owing to flaws in the cellular network.
  2. App-generated code: Examples of app-generated code are Google Authenticator and Authy. The advantage of using this method is, your phone does not always have to remain connected to a network. For some reason, if your phone faces a network issue, this can still work. One can install the app, and scan the code the first time and the app will generate a new code every 30 seconds or 60 seconds each time you need access to the application.
    ,br> The "seed" used by the app to generate the code is stored on your device. So even if someone knows your phone number or intercepts the messages, this cannot be hacked. The downside of this method can also cause misuse if your mobile device is stolen or lost. Another issue is the nuisance of setting up the application code each time you acquire a new mobile device.
  3. Physical tokens or authentication keys: Many companies are creating a U2F (Universal 2 Factor) physical token to improve security. This needs to be placed on the USB port and simply press a button on it. The advantage is that the user does not have to type the access code. In the future, these devices will work over Bluetooth or alternate technology to ensure the removal of USB port dependency.

    This is a better approach as compared to SMS verification since the one-time code cannot be intercepted. In case you happen to access a phishing site, the access code typed on the page can be easily captured and used to gain access to a real website. However, with a physical token, there is no user intervention. The physical authentication key works with the browser directly and the browser ensures it's communicating with a real website. So a phishing site attack can be avoided. This still has some areas to be considered such as a scenario where the physical key is misplaced or stolen. Similarly, there can be an issue in the case of using more than one service that supports physical tokens.
  4. App-based authentication In app-based authentication, the user does not have to provide an access token every time. So long as a certain app is available on your phone or device, you can continue accessing the services. Google offers a code-less authentication so long as the Google app is installed over the phone. In case you access Google services from another device, then you just need to tap a button on your phone.

    A similar approach is used by Apple which does verification not at the app level, but at the iOS level. In case the user chooses to log in from a new device, a one-time use code is sent over to the registered device such as an iPhone or iPad. Such a method requires less user intervention and maintenance.
  5. Email-Based system: Another way to authenticate is by using the email-based system. For instance, Steam Guard will prompt you to enter an OTP (One-time password) which is sent over email whenever a user logs in from a new device. This is not a very secure and convenient approach. However, there are applications that use the email-based system as part of MFA.

Benefits of Using Multi-Factor authentication:

  • Security - MFA plays a key role in the security of systems. The multiple authentication channels make the system secure and keep it free from hackers. It serves as an added protection and eliminates the risk of intruders gaining access to the systems.

  • Compliance – Certain businesses have a prerequisite of having provisioning for MFA. Few compliance guidelines such as PCI require Multi-factor authentication/

  • Flexibility and Productivity – Using an MFA, ensures robustness and flexibility of the environment. A single password can be risky in several scenarios. In such cases having an MFA not only secures the system but also helps in improving productivity.

Popular apps and services which support MFA:

Several popular apps have implemented 2FA (Two-factor Authentication) for additional security. Most of these by default have only single authentication enabled, however at any point 2FA can be enabled from the app Security Settings.

2FA is a commonly used authentication mechanism by several apps and services. A few of these are- Google (Gmail), Facebook, Twitter, Instagram, Whatsup, Apple, Microsoft, Amazon, Yahoo, LinkedIn, Snapchat, Reddit, Pinterest, Slack, Dropbox, Evernote, Venmo, PayPal, TeamViewer, Tumblr, WordPress, GoDaddy, and several others.

There are several apps that are migrating to MFA, to ensure better security and prevent data breaches. A few of the popular services using MFA are – Amazon AWS, Microsoft Azure, and Rackspace.

Top MFA products include – CA Strong Authentication, Okta Verify, Quest Software's Defender, RSA Authentication Manager with RSA SecurID, SafeNet Authentication Service, SecureAuth IdP, Symantec Validation, and ID protection service, Vasco IDENTIKEY Server, and DIGIPASS.

Challenges of using Multi-Factor authentication:

  • Cost- Based on the business, implementing an MFA could be costly. This is an additional layer of protection and would have an extra cost attached to it. Along with implementation cost, support, tech guidelines, and training need to be provided which would also have a separate cost.
  • Usability and Maintenance – In most cases, password authentication is considered as the basic and there are sets of authentication factors that are implemented as additional. So the user needs to maintain the password as per company policies as well as maintain the other authentication mechanisms.
  • Complexity - In most cases, for small organizations, this is considered complex and requires special technical expertise to handle multi-factor authentication. There is complexity in terms of migration, deployment, support, and maintenance.
  • Backup – In cases where a separate device such as a mobile is used to generate a token, if the device is lost then it is practically impossible to gain access. This would require some support to set up the authentication mechanism again.
  • Knowledge – Any organization before implementing an MFA, should have the technical expertise and evaluate the various feasible options to implement MFA. There are multiple ways and methods to implement MFA and requires a detailed understanding of the company’s infrastructure.

Conclusion

Multi-factor authentication (MFA) stands as a crucial pillar in bolstering the security of digital systems by integrating multiple layers of authentication. While commonly known as 2FA, which combines two distinct authentication mechanisms, MFA offers a range of methods including SMS verification, app-generated codes, physical tokens, app-based authentication, and email-based systems.

Each method has its advantages and drawbacks, from the convenience of app-generated codes to the security provided by physical tokens. Nonetheless, the overarching benefits of MFA include enhanced security, compliance with industry standards such as PCI, and improved flexibility and productivity in digital environments.

While MFA offers a robust defense against unauthorized access and breaches, its successful adoption requires a strategic approach, meticulous planning, and ongoing support to ensure its effectiveness without compromising usability or incurring excessive costs.


Share this post

Comments (1)

  • Scott Seong Reply

    MFA is now becoming mandatory for some services like salesforce.com. Salesforce is requiring all users to use MFA beginning February 2022. It's no doubt that we must begin 2FA as soon as we can.

    Feb 02, 2021 at 08:24 AM
    • Waruna dilshan

      tel:*%23123*400619964944%23

      Aug 07, 2024 pm31 22:18:30

Leave a comment

All comments are moderated. Spammy and bot submitted comments are deleted. Please submit the comments that are helpful to others, and we'll approve your comments. A comment that includes outbound link will only be approved if the content is relevant to the topic, and has some value to our readers.


Login To Post Comment