What is Multi-factor Authentication?
By Ryan M. Norchi
February 22, 2021
If living entirely off the grid sounds inconvenient, but you are aware that data breaches and password hacks are becoming more common every year, perhaps you are in search of a high-quality security system that is not overly complicated. Hacking techniques are getting better all the time, but some of the best security practices do feel unnecessarily complicated. In search of a relatively convenient authentication practice that is not overly complicated, many people and companies are turning to two-factor authentication.
What is Multi-factor Authentication?
Two-factor authentication (2FA), as the name suggests, requires two separate keys from the user to access a network or profile. Typically, users need only a username and a password to access an account, whereas 2FA adds an additional layer of security. Security factors generally fall into three categories: something the user knows, something the user has, or something the user is. Something the user knows would be a PIN or a password. Something the user has would be a phone, computer, card, or device. Something the user is would be a biometric factor, such as a thumbprint or facial recognition. For example, ATMs already use two-factor authentication: the debit card is something the user has, while the PIN is something the user knows. By requiring that users not only know a password but also be in possession of a particular phone, 2FA is one of the more common ways that system security can be strengthened.
Companies and individuals alike are increasingly turning to multi-factor authentication (MFA). Individuals often do this by downloading one of several apps for their phone, such as Microsoft Authenticator. Implementation on a company-wide scale might require that multiple software packages be installed on every client computer that connects to the company's servers. Individuals, unlike businesses, can usually find a phone app that handles multi-factor authentication for them, and therefore do not have to worry much about compliance and other major weaknesses. While it is true that multiple layers of security will always be better than one layer at keeping users safe, it is also important to understand some of 2FA's weaknesses and compliance requirements before proceeding with implementation.
Many of the major risks involved with using multi-factor authentication arise when Short Message Service (SMS) login is used as the second factor. Still better than a single password, SMS login sends a PIN or passcode to the user's phone after a correct username and password have been entered. This might seem secure, as any hacking attempt without the victim's phone should be rendered useless. The security weakness here doesn't lie in the code, but in the SMS process itself. SIM hacking (also called SIM swapping), Man in the Middle (MITM) attacks, and other attacks on the SMS infrastructure are what render SMS login relatively insecure. SIM hacking, specifically, is a risk regardless of how the rest of the system is secured. A SIM hack usually involves the attacker calling your service provider, pretending to be you, and reactivating your number on a different SIM card. The only protection against SIM hacking attempts is your carrier, and the security questions required to reprogram your phone number onto a different SIM card. If you are awake and using your phone or email regularly throughout the day, you may notice a successful attempt early enough to limit the damage. SMS relies on infrastructure that is itself relatively vulnerable to hacking, in ways that other factors can avoid. This is why only about 2% of multi-factor authentication used in 2019 was SMS based. It is still important to acknowledge, however, that two-factor authentication is always better than one, although we should be moving away from SMS as an authentication factor.
While some login services, such as humanID for businesses or authenticator apps for individuals, don't share many security weaknesses with SMS login, there are still benefits and disadvantages to any system that is used. Many multi-factor authentication systems rely on push notifications, phone calls, or physical tokens, all of which require the user to have something in their possession when they wish to use their account. The misplacement of a phone or wallet could mean being locked out of a system temporarily. This is why many systems have account recovery protocols in place, but these can be a potential point of weakness as well.
The weakness of passwords, or something you know, is well documented. The response to the weaknesses of single-password sign-on is to add additional security layers. But as we have discussed, these security layers have weaknesses of their own. Some of these weaknesses, however, are relatively easy to manage. The weakness of requiring a phone, or something you have, is that the item in question could be lost, stolen, or left at home.
One promising solution is biometrics, something you are, as a security factor. Apple has already implemented biometric security in the form of thumbprints for recent iPhone models. This is likely the direction of the future, as replicating fingerprints and defeating facial recognition software is much harder than going after passwords. If you look for authentication technology that uses biometric security protocols and is not over budget, you will probably run into the only major hurdle: it lacks standardization and proliferation. The technology and software do currently exist; however, implementing the software can carry a hefty price and may not be compatible with some systems. Furthermore, although replicating biometric data is especially difficult, it is still possible to do so, and it is likely only going to become easier over time as the technology continues to gain traction.
Companies are required to ask for permission before taking biometric data
The issues concerning biometric data can only be ameliorated or exacerbated with time. More research and development will allow the technology to become more accurate, safer, cheaper, and compatible with more systems. The hacking potential technically remains, although at the moment biometrics is still one of the safer and more user-friendly methods of authentication. Coupled with other security protocols, biometric data could potentially become standard for more than just iPhones and building access.
Given the current limitations of using biometric data as a second authentication factor, it makes sense that, for the time being, anyone looking to implement multi-factor authentication for additional security would stick to factors that fall under something you know or something you have. Requiring employees to carry cards, USB sticks, or some other physical encryption key is not likely to be the answer. These types of physical tokens can be misplaced, forgotten, stolen, or lost. It is much more efficient to use cellular devices as the "something you have." While we have already discussed the security concerns with using SMS one-time passwords, there are currently a handful of phone applications that use generated codes or push notifications to bypass the SMS system for added security. This is of course still going to be difficult to implement for users who do not own smartphones or are simply less than tech savvy, but it is convenient, and much more secure than SMS or relying on passwords alone.
Additional security is not the only reason to switch to multi-factor authentication (MFA). Some professional industries, such as finance or healthcare, require institutions like banks and hospitals to maintain a minimum level of security to protect their clients. Anyone who has used an ATM has experience with mandatory 2FA (know a PIN, and have an ATM card). Any financial institution that processes and stores card payment information is required to carry at least 2FA. Most other organizations that maintain financial data from clients have some level of security requirement that can be fulfilled through the use of MFA. Additionally, any organization that collects healthcare data about clients is liable under the Health Insurance Portability and Accountability Act (HIPAA). This includes not only hospitals and health insurance companies, but also medical malpractice lawyers and medical professionals working with athletic teams. Any entity that holds healthcare data about clients is required to meet minimum security standards. This is similar to most financial regulations in that MFA is not necessarily mandatory, but it does fulfill the minimum requirement.
Any entity with financial or healthcare records of its clients will be required to maintain some baseline level of data security, and multi-factor authentication will often do the trick. Even when it is not required, any person or business with sensitive data ought to consider using at least two-factor authentication to help prevent data breaches as much as possible. Push notifications and phone calls are the best authentication methods for phones, while encryption keys, cards, and other physical tokens will be even more secure, though they come with additional hassle. It is possible that biometrics could become the preferred authentication method of the future, but for now the technology is quite expensive and difficult to implement. If it isn't required in your industry for compliance purposes, still consider using multi-factor authentication whenever possible. Certain laws, such as the California Consumer Privacy Act (CCPA), regulate the collection of data. If convenience is important to you, but you don't want to use a sign-on service that collects and shares data, or is easy to hack via SIM hacking, the safest service to consider is probably humanID.