Why multi-factor authentication must become the minimum standard

In far too many cases, all that stands between a hacker and their goal is a username and password: two pieces of information that are often far too easy to obtain. For any organisation with an internet-facing system that requires only a username and password for access, a security breach is almost an inevitability. Disagree? Let's look at the facts.

The 2019 Verizon Data Breach Investigations Report (DBIR) analyses 41,686 security incidents, with data provided by 67 different organisations. Amongst many other useful insights, the report showed that 80% of hacking-related security breaches involved default, weak or stolen user credentials. That 80% is only a 1% reduction compared to the 2017 release of the DBIR.

The website "haveibeenpwned.com", created by Troy Hunt, lets anyone easily check whether their user credentials appear in a major database breach or on a publicly accessible website (often known as a "paste"). The site currently holds details from:

  • 426 large database breaches
  • 9,320,366,166 compromised user accounts
  • 108,688 pastes
  • 132,910,978 paste accounts

Bear in mind that there is no such thing as an exhaustive list of all compromised user credentials. The numbers above are large, but they inevitably fall far short of the reality.

So I think it's fair to say that relying solely on a username and password to protect systems and their valuable data is not a viable security strategy. The practical solution is to make the method of authentication stronger, which is where multi-factor authentication - sometimes described as "two-factor" authentication - comes into play.

As mentioned, a username and a password are both just information: something that you know. Sometimes "security questions" such as "what is your dog's name?" or "where were you born?" are used to try to add another layer of security. These questions do not provide extra protection, because the answers are still just information, which could be obtained by fraud, malware, phishing or any of a dozen other methods. To add another factor of authentication, you would need to add one of the following:

  • Something you are - a biometric such as a fingerprint, or retina scan
  • Something you have - a smartcard or secure token
  • Somewhere you are - company headquarters or an authorised branch office

By requiring a username and password plus one of the authentication factors above, the login process becomes far more robust. It's no longer enough for a hacker to obtain the password; they must also satisfy an additional factor of authentication, which is often far more challenging to do.

The most prevalent second factor of authentication takes the form of a mobile app on a smartphone. In this scenario, when a user tries to authenticate with a service, one of two things will happen. Either a push notification will be sent to the registered mobile app, asking the user if they wish to permit the sign-in. Alternatively, the service will request that the user type in a "one-time password" (OTP) generated by the mobile app. Whichever authentication method is required, it's clear that the user cannot log in without their smartphone present. The value of the associated username and password to any hacker is now much reduced. This particular method of multi-factor authentication is both cheap to implement and easy to maintain. Most popular web services offer it entirely for free, including major platforms like Google, Microsoft, Amazon, Salesforce & Xero. The only requirement is for each user to have a smartphone, which approximately 45.12% of the world's population already do.

Don't get me wrong - classic password security still applies. Passwords should be both long and difficult to guess, and the existing best-practice guidance on password security remains in force. Multi-factor authentication is not an excuse for everyone to go back to using "password123" or "letmein". It does, however, provide risk mitigation for minimal investment. On that basis, it is my opinion that any system that requires authentication and is accessible over the internet must have multi-factor authentication as standard.
