Multifactor Authentication (MFA): When More Passwords Aren’t Enough

Takeaway: Multifactor authentication (MFA) forces users to provide multiple kinds of verification, not just different versions of the same thing. That makes a system much harder for an attacker to break into than simply asking for more passwords. So, look for apps that build basic MFA principles into their security setup.

Multifactor authentication (MFA) adds valuable layers of protection to online services.

Multifactor authentication (MFA) is a way of putting data and services behind multiple layers of protection. It forces users to verify their identity with two or more credentials of different kinds (e.g., a password and a fingerprint), making it significantly harder for an attacker to get in. Stealing your wallet or breaking into a password vault won’t be enough, because the attacker will most likely also need your phone (for a security code) or a biometric (e.g., a thumbprint). The same goes for social-engineering attacks like phishing. Either way, intruders need more credentials than a single compromise can give them.

MFA works by tapping into multiple parts of your identity.

MFA doesn’t just ask for random bits of information. Instead, it tests specific aspects of your identity. Usually, that means asking for something you know (e.g., a password, PIN, pattern code, or security question), something you have (e.g., a smart card, a mobile token, or a Bluetooth proximity device), and/or something you are (a biometric, e.g., a fingerprint, voice sample, or facial scan). It might be easy for someone to get hold of one of these elements, but two or three? Unlikely.

Using more than one factor is important because passwords are beatable.

Passwords are great, but they’re not foolproof, mainly because they’re based on information someone else might know or guess. And even if they can’t guess it, they can use password-cracking tools to cycle through thousands of permutations in minutes and brute-force your password. Alternatively, they can trick you into sharing your password, or simply stumble upon it if you get careless (e.g., you write your password on a note stuck to your computer screen).

That’s why simply adding more passwords isn’t enough, either.

It’s important not to confuse multifactor authentication with multistep authentication. With multistep authentication, you’re dealing with a system designed to be entered in stages. So, you might have multiple passwords, each of which takes you further into the system and gives you access to more information. The trouble is that we’re still working with passwords and their limitations. Cracking several passwords takes longer than cracking one, but it’s the same process, and criminals will still get into your system eventually. In contrast, MFA forces users to provide two different types of information. So, intruders might be able to brute-force your password, but they’ll also have to find a way to guess or obtain your randomly generated security code (which resets itself within minutes). Crucially, they’ll need both pieces of data at the same time.

Note that the best systems require authentication and authorization.

It’s worth pointing out that some systems separate authentication from authorization. So, a password might let you into a system but not let you do anything you want. Instead, there could be a separate authorization process before you can, say, alter system data. For example, if you provide a password, your online bank might let you check your account balance, pay bills, and so on. But to change profile information, you’ll likely need separate authorization. Just because you’ve been authenticated doesn’t mean you’ve been authorized.

The simplest data protection solution is two-factor authentication.

With two-factor authentication (2FA), you pair a randomly generated token, e.g., a one-time password (OTP), with a regular password. Using a second factor (i.e., a different type of data) makes an attacker’s job more complicated while keeping data protection simple. That’s because you only need an OTP generator like Google Authenticator to make the system work. And this simplicity is essential, because users tend to get impatient with complex security, even when they’re better off for it. Still, somebody can compromise your authenticator app, steal your phone, or intercept an OTP in transit. So, 2FA is excellent, but ideally you’d want more factors.

Whatever the factor count, it’s vital to keep things decentralized.

These layers of protection work best when the process is decentralized. That means signing in via your phone, for example, so that the verification happens on your device rather than in a central database. This way, attackers would have to break into many individual phones (rather than a single website) to meddle with sign-ins. And because the credentials are so widely distributed, attackers have less incentive to try in the first place. Also, by using phones for authentication, we’re tapping into their existing authentication technology (e.g., fingerprint sensors), a much more efficient use of resources. App developers won’t have to blow their budget duplicating your phone’s hardware just to offer a verification feature.

Where possible, it’s best to keep the process ‘dynamic,’ too.

Dynamic authentication works by matching the required verification data to the context. The system continually monitors all the data available and asks for whatever is most relevant. For instance, if the transaction’s IP address matches the one reported by your browser, the system might trust your phone but still want to confirm that it’s you using it, so it’ll ask for a thumbprint. In a different situation it might ask for an OTP instead, if that’s the most relevant verification at the time. The system continually assesses risk and asks for whatever information minimizes that risk.

So, what can we learn from all this? Find and use apps built on MFA principles, even if they don’t have full-fledged MFA.

All the best applications have two-factor authentication and in-app authorization. For instance, eDiscovery applications have user permissions that allow some users to view data but not edit it, others to edit but not delete it, and so on. (This is in addition to sign-in passwords and Google Authenticator codes.) So, the next time you evaluate a new app, consider how many of these authentication best practices it uses, especially if you’re handing over sensitive or privileged information. And remember, simply adding more passwords is rarely the way to better security.
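The authentication/authorization split and the dynamic, risk-based step-up described above can be expressed as one small policy. This is an added example, not GoldFynch’s code or any eDiscovery product’s: a session records which factors have already been verified, a role table decides what the user may do at all, and a context check decides whether the current request warrants an extra factor before a sensitive action runs. The role names, permission sets, risk rules and factor names (`password`, `otp`, `biometric`) are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Action(Enum):
    VIEW = "view"
    EDIT = "edit"
    DELETE = "delete"
    CHANGE_PROFILE = "change_profile"


# Authorization table (constructed): what each role may do, regardless of how the user signed in.
ROLE_PERMISSIONS = {
    "viewer": {Action.VIEW},
    "editor": {Action.VIEW, Action.EDIT},
    "admin": {Action.VIEW, Action.EDIT, Action.DELETE, Action.CHANGE_PROFILE},
}

# Actions that should never run on a password alone (constructed).
SENSITIVE = {Action.DELETE, Action.CHANGE_PROFILE}


@dataclass
class Session:
    user: str
    role: str
    factors: set = field(default_factory=set)  # factors verified so far: "password", "otp", "biometric"
    login_ip: str = ""                          # address seen when the session was created
    request_ip: str = ""                        # address of the current request
    known_device: bool = False                  # device previously enrolled (e.g. has a fingerprint sensor on file)


@dataclass
class Decision:
    allowed: bool
    step_up: Optional[str] = None   # factor the user must supply before retrying, if any
    reason: str = ""


def authorize(session: Session, action: Action) -> Decision:
    """Authentication got the user in; this decides whether they may perform `action` right now."""
    if "password" not in session.factors:
        return Decision(False, reason="not authenticated")

    # Static authorization first: a role that may never do this is refused outright,
    # so the step-up prompt can't be used to learn which factors the account has.
    if action not in ROLE_PERMISSIONS.get(session.role, set()):
        return Decision(False, reason=f"{session.role} is not authorized for {action.value}")

    # Dynamic part: choose the extra factor that best fits the current context (constructed rules).
    if session.request_ip != session.login_ip and "otp" not in session.factors:
        return Decision(False, step_up="otp",
                        reason="request comes from a different network than the sign-in")
    if action in SENSITIVE:
        if session.known_device and "biometric" not in session.factors:
            return Decision(False, step_up="biometric",
                            reason="sensitive action on a trusted device: confirm it is really you")
        if not session.known_device and "otp" not in session.factors:
            return Decision(False, step_up="otp",
                            reason="sensitive action on an unknown device")
    return Decision(True, reason="authenticated and authorized")


def complete_step_up(session: Session, factor: str, verified: bool) -> Session:
    """Record a factor once the corresponding check (OTP code, fingerprint, ...) has succeeded."""
    if verified:
        session.factors.add(factor)
    return session


if __name__ == "__main__":
    admin = Session("bob", "admin", {"password"}, "10.0.0.5", "10.0.0.5", known_device=True)
    print(authorize(admin, Action.VIEW))        # allowed on the password alone
    print(authorize(admin, Action.DELETE))      # step_up="biometric": trusted device, sensitive action
    complete_step_up(admin, "biometric", verified=True)
    print(authorize(admin, Action.DELETE))      # allowed now that both factors are on the session
    editor = Session("alice", "editor", {"password"}, "10.0.0.5", "10.0.0.5", known_device=True)
    print(authorize(editor, Action.DELETE))     # refused: no factor count makes an editor an admin
```

The order of the checks is the point: being authenticated with every factor still doesn’t grant an editor the right to delete, and the role check runs before any step-up so that an unauthorized user is never asked for a factor they cannot use.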
