Beyond Passwords: Discovering Multi-Factor Authentication

For the average user, keeping her data private and safe is a priority. The same task is even more important for firms that need to keep their assets protected in order to be able to operate smoothly, as well as to maintain their reputation and competitive advantage.

The simplest and most popular line of defense is a standard password-based authentication. Surprisingly, even today, many corporate security systems rely entirely on “secret” passwords. This approach has a number of disadvantages. First, people tend to pick passwords that are easy to remember, which sadly makes them easy to guess. For example, a study by Morris and Thompson on password security found that over 15% of users picked passwords shorter or equal to three characters. Furthermore, they found that 85% of all passwords could be trivially broken through a simple, dictionary based, exhaustive search. Further, the user’s desire for simplicity often motivates them to pick the same password across multiple applications. While this makes authentication easier, it also increases the vulnerability of the involved platforms: if one password is cracked, then all applications are compromised. Finally, passwords can often be easier to crack if the attacker has access to the user’s personal information, such as her first name, last name or phone number, as this type of information is often used to populate passwords.

Stories on leaked and cracked passwords involving large corporations often find their way into mainstream media. Last year, 000Webhost, one of the world’s most popular free hosting firms, suffered a major data breach that exposed more than 13.5 Million of its customers’ personal records. The company repeatedly failed to pay attention to early warnings and did not follow fundamental and standard security practices to ensure the security of its customers. In annoyer recent high-profile case, a hacker offered to sell the emails and passwords of 360 million Myspace for a mere $2,800. In 2014, 2 million stolen Facebook, Yahoo, and Google passwords were posted online. Unsurprisingly, the stolen passwords were weak ones. The most frequently stolen password was “123456”, followed by “123456789”, “1234” and “password”.

Despite their shortcomings, passwords are not going to become obsolete any time soon. They are easy to use and can offer some protection if users are diligent and tech-savvy enough to use them properly. The problem is not that password-based authentication is useless: it is that it simply not enough. Thankfully, there is no need for a firm to bet the security of its treasures on user-selected passwords. The state-of-the-art has evolved to multi-factor authentication (MFA), an approach that combines several methods to introduce multiple layers of security between the attacker and the firm’s valuable information. These factors are typically based on:

•         Who you are  (voice, fingerprint, retina scanning)
•         What you know (passwords, passphrases, PINs)
•         What you have (smartcards, RSA tokens)
•         What you do (browsing patterns, access time and location)

Each of these factor types comes with its own advantages and disadvantages. For instance, biometrics are unique and very hard to replicate but also quite expensive to implement. In addition, while adding more factors can indeed lead to a more secure infrastructure, this will only happen if the final set includes complementary factors from different types that cover each other’s vulnerabilities to different attack methods. Therefore, it is critical for a firm to seek professional help in order to choose the factor combination that best fits its budget, circumstances, and security needs.

Traditional password-based authentication had its run but it is no longer enough to address the threats of the modern digital world. MFA is here to stay and it is up to us to educate ourselves and our peers on how it works and what it has to offer.