True multi-factor authentication: What is it?
The goal is to buy users enough time to change their passwords when they’ve been cracked or disclosed publicly.
When performing risk assessments, audits, and other control-validation services, there is often some confusion when I mention multi-factor authentication (MFA).
This term has become somewhat of a buzzword in today’s cybersecurity culture. However, most people are not aware of what exactly this concept entails and how it should be implemented. In this article I will explain how it works and, hopefully, expand your knowledge of what exactly auditors are looking for when verifying controls related to MFA.
In the past, the only forms of authentication required to prove our identity to software have been a username or user ID and a password. As computers become faster and more powerful, the protection provided by this form of verification wanes.
It takes less time to brute-force passwords than it used to, and that means attackers are able to gain access to more accounts in less time. MFA, also known as two-factor authentication (2FA), serves to reduce this risk.
Before I explain how MFA works, I need to outline all possible factors from which this process can be derived.
Something you know. This factor consists of information that a person knows and presents to access a secure system. The most common example is a standard password that accompanies a username to provide identification.
Something you have. This factor covers items that a user possesses that allow them access to a system. Forms of this include proximity badges, tokens, and even one-time passcodes. The latter are usually either sent via SMS or email, or generated by an authentication app.
Something you are. This factor includes all biometric authenticators, such as facial, iris, and fingerprint recognition. It involves traits that are inherent to the user themselves, and as such are among the hardest to replicate.
Somewhere you are. Geolocation factors can be used to verify identity by allowing users to only log in from certain devices in certain locations, or from certain countries.
Something you do. These factors include behavior-related items, such as actions undertaken by the user to prove their identity to the system. One example of this is the picture password feature that was available in Windows 8. This is the rarest form of authentication.
How it works
Now I want to explain exactly how MFA works. When logging into a website or application under normal circumstances, all you need is an email address or username and a password. This method is the simplest but can often be insecure. It is extremely easy to obtain someone’s email address, and with users creating passwords that only meet minimum requirements, it doesn’t take much effort for an attacker to break in.
Security awareness training has been implemented in a lot of organizations in an effort to reduce this risk, but it only goes so far, as users are still allowed to choose the path of least resistance to performing their jobs.
Once you add a second factor, however, the risk of unauthorized access to systems is reduced significantly. Because it now takes a second factor to log in, even if an attacker steals your password, they still cannot log in without the second form of authentication.
One thing to note is that this method is not foolproof; there are risks to alternative methods of authentication just as there are to passwords within the “something you know” category. The goal of MFA is not to replace the need for secure passwords, but to buy the user enough time once their password has been cracked or disclosed publicly to change it.
The most common example of MFA is the use of a password and a six-digit security code that is sent to you via email or text message. Another way this code is generated is through a third-party authentication application, such as Google Authenticator or Authy.
These codes are unique and generated every 30 seconds, so even if an attacker also got access to one of your codes along with your password, they would only have 30 seconds to enter it in order to assume control of your account.
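The 30-second codes described above are time-based one-time passwords (TOTP, RFC 6238), built on HOTP (RFC 4226): an HMAC over a counter derived from the current time, truncated to six or eight digits. The following is an added example, not code from the article, showing both the generator an authenticator app runs and a server-side verifier that tolerates one step of clock drift and refuses to accept a step that has already been used. The shared secret is constructed from the 20-byte seed published with the RFC test vectors, so the outputs can be checked against the RFCs; the class and function names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the 20-byte ASCII seed used by the RFC 4226/6238 test
# vectors, base32-encoded the way authenticator apps receive it in a setup QR code.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

TIME_STEP = 30  # seconds; the "new code every 30 seconds" the article mentions


def hotp(secret_b32: str, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret_b32, unix_time // step, digits)


class TotpVerifier:
    """Server side. Accepts a code for the current step or its neighbours (clock
    drift), and never accepts a step at or below one already consumed, so a
    captured code cannot be replayed even inside its 30-second lifetime."""

    def __init__(self, secret_b32: str, digits: int = 6,
                 step: int = TIME_STEP, window: int = 1):
        self.secret = secret_b32
        self.digits = digits
        self.step = step
        self.window = window
        self.last_accepted_step = -1  # highest counter value already used for a login

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            step_n = current + delta
            if step_n <= self.last_accepted_step:
                continue  # replay of a consumed step (or older): reject
            expected = hotp(self.secret, step_n, self.digits)
            if hmac.compare_digest(expected, submitted):  # constant-time comparison
                self.last_accepted_step = step_n
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET_B32, now)
    verifier = TotpVerifier(DEMO_SECRET_B32)
    print("code:", code, "accepted:", verifier.verify(code, now))
    print("same code again:", verifier.verify(code, now))  # replay is refused
```

Run as a script it prints the current code for the demo secret and shows that a second submission of the same code is refused; the `window` of one step means a code generated just before the 30-second boundary is still accepted a few seconds into the next step, which is the usual production setting.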
One misconception I want to address is that of security questions. Oftentimes when performing audits, my clients will provide evidence of risk-based security questions that are used in addition to a password in order to verify the authenticity of their consumers. While this can be helpful, it does not satisfy the requirements of MFA or 2FA.
MFA or 2FA requires that the methods used come from two different categories. Because security questions fall into the same “something you know” category as passwords, they do not provide the additional security that a second, different factor would.
If an attacker is able to hack into a database and steal all of the listed passwords, he will also be able to steal all of the listed security question answers, which renders the purpose of the security questions moot. All of the other factors exist outside of an organization’s database where passwords are stored, thus limiting an attacker’s capabilities following a data breach.
MFA is slowly becoming mainstream, but some organizations have yet to adopt it. It may take a little more effort to sign in, but a little goes a long way, and this configuration allows users to substantially enhance the security of their accounts.