Why and when do we use Multi-Factor Authentication?

This article provides guidance on what multi-factor authentication is and why it’s so important, how the factors came up, the different multi-factor authentication methods that exist and why some methods are more secure, and therefore more effective than others.

As IT and security professionals we tend to love the TLA’s (Three Letter Acronyms), which is like a secret language. If you’re not privy to the inner workings, you’ll soon start paying attention to more pertinent things than the fact that your sites need to upgrade to Extended Validation (EV) SSL Certificates, the admins definitely need better SSH key management and your IAM solution lacks OAuth and UDF capabilities. MFA is another very important acronym to add to the list and is something every web-facing application owner should be aware of. There’s plenty of regulatory pressure in many verticals pushing online services and applications towards stronger alternatives in user authentication than passwords. The owners of these applications also need to understand how an efficient usable MFA scheme has to be built and what they should look for in the market, as this can work as a competitive advantage.

What is Multi-Factor Authentication?

MFA is the process of identifying an online user by validating two or more claims presented by the user, each from a different category of factors. This is one of the most effective controls an organisation can implement to prevent an enemy from gaining access to a device or network and accessing sensitive information. You may have also heard it referred to as its variant forms like step-up authentication, advanced authentication, 2-step verification and 2-factor authentication.

The three basic elements that can be used in MFA are:

  1. something the user has, like a mobile device; and
  2. something the user is, a behaviour like a fingerprint, optics or voice and compared to the previously recorded data; and
  3. something the user knows, like a pin number or a password.
Why and when do we use Multi-Factor Authentication? 1

The principle of MFA is that there is no perfect authentication factor. Anyone factor that is implemented will have its strength and weaknesses. The concept of multi-factor authentication is that a second or third factor will compensate for the weakness of the other factor/s and vice-versa.

How did the Factors come up?

Historically, first came the computer system where everyone thought that it would be good to store confidential information, and the password was born when this information needed protection. Passwords and other secrets (PIN-code, passphrase) that rely on your memory, constitute a factor. Another widely used memory-based secret is the question and answer to which only you should know the answer to. But easy to remember answers tend to be also easy to discover by a third party. Harder answers, on the other hand, are more difficult to remember by the user. The secret is usable if you remember it, but everyone is likely to forget. Fortunately, both cases have recovery options but are very complex and time-consuming.

Better security, something that didn’t rely on the memory of the user, something that was harder to give to someone else or discovered by breaching the database of stored secrets (passwords), was needed. The second factor was born in the form of PKI smart cards and USB-tokens. One-Time-Password lists or tokens meant that the user was in possession of something that was small and could be carried by themselves (like a mobile phone these days).

Time marched on and criminals found new ways to breach some of these second factor systems. The amount of confidential information in applications and databases grew and more people needed access to that information. This was when it was discovered that the user can also act as a factor.

Why are “Multi’ Factors needed?

An MFA scheme has different factors. An authentication scheme using different implementations of the same factor does not constitute an MFA scheme. For example, a password combined with a Q&A is not a multi-factor authentication method. A subset of MFA is two-factor authentication (2FA – again with the TLAs) which is also called strong authentication, combining two of the factors. All of these terms are ambivalent, leaving room for interpretation, except that multi-factor method uses more than 1 factor.

Within the factor category, we have several different implementations. When you consider implementing an MFA scheme for your application, you must always consider the usability of the implementation. A good MFA method combines two or more factors and is often easier and more convenient to implement than the first computer-based authentication method, the password.

Why is Multi-Factor Authentication important?

Your employees need to connect to your organisational resources in increasingly complicated scenarios. They need to connect from organisation-owned, personal and public devices, on and off the corporate network using smartphones, tablets, PCs, and laptops, often on multiple platforms. In this always-connected, multi-device and multi-platform world, the security of user accounts is more important than ever. Passwords, no matter their complexity, used across devices, networks, and platforms, are no longer enough to ensure the security of the user account, especially when users tend to reuse passwords across accounts. Sophisticated phishing and other social engineering attacks can result in usernames and passwords being posted and sold across the dark web.

Criminals simply focus and adapt their tactics to locate and steal the data they find to be of most value. As their number and scope continue to increase, many companies are recognising the threat of data breaches. These days cybersecurity has become a top priority for many organisations, especially with the rise of cloud communications. Companies continue to transition to more cost-efficient cloud-based solutions. To address this concern, the majority of companies are implementing MFA and the MFA market is expected to double by 2022, compared with the year 2016. This shows that a lot of organisations think that MFA is, right now, an essential component of cybersecurity. It’s one of the best security measures you can implement to protect your company, users, and sensitive data.

How much of a fraud target is my business? 

Every type of organisation is at risk. Due to a multitude of factors such as your business model, the type of data transmitted and retained, customer base, and even the various technologies needed to secure your environment, certain industries are more prone than others to specific kinds of attack. By knowing where an attack is most likely to occur, you have the opportunity to optimise your resources and drive budget allocation.

If you’re a business like an accounting firm, a car dealer, a healthcare organisation, or anyone that stores customer data that could be valuable to hackers, your organisation may be more of a target. This is an indicator that you should focus more on security. In the accompanying graph, this may mean pulling the middle diagonal line up and into the green to require MFA in more scenarios than other companies might require.

If your customers rely heavily on your products or services and it would be difficult for them to change services, you may want to prioritise security instead of worrying that they’ll switch to a competitor if you require MFA slightly too often. This is especially true if you store sensitive customer data that may be a target for fraud.

Work with Managed IT Team in Perth

So, how can you determine when MFA should be required? The answer lies in striking the right balance between security and convenience with adaptive authentication. The team at Xenex Systems can assist you in taking the steps in planning and implementing the right MFA scheme for your business. Register here for a free audit with us.