Multi-factor Authentication. What is it, and why should you use it?
What is Multi-factor Authentication?
Typically when we think of authentication, we think of the task of logging on to our computer. This is usually completed by entering our username and password to gain access to a system. An authentication factor is a category of credential used for identity verification. There are three main categories in which authentication can fall. What you know, what you have, and what you are. There are other factors that can be considered but for this article will remain focused on these three.
Some examples of what you know, sometimes called knowledge factors, are user names or IDs, passwords, PINs and the answers to secret questions. Examples of what you have, also known as possession factors, can be anything a user must have in their possession in order to log in, such as a security token, a key fob, an employee ID card or a phone’s SIM card. What you are refers to biometric factors such as retina scans, iris scans, fingerprint scans, facial recognition, and voice recognition. There are other examples of authentication, but that is not the scope of this article.
Multi-factor authentication (MFA) is a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction. The goal of MFA is to create a layered defense and make it more difficult for an unauthorized person to access a target such as a physical location, computing device, network or database. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target.
Some examples of using multi-factor authentication can be seen in spy movies, where an agent walks up to a secured door, and they need to enter a code on a keypad. If the correct number is entered, then a second device will come out that the agent must use to scan their retinas. If the keyed entry and the retina scan match, then the door to the vault or secret lab will open. This scenario uses the “what you know” method, the code for the keypad, and the “what you are” method, the biometric scan of their retina. Though this may seem far-fetched, it is a real process used in certain institutions.
A more common example that people use in everyday life is one that they may not realize is a process of MFA. This is using a bank card at an ATM machine. The first layer of authentication that is used in this type of transaction is the “what you have” method. In this case, the user has a bank card. The second authentication factor is “what you know”, referring to the code that is entered on the keypad.
Why should you use multi-factor authentication in your business?
Identity theft is an easy, low-risk, high-reward type of crime and a threat to all businesses. It is the fastest-growing type of crime and is now more profitable than drug-related crimes.
Weak or stolen user credentials are hackers' weapon of choice, used in 95 percent of all Web application attacks.
From 2013 to 2014, the number of successful breaches went up by 27.5 percent, and has increased every year. The malicious actors are winning the war.
Headlines tend to belong to the household-name companies, but they are not the only companies being targeted. Of all targeted attacks, 31 percent are aimed at businesses with fewer than 250 employees.
Anti-virus systems and advanced firewalls are necessary security elements, as are vulnerability tests. Without user authentication, though, the front door is wide open to intruders.
Password theft is constantly evolving as hackers employ methods like keylogging, phishing, and pharming.
Cyber criminals do more than merely steal data. Often they destroy data, change programs or services, or use servers to transmit propaganda, spam, or malicious code.
Benefits of Multi-factor Authentication.
While the obvious reason for multi-factor authentication is that it adds additional layers of security there are other benefits as well. Almost every organization has some level of local, state, and/or federal compliance to which they must adhere. Many of these regulations specify that organizations must utilize MFA under certain circumstances, like when accessing particular types of data or connecting from certain locations. There is pressure for organizations to maintain compliance in order to mitigate audit findings and avoid potential fines and other penalties. Being able to achieve the necessary compliance requirements specific to an organization which in turn mitigate audit findings and avoiding potential fines. And finally, being able to remove the burden of passwords by replacing them with alternatives has the potential to increase productivity and bring a better usability experience due to the increased flexibility of factor types. In the right environment and situation, there could even be an opportunity for a potential reduction in operational costs.
Each organization is different, and therefore, will have unique needs. While the right MFA solution should strike a balance between added security and user convenience, there’s no magic, one-size-fits-all solution that works for every organization. Thus, it’s crucial that you thoroughly understand your organization’s motivations and needs for multi factor authentication, as well as MFA’s challenges and benefits to ensure you select a solution that’s right for your organization.