Multi-Factor Authentication and How it Can Protect Your Business
Multi-factor authentication (MFA) describes a process wherein a computer user is granted access only after successfully presenting two or more pieces of “evidence” to an “authentication mechanism” – in other words, it acts like a security system that requires more than one method of authentication, as demanded by independent categories of credentials, to verify a user’s identity for a login or other transaction.
The aforementioned independent credentials boil down to three elements: What the user knows (a password), what the user has (a security token) and what the user is (biometric verification). The goal here is to create a multi-layered defense and make it significantly more difficult for an unauthorized individual or party to gain access to a target, whether it’s a physical location, computing device, database or network. What’s most important to understand in all of this is that should one factor become compromised or “broken,” the attacker is still faced with additional barriers to breach before ever breaking into the primary target.
In this blog we’re going to cover the following aspects regarding multi-factor authentication:
- How multi-factor authentication works
- The types of authentication packages and solutions that exist
- The limitations associated with MFA
- How MFA can protect your business
One of the biggest challenges with traditional user ID and password login schemes is the need to maintain a password database: if that database is captured – whether encrypted or not – it gives an attacker an offline source against which to verify his/her guesses at speeds limited only by his/her hardware resources. Put succinctly, given enough time to eat away at it, a captured password database will fail.
Here at DMS iTech, we have seen it with our own eyes: so-called “brute force attacks” have become a genuine threat as CPU processing speeds have increased, while developments such as GPGPU password cracking and “rainbow tables” have opened similar highways for attackers. While these approaches are beyond the scope of this article, GPGPU cracking can, for example, test a staggering 500,000,000 passwords per second, while rainbow tables can be used to crack 14-character alphanumeric passwords in about 160 seconds.
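The reason a captured database fails is that every guess can be checked offline at the attacker's own hardware speed, so the defender's lever is the cost of each check. The following is an added example, written for this post and not code from DMS iTech, contrasting the weak storage scheme (one fast, unsalted hash per password) with a salted, deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library). The sample password, the 600,000-iteration work factor and the keyspace figures in the demo are constructed, illustrative values.

```python
import hashlib
import hmac
import os
import time

# Constructed sample credential for the demonstration (not real data).
SAMPLE_PASSWORD = "correct horse battery staple"


def hash_fast_unsalted(password: str) -> str:
    """The weak scheme: a single SHA-256 of the password, no salt.
    Identical passwords hash identically across users, and each guess
    costs the attacker exactly one cheap hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_slow_salted(password: str, iterations: int = 600_000, salt: bytes = None) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt and a large iteration count
    (600,000 is an assumed work factor; tune it to your hardware budget).
    The salt defeats precomputed tables such as rainbow tables, and the
    iteration count multiplies the cost of every offline guess."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record so the work factor can be raised later per user.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_slow_salted(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt and iteration count and
    compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def seconds_per_guess(hasher, samples: int = 5) -> float:
    """Rough single-core cost of one guess against `hasher` on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        hasher(f"guess-{i}")
    return (time.perf_counter() - start) / samples


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    record = hash_slow_salted(SAMPLE_PASSWORD)
    print("stored record:", record)
    print("verify correct :", verify_slow_salted(SAMPLE_PASSWORD, record))
    print("verify wrong   :", verify_slow_salted("password1", record))

    fast = seconds_per_guess(hash_fast_unsalted)
    slow = seconds_per_guess(lambda p: hash_slow_salted(p, iterations=600_000))
    print(f"one guess: sha256 {fast:.2e}s, pbkdf2 {slow:.2e}s, ratio ~{slow / fast:,.0f}x")

    # Constructed comparison: 8-character lowercase keyspace at a fast hash rate
    # of 500,000,000 guesses/s versus that rate divided by the KDF slowdown.
    keyspace = 26 ** 8
    fast_rate = 5e8
    print(f"8 lowercase chars, fast hash : {seconds_to_exhaust(keyspace, fast_rate):,.0f} s")
    print(f"8 lowercase chars, slow KDF  : {seconds_to_exhaust(keyspace, fast_rate / (slow / fast)):,.0f} s")
```

Per-user salts mean an attacker must redo the work for every account rather than once for the whole database, and the iteration count is what turns "limited only by hardware" into a cost the attacker actually has to pay. Neither changes the fact that a leaked database is a breach, which is exactly where the second factor described below earns its keep.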
You should, at this point, be getting the feeling that this is all very dangerous.
How it Works
Though we touched on this in the opening paragraphs, the way in which multi-factor authentication is used (i.e. how it works) is an important enough topic to warrant its own section, if only to ram home the point that credential theft is a serious concern. More and more reputable websites are fighting back against this threat by allowing users to enable multi-factor authentication, usually in the form of 2FA (two-factor authentication), with these sites usually using “knowledge” and “possession” evidence (or “something you know” and “something you have”).
Meanwhile, a more secure 2FA method used by a number of reputable MFA applications (including Authy, Duo and Google Authenticator; we’ll get to some of these in a bit) creates a “seed” key on your mobile phone by scanning a QR code; that seed is then combined with a time stamp, which allows the provider and your device to rotate codes at a given interval without ever sharing them over insecure networks. These are referred to as time-based one-time passwords (TOTP) and provide adequate protection against a plethora of different attack vectors, relying on your phone’s hardware rather than its ability to receive SMS messages.
Types of Authentication Packages and Solutions Available
There is a myriad of authentication packages and solutions out there on the market, ranging from built-in options from Microsoft and third-party options from Duo to SMS/text, app/software, token and RSA key approaches.
By installing multi-factor authentication software, you will be well on your way to improving security across your company by requiring additional authentication measures for access to sensitive information, systems or applications. Or, to put it another way: rather than a simple username and password prompt, users will be prompted to provide an SMS code, biometric verification or email confirmation to properly identify themselves.
The following are the more popular ways of entering the world of multi-factor authentication.
- Duo Security – Duo’s Trusted Access platform protects users, data and applications from malicious hackers and data breaches by addressing security threats before they become a problem.
- Microsoft Azure MFA – This option from Microsoft helps safeguard access to data and applications while maintaining user simplicity. What’s more, it provides additional security by demanding a second form of authentication and delivers powerful authentication via a range of easy-to-use authentication methods.
- SMS/Text – Despite some flaws, SMS as an approach to MFA is an easy way to improve security for a large user base; SMS-based MFA can help reduce complexity since most people are familiar with text messaging, and it doesn’t require the user to download and set up an additional app.
- Apps/Software – Using software or app-based two-factor authentication on a device you own is a great way to protect your account, and far better than simply using SMS; any service that supports the standard 2FA approach will work with apps such as Google Authenticator, LastPass Authenticator, Microsoft Authenticator, Authy, Yubico and Titan Security Key.
- Token-Based Authentication – In this approach, users who attempt to log in to a server, network or some other secure system are authenticated using a security “token” provided by the server. The service then validates the security token and processes the user’s request.
- RSA Key-Based Authentication – Public key authentication provides cryptographic strength that even very long passwords can’t offer; other usability benefits include allowing users to implement single sign-on across the SSH servers they connect to and automated passwordless login, a key enabler for the countless secure automation processes that execute within enterprise networks globally.
Limitations Associated with MFA
While some may be lazy or come up with unoriginal, weak passwords that are easy to break, that doesn’t mean strong passwords are instantly indestructible – in fact, they can be intercepted, keylogged or leaked in large data breaches.
As with anything, issues can arise, and the following are the three big limitations/disadvantages of multi-factor authentication.
- Factors Can Get Lost – In situations wherein there is a loss of power or your phone is damaged by water, you won’t be able to get your SMS codes as the second authentication factor; relying on a USB key as a second factor is risky, as well.
- False Security – You can follow two-factor authentication protocols and still have your account breached.
- It Can Be Turned Against Users – While two-factor authentication is intended to keep hackers out of your account, the opposite can also occur: Hackers can reconfigure or set up two-factor authentication to keep you out of your own accounts.
How Can MFA Protect Your Business?
Multi-factor authentication can play a crucial role in your overall cybersecurity strategy, adding a further layer of verification to the login process. MFA is all about making it more difficult for hackers to access your company’s sensitive data, email addresses, files, company credit card numbers, sign-in information and even personal data.
The scope of what this all covers is truly too extensive to showcase in one blog post, but if you have any additional questions about multi-factor authentication, feel free to contact DMS iTech, your IT specialists dedicated to protecting you well into the future.