Posted on September 20, 2017 by Mathijs Brand
What is Multi-Factor Authentication?
Second-factor (2FA) or Multi-Factor Authentication (MFA) means using 2 or more factors to authenticate a user. In a typical login situation you have a username and password. This is a one-factor authentication method, because it uses only one of the following authentication factors:
- Something you know - e.g. your username, password or PIN.
- Something you have - e.g. an e-identifier, a mobile phone or a physical key.
- Something you are - e.g. your face, eyes, voice or fingerprint.
- Time and Location factors.
Multi-Factor means using two or more of the above. It's even safer when an attacker has to compromise multiple networks (out of band) to break in. In any case, using only 1 factor provides less security than 2 or more. In the case of passwords, you just need the username/password combination (hunter2?) and you're in. That's why passwords are not safe even when you are using secure phrases and a password manager, which most consumers do not do. When a company that stores the passwords is hacked, you can be hacked. Have I Been Pwned is a great website showing if your email address was part of any data breaches. Try it out. Odds are that you have been pwned and need to make sure this username/password combination is not available anywhere.
So why is the time to move to Multi-Factor Authentication now?
It comes down to costs versus benefits. Financial institutions, insurers, employee portals and governments have often added a second factor to their login because of the return on investment. Reasons on the benefit side: users expect easy access to their data in a convenient way. One-factor solutions like passwords don't work so well on mobile devices. Passwords are a hassle. Reasons on the costs side were stronger and easier to argue. Data breaches are growing exponentially, while hacking tools are becoming cheaper, increasing your costs.
But it is not only the number of breaches and attacks that grows. The marketing, legal and administrative costs when a breach actually happens are growing as well when GDPR comes into play, with fines going up to 4% of annual global turnover. And then you're not even taking the legal costs into account. Many think the EU fines will be dwarfed by the class action lawsuits that will come, because consumers are getting the power and ownership rights of the data. All that is needed in May 2018 is a few dedicated (European) consumers looking for holes and going against you.
Because passwords are not the solution...
Which solution will replace the default? That's not all too clear to most. Let's look at some of the options that may be the way forward...
An SMS based login
SMS as a second factor for authentication is better than just using passwords. All you need is your phone, and it doesn't matter how old the phone is. Unfortunately SMS is widely considered not to be strong enough anymore, because you can easily spoof a phone number. So you can't really be sure someone actually has the phone, which weakens the extra factor.
Spoofing has become easier. Not the way forward.
Hardware tokens exist with biometrics and without, with a password/pincode to remember and without. You need a specific device. You often need to remember something like a pincode in addition for extra security. There may be a time factor involved as well.
Even though they are great from a security perspective, hardware tokens won't be the mainstream way forward. It's too much extra hassle and cost: organisations pay a premium amount per user per transaction for your e-identifier. Maybe you're a spy, and then there's a good use case for you. But most users don't want to carry an extra device for each login unless forced to.
A time based authenticator app like Google Authenticator or Authy
From a security perspective not bad at all. Everyone has their phone on them. When you lose your phone, you will notice this faster than when you lose a hardware token device. Good news: your account can then easily be deactivated.
A lot of organizations take on Google Authenticator because it is almost free and security is pretty decent. Most developers however overlook the main problem: you need more technical know-how than you think to understand and use this solution, specifically when you have many sites/codes to use on the app. Consumers need to be faster. You need to know where to find the app and where to find the code for that particular website.
QR is an option that should strongly be considered!
It took a while before QR codes became mainstream. Users who have worked with the Web version of WhatsApp know the potential. Check it out. We should see this option more often. Almost everyone has a mobile device with a camera. You can use a QR scanner in the mobile app to authenticate on a mobile website. The mechanism is more secure than you think. You can require the user to use a pincode or fingerprint to log in to the app first. Then you have the option to scan the QR code with your app. The big usability advantage is that users don't have to type anything. The username can be in the code.
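One possible design for the QR login described above, as an added example that is not from the original post or from any specific product. It assumes the app was enrolled earlier with a per-device key, that the app (unlocked by pincode or fingerprint) supplies the username, and that the QR code carries a one-time challenge; all names and values are constructed.

```python
import hashlib
import hmac
import secrets

CHALLENGE_TTL = 60   # seconds a displayed QR code stays valid (assumed value)
DEVICE_KEYS = {"alice": b"constructed-device-key-for-alice"}  # enrolled app keys
pending = {}         # challenge id -> browser session and expiry
sessions = {}        # browser session id -> username, set once approved

def new_challenge(browser_session: str, now: float) -> str:
    """Server: create the one-time value the login page renders as a QR code."""
    cid = secrets.token_urlsafe(16)
    pending[cid] = {"browser": browser_session, "expires": now + CHALLENGE_TTL}
    return cid

def app_approve(username: str, cid: str, device_key: bytes) -> dict:
    """App, after the user unlocked it: sign the scanned challenge."""
    data = f"{username}|{cid}".encode()
    tag = hmac.new(device_key, data, hashlib.sha256).hexdigest()
    return {"user": username, "cid": cid, "tag": tag}

def server_verify(msg: dict, now: float) -> bool:
    """Server: accept an approval once, before expiry, with a valid tag."""
    # pop() makes the challenge single-use, even when verification fails.
    entry = pending.pop(msg["cid"], None)
    key = DEVICE_KEYS.get(msg["user"])
    if entry is None or key is None or now > entry["expires"]:
        return False
    data = f"{msg['user']}|{msg['cid']}".encode()
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["tag"]):
        return False
    # Only the browser session that displayed this QR code is logged in.
    sessions[entry["browser"]] = msg["user"]
    return True
```

The short expiry and single use limit how long a photographed or relayed QR code is worth anything, and binding the approval to the browser session that requested it keeps an approval from logging in a different browser.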
Push in combination with PIN / Biometrics
Another potential winner. With this solution you introduce the concept of "out-of-band". The push message is sent from a channel outside of the organization: usually Apple Push services or Google Firebase. Yet another bridge for an attacker to cross. Here's how that can work:
Cassettes are a thing of the past
Nobody wants to use pencils to rewind or fast-forward anymore. We click.
Passwords are a thing of the past. Everybody wants to fast-forward to the future.
I'm curious to hear your opinion. So I've added my question to you below in a little survey: which solution(s) do you like best for your organisation?