Over the years, Multi-factor Authentication (MFA) — also referred to as second-factor, or 2FA, where only one additional factor is used — has emerged as one of the most effective strategies for strengthening the security of the user authentication processes. MFA goes beyond relying on a single method of identity verification in order to provide an additional layer of defence.
MFA is an effective way of meeting the core requirements of any authentication system, which include:
- Confidentiality: By requiring multiple forms of verification, MFA ensures that even if one factor is compromised (e.g., a password is stolen), the attacker will still not have access to the system without the other factors.
- Integrity: MFA strengthens the system’s ability to confirm that the person attempting to authenticate is indeed who they claim to be.
- Availability: Through a combination of factors (something you know, something you are, and something you own), MFA ensures that users can still access systems securely even if one method fails or is unavailable.
- Scalability: MFA is flexible and can be adjusted based on the sensitivity of the application or system. For example, more critical systems may require stricter authentication protocols than less security-sensitive ones.
What exactly is a Factor?
In essence, “factor” is the term given to any mechanism for user authentication, and a security process that requires a user to provide more than one authentication factor — ideally where the (additional) factors are also of a different form — is the fundamental premise of MFA. Using MFA ensures that even if one factor is compromised, an attacker would still need to bypass additional barriers to achieve successful authentication.
Something You Know
The first of the three forms of authentication factor is the most traditional and still the most widely used as the de facto first-factor login mechanism. With a knowledge-based factor, the user must provide something that only they should know — such as a Password or a PIN — either directly or indirectly via some Social or Federated process.
The main purpose here is to ensure that the individual attempting to log in is familiar with a secret piece of information only they should know. Since the legitimate user is the only one who should know the secret, it ensures that unauthorized individuals cannot easily pretend to be that legitimate user.
A knowledge-based factor is typically something easy to remember and understand, which in turn makes the user experience as straightforward and frictionless as possible. However, this also makes it exposed to risks such as Password Theft, Social Engineering, Brute Force, or forms of Phishing attack.
Something You Own
The next form of factor requires the user to provide something physical or tangible that they possess. This verifies that the user has access to a specific device or item, thus adding another layer of security. In this case, even if a malicious actor obtains a knowledge-based factor (e.g., a Password), they would still need physical access to the possession-based factor to pass legitimate authentication.
When it comes to the “something you own” category, arguably the most common form of device used today is the Smartphone, which can be used for receiving an OTP via SMS and also for Push Notifications. Hardware Tokens also fit into this category, being physical devices that generate one-time authentication codes (OTPs) at fixed intervals, as do Smartcards and USB Security Key devices like YubiKeys, which must be inserted into a USB port or tapped in proximity to an NFC-enabled device.
Whilst not strictly physical per se, Authenticator Apps such as Google Authenticator or Microsoft Authenticator, which are used in conjunction with smart devices, also fit into this category and generate unique authentication codes via the timed one-time passwords (TOTP) mechanism.
The strength of a possession-based factor lies in the premise that it’s much harder to steal or replicate physical items, thus increasing the level of confidence that the person requesting authenticated access is actually in possession of the physical device. This makes remote/Phishing-based attacks much more difficult as it’s harder to steal, replicate, or even emulate the physical item; a malicious actor would need access to the device itself, making attacks significantly more challenging.
However, with a possession-based factor, the physical device is vulnerable to loss or theft, which could lead to unauthorized access if that item is not properly secured or recovered.
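To make the TOTP mechanism behind authenticator apps concrete, here is an added example (not code from the original article or from any authenticator product) implementing RFC 4226 HOTP and RFC 6238 TOTP with the Python standard library, plus the server-side verification a relying party needs: a small drift window, a constant-time comparison, and rejection of already-used time steps so a captured code cannot be replayed. The secret is the published RFC reference seed, used here purely as a constructed demo value.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226 / RFC 6238 reference seed
# (ASCII "12345678901234567890"). A real deployment uses a random secret
# shared with the authenticator app at enrolment (e.g. via QR code).
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # standard TOTP time step
DIGITS = 6          # code length shown by most authenticator apps


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_accepted_step: int = -1, window: int = 1):
    """Server-side check. Returns the accepted time step, or None.
    - Accepts the current step and +/- `window` neighbours for clock drift.
    - Refuses any step <= last_accepted_step (caller persists this value),
      so a code observed by an attacker cannot be replayed.
    - Uses a constant-time comparison to avoid timing side channels."""
    current = unix_time // STEP_SECONDS
    for step in range(current - window, current + window + 1):
        if step <= last_accepted_step:
            continue
        if hmac.compare_digest(hotp(secret, step), submitted):
            return step
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    accepted = verify_totp(DEMO_SECRET, code, now)
    print(f"code={code} accepted_step={accepted}")
    # Presenting the same code again must fail once its step is recorded.
    print("replay accepted:", verify_totp(DEMO_SECRET, code, now, accepted))
```

The fixed-time values asserted against the RFC test vectors show the same code arriving from both the counter-based and time-based paths (time 59 falls in step 1).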
Something You Are
The third factor is based on something intrinsic to the user — typically a unique physical characteristic such as a fingerprint or a facial scan.
Biometric authentication methods are increasingly being integrated as part of user authentication due to their uniqueness and their difficulty to replicate — as well as their near-ubiquitous availability through modern smartphone technology. In today’s digital economy, most users possess one or more smartphone devices, so many find Biometric authentication second nature as well as more convenient than remembering complex passwords or carrying some other physical technology.
Biometric factors are tied to individual traits that are extremely difficult to replicate, providing a strong level of assurance in verifying identity. Since biometric data is inherently unique to each person, it provides a strong layer of security that is difficult for attackers to bypass. However, the technology is not foolproof and can still be susceptible to spoofing techniques (e.g., using photographic simulations or artificial fingerprints).
The storage of biometric data also raises concerns when it comes to user privacy and potential data breaches. Passkeys and the WebAuthn credential technology on which they’re based neatly address this, as sensitive biological data never needs to be stored outside of the device used to verify its authenticity.
Factor Augmentation
In addition, supplementary considerations are sometimes used to increase security even further. These can include:
- Location-Based Processing: This involves verifying a user’s location through their IP address, GPS data, or other location-tracking technologies. If the authentication request comes from an unusual or unauthorized location, the system may require additional verification.
- Time-Based Processing: Authentication systems can enforce login restrictions based on time. For example, access might only be granted during specific hours or from certain regions, limiting the window of opportunity for attackers.
- Behavioral Analytics: This method uses machine learning and artificial intelligence to monitor how users interact with a system. Unusual or anomalous behaviour (such as logging in from an unfamiliar device or accessing data at odd times) might trigger additional authentication requests.