Introduction to Multi-Factor Authentication
Multi-factor authentication (MFA) is the name for an authentication method that relies on more than one factor when determining whether to grant access to a computer user. It has become an increasingly important means of proving identity and securing information.
From the moment the first treasure was amassed, limiting access to it became a priority. If buried in the ground, knowledge of the location was critical. If a locked chest or storage room were involved, a key was required. If guards were posted, recognition of the rightful owner was vital.
Today data is the great treasure that must be secured, but the means of protecting it still often involve these elemental factors: knowledge, possession and inherence. In other words, access is granted or denied depending on what someone knows, what someone has or what someone uniquely is.
- Knowledge factors
- Possession factors
- Inherence factors
- Location factors
Modern knowledge factors include user names or IDs, passwords, PINs, and the answers to security questions. Possession factors are such things as bank or ID cards, security tokens, one-time passwords (OTP), and, increasingly, smartphones. Inherence factors are rapidly expanding with developments in biometrics technology. In addition to fingerprints, these factors now include facial and voice recognition, retina scans, and even an individual’s typing patterns on a keyboard. Location factors refer to the user's physical location at the time of authentication. In general these factors do not require any user input but are determined automatically, for example by looking up the IP address of the connecting client.
Single-factor authentication has obvious limitations. Passwords, for example, are often used as the sole authentication factor, but passwords are easily forgotten, easily stolen, and sometimes easily cracked. Consequently, even in the consumer world, there has been a growing push toward Two-factor Authentication (2FA), also sometimes called Two-step Verification or Two-step Authentication. Strictly speaking, 2FA is a subset of MFA and the simplest form of a multi-factor strategy.
- Two-factor Authentication
- Two-step Verification
- Two-step Authentication
In Two-factor Authentication, a second factor, or step, is added to the first to increase the overall level of security. This second factor can be as simple as having a bank card (a possession factor) to be used in tandem with a password or PIN (a knowledge factor). More complicated two-factor scenarios now often involve the use of smartphones, SMS messages and OTP apps.
A basic principle of good MFA practice is to vary the categories of factors involved. A system built on passwords and security questions (both knowledge factors) is generally less secure than one that employs passwords and SMS messages delivered to the user's phone. Another general principle is that users should not be able to go from one factor to two, especially if it is critical to ensure that the users are who they claim to be. If, for example, a user signs up for an email account, creates a password and username and then adds a phone number, this is essentially going from one factor to two. The addition or “bootstrapping” of the second factor may provide the user with some additional security, but it does not increase confidence in his or her identity, because the second factor was enrolled on the strength of the first factor alone.
Identity can be much better asserted by going from two factors to two. In Bank ID systems, for example, the user must appear at a bank with some form of approved ID. The user then receives a device and a PIN. The device, when accessed by the PIN, can be used to generate codes that permit the user to receive a Bank ID. This in turn can be used to access the user’s bank account or to sign up for things that involve additional multi-factors. In this example, the additional factors were not bootstrapped from one factor since the initial assertion of identity involved multiple factors.
There are two primary perspectives on MFA, depending on whether the focus is 1) on protecting the user and the user’s data, or 2) on ensuring that the user’s identity remains consistent over time; that is, that the user attempting to gain access is the same user that gained access the last time.
In the email example above, the users may be primarily interested in protecting their identity and their data and may feel that going from one factor to two provides them with sufficient security. Banks, on the other hand, are necessarily interested in both protecting user data and having a high degree of confidence in user identity over time, and so have good reason to insist on MFA that goes from two factors to two.
Even though the focus of these two perspectives on MFA is different, creating a robust MFA system is generally in everyone’s interest, and one of the first requirements of such a system is that it conform to the principle of going from two factors to two. Moreover, ever-greater security requirements demand a more secure approach than just two factors can usually provide.
The Curity Identity Server has the power and flexibility to create a truly robust multi-factor authentication flow capable of producing complex layered defenses to meet an organization’s specific security needs.