It’s Monday morning. You sit at the computer, enter your login credentials, hit ‘Enter’, and sigh when your phone goes off in what always seems to be any room but the one you’re in.
Yes, the ritualistic hunt for your phone has its purpose. Let’s talk about multi-factor authentication, or MFA.
Put simply, MFA is a method of authentication that requires more than one form of verification to establish that it’s you trying to authenticate and not an impostor. But just how good is MFA at keeping impostors out?
In this article, we’ll dive into three of the most common factors used in multi-factor authentication and evaluate which ones are best at keeping you safe.
Factor #1: Something You Know
Nearly every website or application starts its authentication process with a form of something you know.
Something you know includes any static piece of information that, theoretically, only you should know. Think of things like security questions, personal identification numbers, zip codes, and of course, passwords.
By itself, something you know has serious security limitations. The core problem is that the system cannot distinguish the legitimate user from an impostor who has obtained the same secret: anyone who knows the password is, as far as the login form is concerned, you.
Even the strongest something-you-know credentials remain exposed to techniques such as:
- Credential dumping (reading cached password hashes from OS memory or from the SAM/NTDS databases)
- Outdated or unsalted hashing algorithms that let leaked hashes be cracked offline
- Malware and input-capture tools such as keyloggers
- Forced SMB/WebDAV authentication that leaks NTLM challenge-responses for relay or offline cracking
- Pluggable authentication module (PAM) modifications that log or bypass password checks
- Golden Ticket and Kerberoasting attacks against Kerberos credentials
- Outdated authentication protocols (for example NTLMv1 or LM) that can be relayed or cracked cheaply
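The second item above, weak password storage, is worth seeing concretely. The following Python is an added example, not code from the original article: a constructed, clearly fake "leaked" user table stored as unsalted MD5 is recovered with a single pass over a wordlist, while the same passwords stored with per-user salts and PBKDF2-HMAC-SHA256 force one full key derivation per user per guess. The usernames, passwords, wordlist and the storage format `pbkdf2_sha256$<iterations>$<salt>$<hash>` are all this example's own choices.

```python
import hashlib
import hmac
import os

# Constructed sample data (not real users or real leaked hashes).
WORDLIST = ["123456", "Password1", "letmein", "Summer2023"]


def md5_hex(password: str) -> str:
    """Legacy, unsalted MD5 storage: the weak scheme being demonstrated, not a recommendation."""
    return hashlib.md5(password.encode()).hexdigest()


# A legacy password table: every user with the same password has the same hash.
LEGACY_ROWS = {"alice": md5_hex("Summer2023"), "bob": md5_hex("Password1")}


def crack_unsalted_md5(rows: dict, wordlist: list) -> tuple:
    """Offline dictionary attack against unsalted MD5.

    One MD5 per candidate word is enough to test that word against *every* user,
    because nothing user-specific went into the hash. Returns (recovered, hash_evaluations).
    """
    lookup = {md5_hex(word): word for word in wordlist}
    recovered = {user: lookup[h] for user, h in rows.items() if h in lookup}
    return recovered, len(wordlist)


# Iteration count used for this demo's table so the example runs quickly; a real deployment
# should use a far higher count (OWASP currently suggests 600,000 for PBKDF2-HMAC-SHA256).
DEMO_ITERATIONS = 10_000


def hash_password_pbkdf2(password: str, salt: bytes = None, iterations: int = 600_000) -> str:
    """Salted, iterated storage. Format (this example's own): pbkdf2_sha256$iter$salt_hex$dk_hex."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute the derivation from the stored parameters and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# The same users, stored properly: a random salt per user makes each hash unique.
HARDENED_ROWS = {
    "alice": hash_password_pbkdf2("Summer2023", iterations=DEMO_ITERATIONS),
    "bob": hash_password_pbkdf2("Password1", iterations=DEMO_ITERATIONS),
}


def crack_salted(rows: dict, wordlist: list) -> tuple:
    """The same dictionary attack against salted PBKDF2 rows.

    Every (user, word) pair now costs a full PBKDF2 run, and each run costs `iterations`
    HMAC calls instead of one MD5. Returns (recovered, pbkdf2_evaluations).
    """
    recovered, evaluations = {}, 0
    for user, stored in rows.items():
        for word in wordlist:
            evaluations += 1
            if verify_pbkdf2(word, stored):
                recovered[user] = word
                break
    return recovered, evaluations


if __name__ == "__main__":
    print("unsalted MD5:", crack_unsalted_md5(LEGACY_ROWS, WORDLIST))
    print("salted PBKDF2:", crack_salted(HARDENED_ROWS, WORDLIST))
```

Both attacks still succeed against these weak passwords; the salted, iterated scheme only raises the attacker's cost per guess (here 6 derivations of 10,000 HMACs versus 4 single MD5s, and the gap widens with every extra user and every extra iteration). That is exactly why a second factor, rather than a better hash alone, is the real fix for a guessable password.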
Factor #2: Something You Are
Also known as Biometric Authentication, something you are is an authentication factor that verifies users by their unique biological characteristics.
This includes things like fingerprint scanning, iris scanning, facial recognition, and even detecting the unique beat of one’s heart.
The security efficacy of something you are looks promising; however, this factor comes with privacy and compliance concerns. Using biometrics means organizations need to store biometric templates that count as personally identifiable information (PII) and, in some cases, protected health information (PHI), which can introduce more compliance liability than they want to take on. There is also a practical caveat: unlike a password, a fingerprint or face cannot be rotated once a copy of it leaks.
Factor #3: Something You Have
Something you have is an authentication factor that verifies users through physical items in their possession.
The thought process behind this factor can be traced back to the simple lock and key. It’s reasonably assumed that if you alone have the key to your safe, the contents of your safe remain secure.
When you apply this analogy to MFA, the safe becomes your account and the key becomes one of two types of tokens:
- Connected/contactless tokens: Physical items that either plug into a system (USB keys, disks, drives, etc.) or use contactless technology such as radio frequency identification (RFID) or near-field communication (NFC) to authenticate a user.
- Disconnected tokens: Physical items that do not plug into a system and can authenticate a user regardless of their location by generating a one-time password or similar credential.
Disconnected tokens delivered through a mobile phone are what most people picture when they hear MFA. Common forms include push notifications, text messages carrying a one-time password, and authenticator apps that generate rotating time-based codes.
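The rotating codes from an authenticator app are time-based one-time passwords (TOTP, RFC 6238), which are HOTP (RFC 4226) counters driven by the clock. The Python below is an added example, not code from the original article: it implements both algorithms, checks them against the secret from the RFCs' published test vectors, and adds the replay check a verifier needs because a code stays valid for the entire 30-second step plus any clock-drift window. The `TotpVerifier` class and `secret_from_base32` helper are this example's own names.

```python
import base64
import hashlib
import hmac
import struct
import time

# The reference secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"), used so the
# codes produced here can be compared with the published test vectors.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at_time: float = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the number of `step`-second intervals since the epoch."""
    now = int(time.time()) if at_time is None else int(at_time)
    return hotp(secret, now // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps share secrets as base32 (often without padding); restore the padding."""
    encoded = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(encoded + "=" * (-len(encoded) % 8))


class TotpVerifier:
    """Server-side check with a drift window and single-use enforcement per counter value."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1                   # highest counter value already accepted

    def verify(self, code: str, at_time: float = None) -> bool:
        now = int(time.time()) if at_time is None else int(at_time)
        counter = now // self.step
        for candidate in range(counter - self.window, counter + self.window + 1):
            if candidate <= self.last_counter:   # already consumed: reject the replay
                continue
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    print("HOTP(0):", hotp(RFC_SECRET, 0))                   # 755224 per RFC 4226
    print("TOTP(t=59):", totp(RFC_SECRET, at_time=59))       # 287082 per RFC 6238
    print("current code:", totp(secret_from_base32("JBSWY3DPEHPK3PXP")))
```

Two things the code makes visible. First, any code is accepted for up to three steps (previous, current, next), so an attacker who obtains it has roughly a minute to use it; the `last_counter` check stops a second use of the same code but does nothing against a phishing proxy that forwards the code the instant the victim types it. Second, the only secret in the scheme is the shared seed, so a copy of the server's seed database is equivalent to every user's device.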
The Consensus: Is MFA Worth the Hassle?
Many widely deployed MFA methods, particularly those built on one-time codes and push notifications, still have glaring weaknesses.
For one, threat actors can still insert themselves between a user and the application the user is authenticating to (an adversary-in-the-middle phishing proxy), capturing the password and the one-time code and relaying both in real time. They can also set up phony websites that mirror the MFA flow of legitimate sites, or steal a user’s session cookie after authentication and take over the session without ever touching MFA. Connected tokens that bind the credential to the site’s origin (FIDO2/WebAuthn security keys) are the factor that resists these relay attacks; codes typed by a human are not.
Against commodity attacks such as credential stuffing and password reuse, however, MFA remains an essential protection. Something you are and something you have are the stronger factors, and a combination of factors is better still.
And for those who wish to take their MFA process further, composite authentication is an MFA model that adds factors such as what you do (how a user types, clicks, or swipes on their device) and when/where you act (where a user logs in from and at what times they typically use their device).
Remember — when it comes to choosing your authentication factors, some is good, more is better, and too much is just right.
SP6 is a niche technology firm advising organizations on how to best leverage the combination of big data analytics and automation across three distinct practice areas:
- Cybersecurity Operations and Cyber Risk Management (including automated security compliance and security maturity assessments)
- Fraud detection and prevention
- IT and DevOps Observability and Site Reliability
Each of these distinct domains is supported by SP6 team members with subject matter expertise in their respective disciplines. SP6 provides Professional Services as well as ongoing Co-Managed Services in each of these solution areas. We also assist organizations in their evaluation and acquisition of appropriate technology tools and solutions. SP6 operates across North America and Europe.