Authentication: What is Multi-Factor?
Friday, April 21, 2017
Not Another One…
"Now Yahoo? Guess I have to change my password again."
In the current online security climate, it seems like an almost daily occurrence to see a major website notifying users to change their passwords after a security incident. Breaches can be quite disconcerting, especially if you, like most internet users, utilize a site or service that stores personal or confidential information. Secure, accurate, and quick authentication is more important than ever to help protect the privacy of both yourself and your customers.
Fortunately, there is an increasingly-implemented strategy that helps combat such data and identity theft by tightening security requirements. This strategy is called multi-factor authentication (also known as MFA).
What is Multi-Factor Authentication, and Why is it so Important?
Multi-factor authentication is a term that describes access control where a user must provide more than one authentication factor to prove they are an authorized user. “But wait just a minute,” you might ask, “what’s an authentication factor?”
Authentication factors are the items used to validate a user’s identity. These factors typically fall into one of three (3) categories:
- Possession Factors (“Something the user has”): A possession factor is an item only the user has in their possession or owns. Items in this category are usually a physical object like a USB token, mobile phone, physical key, or swipe card. (See image below.)
- Knowledge Factors (“Something the user knows”): Classified under the knowledge category is information that a user knows and typically memorizes. The most common knowledge factors (and authentication factors in general) are usernames and passwords. Other methods that fall under the knowledge category are security questions and answers, secret passphrases, PIN numbers, and secret images or other memory-based methods.
- Inherence Factors (“Something the user is”): Typically biometric in nature, factors under the Inherence category will be something uniquely inherent to the user. Examples of inherence factors might include scanning a user’s fingerprint(s), retina(s), facial characteristics, or voice recognition details.
Example of an RSA code-generating token (Possession Factor):
Multi-factor authentication provides additional confidence that a user is who they claim to be (i.e. authenticated). Two-factor authentication (2FA) is a form of multi-factor authentication, which simply requires two factors to authenticate a user. Multi-factor authentication can include 2 or more factors. Obviously, the more factors a user must provide to prove their identity, the harder it is for malicious attackers to achieve unauthorized system access. For this reason, many sites and services that deal with critical/confidential data utilize multi-factor authentication.
The multi-factor authentication process:
How do I properly implement or utilize multi-factor authentication?
A common misconception regarding multi-factor authentication involves what is called multi-layer authentication. Multi-layer authentication indicates access control where a user is required to provide multiple authentication components, typically in the same factor category. Authenticating with multiple components of the same factor does not classify as multi-factor authentication, which requires authentication via methods in multiple factor categories.
A common example of multi-layer authentication would be a login page requiring a username (knowledge factor), password (knowledge factor), and security question (knowledge factor). Since these all fall under the same category, this login page is utilizing multi-layer (but not multi-factor) authentication. To properly implement multi-factor authentication, a website/service must require the user to authenticate under more than one of the three (3) factor categories (knowledge, possession, or inherence).
Keeping all the above in mind, login security will only become increasingly significant in the foreseeable future. Users should take all necessary precautions to ensure they utilize security controls such as multi-factor authentication whenever possible. VPN and other remote connections to your network are prime candidates for a multi-factor authentication control and are now considered a best-practice. If a website allows you to implement two-factor authentication (using a password + token/text code), strongly consider employing the additional authentication measures to protect your identity, information, or money.
If your institution provides a service that may contain or transmit confidential information (account numbers, money, PII, etc.), it would be wise to seriously consider implementing true multi-factor authentication to ensure the privacy of your customers.
If you are looking for some additional details about passwords or password management, the SBS Institute has developed a role-based, financial institution-specific certification program devoted to building a better Information Security Program called the Certified Banking Security Manager (CBSM).
Written by: Dan Klosterman
Information Security Consultant- SBS CyberSecurity
Categories: SBS Blog