Multi-Factor Authentication. Two-Factor Authentication. One-Time Password.
3 Names. 1 Security necessity.
Multi-Factor Authentication (MFA) refers to an approach to securing accounts by requiring multiple forms of authentication or identification from a user to verify their login credentials.
MFA combines any two of these three things:
- Something the user knows --> Username and Password
- Something the user has --> Authentication Code
- Something the user is --> Biometric Authentication
The ultimate goal of MFA is to keep hackers out by adding additional levels of security, preferably ones that are extremely difficult to breach.
According to Gemalto, a digital security firm, 2.6 billion records were lost, stolen or breached online in 2017, and based on research by IBM the average total cost of a data breach is 3.92 million globally, with a US average of 8.19 million. We live, work, and own businesses in the most expensive country in which to experience and recover from a data breach, so we should be doing everything in our power to avoid a disaster.
These honestly terrifying statistics are why MFA is so vital to the future security of your business.
So let's dive into the three different aspects of MFA.
Something the User Knows: Username & Password
At one time passwords were enough. Having a secure password that only you knew and that complied with company security standards was all you needed. Unfortunately that is no longer the case. As cybercriminals began to employ things like keylogging software and phishing and pharming attacks, passwords became less and less effective. Don't get us wrong, well-thought-out, strong passwords are necessary and a good start, but according to a recent report, 81% of hacking-related breaches were accomplished using stolen or weak passwords, and even though employees know that reusing old passwords is a bad habit:
- 52% of users have the same password for different services
- 59% of users reuse the same passwords both at home and at work
- 70% of users reuse passwords for various work accounts
- 54% of users use five or fewer passwords in total
- 70% of users use passwords compromised within the last year
- 40% of users use passwords compromised within the last three years
See why we say passwords aren't cutting it anymore?
Based on these statistics and what we know about the sophistication of cybercriminals, it's safe to say the idea of a secure password is essentially obsolete. This is why Multi-Factor Authentication brings in something the user has or something the user is.
Something the User Has: Authentication Codes
This secondary form of authentication includes anything the user physically has in their possession, or has digital access to (for example through a smartphone), at the time of the login attempt. There are a lot of different "possession security factors" available for your employees to use as an MFA resource.
A security token is a physical piece of hardware that your employees keep with them. Many of these tokens resemble a key fob or a USB key or device. Security tokens are pretty simple: they show you a code for the associated account, which you then input when prompted. This code changes at set time intervals and will not be the same for subsequent logins.
One-Time Password (OTP)
Today's OTPs are typically software based and require the user to have access to their phone or email. OTPs are automatically generated when a user attempts to log in to an account and are texted or emailed to the user to input. Most OTPs you see are short, unique numerical codes that are different for each login attempt and expire after a set period of time.
Authenticator applications require the user to have access to the app on their smartphone or desktop. They work essentially the same way as a One-Time Password. After setting up the app you can configure multiple accounts to use the authenticator with. Each time you open the application it will give you a unique numerical value for each registered account, and you will select the one you need at that time.
For example, say I use Duo and I have linked it to my Google account, Microsoft account, and LastPass account, but I only need a verification code for the LastPass account. When I open Duo it will give me a different code for each account, but I will only be looking for the code assigned to LastPass. These codes typically expire in 60 seconds and are then regenerated.
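The texted or emailed OTP described above only works if the server side enforces the properties the paragraph lists: the code is unpredictable, it is different for every login attempt, it expires after a set period, and it can be used once. The following is an added example (not code from the original post) of a small server-side OTP service that does exactly that; delivery by SMS or email is left to the caller, and the five-minute lifetime and five-attempt limit are assumptions chosen for the example.

```python
"""Server-side issuance and verification of short-lived, single-use OTPs.
Added example; not from the original post. The TTL and attempt limit below
are assumptions for illustration, not values from the post."""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
TTL_SECONDS = 300       # assumption: a code expires five minutes after issue
MAX_ATTEMPTS = 5        # assumption: discard the code after five wrong guesses


@dataclass
class PendingOTP:
    code: str
    expires_at: float
    attempts: int = 0


class OTPService:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so expiry can be tested
        self._pending = {}           # user_id -> PendingOTP (one live code per user)

    def issue(self, user_id: str) -> str:
        """Generate a fresh code for this login attempt; the caller sends it."""
        # secrets, not random: the code must be unpredictable to an attacker
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        # issuing a new code replaces any older one, so each attempt differs
        self._pending[user_id] = PendingOTP(code, self._clock() + TTL_SECONDS)
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        """True only for the current, unexpired, unused code for this user."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[user_id]        # expired: the user must request a new one
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]        # too many guesses: code is burned
            return False
        # constant-time compare so timing does not leak how many digits matched
        ok = hmac.compare_digest(entry.code.encode(), submitted.encode())
        if ok:
            del self._pending[user_id]        # single use: replaying the code fails
        return ok


if __name__ == "__main__":
    svc = OTPService()
    code = svc.issue("alice")                 # in practice: hand this to the SMS/email sender
    print("first use:", svc.verify("alice", code))   # True
    print("replay:", svc.verify("alice", code))      # False
```

The injectable clock is what lets the expiry path be tested without sleeping; in production the default `time.time` is used. Storing one pending code per user means a new login attempt invalidates the previous code, which matches the "different for each login attempt" behaviour the post describes.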
Popular authenticator applications include:
- Google Authenticator
- LastPass Authenticator
- Microsoft Authenticator
As the majority of your employees tend to have access to their smartphones at all times, these authenticator apps can be a great and simple way to implement MFA.
While these authentication methods are secure, they are still vulnerable and can be rendered useless if an attacker gains possession of the physical token or factor. That is exactly why many are finding that the most secure way to implement MFA is to use a secondary form of identification that is really hard to replicate: the employee themselves.
Something the User Is: Biometric Authentication
Biometric authentication relies on the biological characteristics of the user as a second security factor to log them into their account. We've seen this most recently with smartphones and computers using facial recognition or fingerprint scanning, and it's making its way into more and more MFA systems.
The most common biometric security technologies include:
- Retinal Scanning: uses an image of the unique pattern of the individual's retinal blood vessels to verify their identity.
- Fingerprint Scanning: uses the individual's unique fingerprint as a login credential.
- Facial Recognition: uses 80 different points on the human face to derive an associated numerical code known as a faceprint.
- Voice Recognition: uses unique vocal characteristics, much like retinas or fingerprints, to identify an individual.
It's not hard to see why biometric security technologies are being used whenever possible, as these secondary forms of identification are the hardest for cybercriminals to replicate.
Making the Transition
While it seems daunting to think about bringing MFA to your business, the reality is it's quite simple. Because it's already being used in so many different industries, many business applications and services make rolling out MFA as simple as clicking a button. For example, to enable MFA for Google or Microsoft all it takes is one click from the account administrator, and the system will walk you and your employees through the setup process. Check out twofactorauth.org to find out whether the applications and services you're already using offer MFA as an option for your accounts.
You may also be leery of how the transition will work for your employees, but there's a good chance they have already encountered MFA on their personal accounts. As an example, when I log in to my TV provider application I first log in with my username and password, and then am texted a code (an OTP) to complete the login attempt, and for my banking app I log in on my phone using both my username and password and facial recognition. It's not as drastic a change as many believe, and if you're not sure where to start the process it's always a good idea to check with your IT team. They should leap at the chance to add more security measures, and if you don't have an IT team give us a call, we would love to help!
Follow up with us in a couple weeks for part two in our Multi-Factor Authentication series where we talk about the many types of threats MFA helps protect your data, employees, and customers from.