Multi-factor authentication (MFA) means proving a user's identity with two or more independent credentials drawn from different categories. It reduces the likelihood of account takeover because an attacker who obtains one credential, typically the password, still cannot complete authentication. Many applications and accounts build their access control on the following three stages:
- Identification – how a user is identified, typically through a username.
- Authentication – how a user proves their identity, typically through something they know, something they own, or something they are.
- Authorisation – the set of activities that the user is allowed to perform.
Multi-factor authentication strengthens the authentication stage, where identity can be verified using factors from three categories: something the user knows, something the user owns, or something the user is.
Something the User Knows
This may be a password or a PIN that the user remembers. It can also be the answer to a ‘secret’ question, such as, “What is your father’s middle name?”, although such answers are often guessable or discoverable from public records, which makes them a weak form of this factor.
Something the User Owns
This may be a mobile phone that receives a one-time code (by SMS or an authenticator app), a swipe card or fob, a bank card, a USB security key, or a hardware or software token generator.
Something the User is
This is usually something that is biometric in nature, such as a fingerprint, retinal image, or voice.
So Why Use Multi-factor Authentication?
Combining factors from two different categories increases assurance that an access request comes from the legitimate user, because the requester must present more than one independent credential. This makes it harder for an attacker to authenticate as that user: a stolen password alone is not enough, as they must also obtain a device or item the user owns, or reproduce a biometric. Two credentials from the same category (for example, a password and a PIN) are not multi-factor; the factors must be of different types.
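As an added example (this is not code from the original post or from Alcorn Group), the following Python shows how a "token generator" second factor from the list above is checked alongside a password, and why a stolen password on its own fails. The one-time codes are generated per RFC 6238 (TOTP over HMAC-SHA1, 30-second steps, 6 digits); the user record, the fixed password salt and the RFC 6238 reference secret are constructed demo values, not real credentials. The verifier tolerates one step of clock skew and refuses to accept a code from a step it has already used, which defeats replay of a captured code.

```python
import hashlib
import hmac
import struct

# Constructed demo values (not real credentials). The secret is the RFC 6238
# reference key so the generated codes can be checked against the RFC's vectors.
TOTP_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6
# A fixed salt keeps the example deterministic; a real system uses a random per-user salt.
DEMO_SALT = b"demo-salt"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the time step (what a token generator displays)."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check of the 'something the user owns' factor.

    Accepts the code for the current step or one step either side (clock skew),
    and never accepts a step at or before the last one used, which stops replay
    of a code an attacker may have captured."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for step in range(current - self.skew_steps, current + self.skew_steps + 1):
            if step <= self.last_accepted_step:
                continue  # this window (or an earlier one) has already been consumed
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000)


def make_user(password: str, secret: bytes) -> dict:
    return {"password_hash": hash_password(password), "verifier": TotpVerifier(secret)}


def authenticate(user: dict, password: str, code, unix_time: int) -> bool:
    """Both factors must pass; a stolen password alone gets the attacker nothing."""
    if not hmac.compare_digest(hash_password(password), user["password_hash"]):
        return False
    if code is None:
        return False
    return user["verifier"].verify(code, unix_time)


def demo() -> dict:
    """Walk through the attacker-versus-legitimate-user cases at a fixed time."""
    now = 1111111111  # one of the RFC 6238 reference timestamps
    password = "correct horse battery staple"
    user = make_user(password, TOTP_SECRET)
    code = totp(TOTP_SECRET, now)
    return {
        "stolen_password_only": authenticate(user, password, None, now),
        "code_with_wrong_password": authenticate(user, "hunter2", code, now),
        "password_and_current_code": authenticate(user, password, code, now),
        "same_code_replayed": authenticate(user, password, code, now + 5),
        "expired_code": authenticate(user, password, totp(TOTP_SECRET, now - 120), now + 5),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Only the "password and current code" case is accepted; the password by itself, the code with the wrong password, the replayed code and the expired code are all rejected. The point the article makes about a compromised password is visible in `authenticate`: the attacker's stolen password gets them to the second check and no further.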
In May this year, Google posted statistics (read here) on the effectiveness of multi-factor authentication, finding that “On-device prompts, a more secure replacement for SMS, helped prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks.”
An article posted by Alex Weinert (read here), the Group Program Manager for Identity Security and Protection at Microsoft, puts forward that “… your account is more than 99.9% less likely to be compromised if you use MFA.” In the article, Alex encourages everyone to go turn on MFA, stating that once an attacker gains access to your password, “…the attacker must try logging in with the compromised password, and at that point MFA is your safeguard”.
Alcorn Group recommends that administrative actions should always pass through at least one multi-factor authentication process. At a minimum, multi-factor authentication should be implemented as part of remote access to Internet accessible systems.