Multi-Factor Authentication: Securing Access to your Data

by Omodesola Owojori

Introduction

Data is the powerhouse in this multi-faceted digital space. Multi-factor authentication (MFA) adds an extra layer of security to data access. MFA goes beyond passwords: it is user-focused and uses a combination of factors, usually during authentication but sometimes also in the authorisation phase of access control.

Emergence of MFA

Multi-factor authentication has been around since the 1900s but did not appeal to users. Personal users were concerned with convenience and stuck with traditional passwords, while organisations were concerned with the cost and complexity that accompany business adoption. The adoption and evolution of MFA accelerated in the mid-2000s with the rise of smartphone usage, as a large number of people could easily access codes, OTP, and SMS on their phones. A second factor of authentication (2FA) became more acceptable to users. In the late 2000s and early 2010s, hacks and data breaches emerged as serious cyber threats, while biometric MFA techniques like Touch ID and Face ID offered ease of implementation and support for wider adoption.

How MFA Works

Multi-factor authentication, just as the name suggests, requires you to verify your identity with at least two factors based on something you are (biometrics: Face ID, Touch ID, fingerprints, iris scan, etc.); something you know (passwords, PINs, security questions); and something you have (tokens, ATM cards, OTP, phone or other devices). These can be used in a number of creative combinations that are oftentimes altered to reduce the risk of automated attack tools.

Adaptive MFA

This involves the analysis of risk factors such as the user behaviour, location, IP address, network and device of the user to add extra layers of security. When security systems detect unusual activity such as a change in any of these factors, the user is required to provide additional verification in another factor. For example, if your password gets compromised, a malicious actor typically will attempt to log in from a different device, location, IP address, or network; adaptive MFA will require the malicious actor to verify user identity with a random MFA method.
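The adaptive check described above can be sketched as follows. This is an added example, not code from the article; the user, device names, enrolled methods, the /24 "same network" rule and the documentation-range IP addresses are all constructed assumptions.

```python
import ipaddress
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class LoginContext:
    device_id: str
    country: str
    ip: str

# Constructed sample data (hypothetical user, devices and documentation IPs).
KNOWN_CONTEXTS = {"alice": [LoginContext("laptop-01", "NG", "198.51.100.25")]}
ENROLLED_METHODS = {"alice": ["totp", "push", "fingerprint"]}

def same_network(ip_a, ip_b, prefix=24):
    """Treat two IPv4 addresses in the same /24 as one network (assumption)."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net

def changed_factors(user, ctx):
    """List the risk factors that match none of the user's known contexts."""
    seen = KNOWN_CONTEXTS.get(user, [])
    changed = []
    if not any(ctx.device_id == k.device_id for k in seen):
        changed.append("device")
    if not any(ctx.country == k.country for k in seen):
        changed.append("location")
    if not any(same_network(k.ip, ctx.ip) for k in seen):
        changed.append("network")
    return changed

def evaluate_login(user, ctx, password_ok):
    """Return (decision, changed factors, extra method to demand or None)."""
    if not password_ok:
        return ("deny", [], None)
    changed = changed_factors(user, ctx)
    if not changed:
        return ("allow", [], None)
    methods = ENROLLED_METHODS.get(user, [])
    if not methods:
        # Unusual context and nothing to step up with: fail closed.
        return ("deny", changed, None)
    # The article describes a randomly chosen additional method.
    return ("step_up", changed, secrets.choice(methods))

if __name__ == "__main__":
    usual = LoginContext("laptop-01", "NG", "198.51.100.77")
    odd = LoginContext("unknown-pc", "NG", "203.0.113.9")
    print(evaluate_login("alice", usual, True))
    print(evaluate_login("alice", odd, True))
```

A correct password from an unfamiliar device or network yields a step-up rather than access, which is the case the paragraph describes for a compromised password.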

Enhance Security with MFA

Using multi-factor authentication offers several key benefits in terms of enhancing security:

Defence Against Identity Theft

Malicious actors perpetrate identity theft for financial gain, to steal sensitive data, and to defraud your contacts. With MFA, you can reduce the risk of malicious actors gaining access to your account even if your password is compromised.

Mitigation Against Phishing Attacks

Phishing attacks are on the rise and are responsible for most of the data breaches that occur in the digital space. MFA does not stop the delivery of phishing emails, but it protects naive users who fall victim to phishing and have their credentials compromised by adding an extra layer of security against unauthorised access to their accounts.

Securing Remote Access

With the rise of remote/hybrid work environments, employees access company resources from different locations and devices without the organisation’s control over their network or environment. In this case, MFA can be deployed to safeguard business assets.

Compliance

MFA keeps you compliant with regulatory guidelines and standards like GDPR, HIPAA, and PCI DSS and helps you avoid fines and lawsuits.

Brute Force Attacks

These attacks involve hackers using automated tools that systematically test different combinations of passwords in an attempt to gain access to an account or system. MFA makes it much more difficult for attackers to gain access through brute-force attacks.

Best Practices for MFA

  • Independence of Authentication Mechanisms: A factor should be independent of another factor such that the compromise of one factor should not affect the confidentiality of another factor.
  • Out-of-band Authentication: Entering credentials on the same device that receives the authentication factors is not advised; the factors should be conveyed through different channels.
  • Password Length and Usage: Passwords should be difficult to guess, and the same passwords should not be used across accounts to avoid compromise from attacks. A password should be at least 8-12 characters with uppercase letters, lowercase letters, symbols, and numbers.
  • Sharing Credentials: Avoid sharing credentials and protect the factors you possess from replication or possession by unauthorised users.
  • Enforce MFA: Implement and enforce multi-factor authentication across your organisation. Create policies for the usage of MFA in your organisation and educate your users on its importance.
  • Use Inherent Factors: Wherever possible, use the “something you are” factor (biometrics). It is the most reliable method because it is still difficult for attackers to crack.

Every individual, small business, or large corporation must adopt MFA across accounts and devices to reduce the risk of data breach and identity theft. MFA can be exploited just like any other technology, but it is much more secure than just a username and password.

Adeife Victor

Data Analyst | Data Scientist | Machine Learning Engineer

1 week

Thanks for the very insightful piece
