An Intro to Multi-Factor Authentication and the Types of MFA

Multi-Factor authentication (MFA) is a method of login verification where at least 2 different factors of proof are required. MFA helps protect your data assets by adding an extra layer of security in a process called hardening. Using 2-3 types of factors in the process of protecting assets is called multi-factor authentication. MFA can prevent an attacker from accessing a user profile and impersonating a user, because they must gather many different types of user data in order to gain access. This would be harder to do than if only a password was used.  

Something you know -  This is anything you might need to remember and type or say. It's something you have to recall from memory. An example might be your mother’s maiden name, a password, a passphrase, or PIN.  

Something you have - This includes all items that are physical objects that you must have.  Specifically it includes the use of physical tokens to provide a time based PIN or other generated number that must be inputted to verify someone’s identity.  An example might be this hardware token: RSA SecurID SID700 hardware token or the HyperOTP Time-Based 6-Digit Token for use with Amazon Web Services.

Something you are - Includes using a part of the body that can be used for verification (biometric data), like fingerprints, palm scanning, facial recognition, retina scan, iris scan, voice recognition. This works because each person is unique, but it can be invasive because it may reveal information about an individual’s health concerns. An example might be this Face Recognition and Fingerprint Reader with WIFI.

Somewhere you are - Uses location based data to determine if someone is in the correct vicinity to access data. An example of location restriction using Azure is portrayed in this Microsoft article.

Time restrictions - Time can be used as part of MFA because data assets might have restrictions about when they can be accessed.  If access attempts occur outside the time window, someone may be disqualified. An example in which time might be used is in a time-based one time password (TOTP). Per Rublon’s website, a TOTP “is a passcode valid for 30 to 90 seconds that has been generated using the value of the Shared Secret and system time.” This combines the “something you have” factor with time restrictions. 

What are the pros and cons of MFA?  A list by Mary Shacklett of Transworld Data at this link shows it can be complicated, but worth it.  

Importantly, there are many data breaches that occurred as a result of not using multi factor authentication.   An article by Jean Shin includes information about several of these breaches which affected Target and Equifax among others. 

Using only passwords is unlikely to be a very secure method of authentication and is likely not the method of the future. Multi factor authentication is taking over. This website writes: “In a climate where cyberattacks are at their peak (with brute force attacks on passwords being the most common), it’s no surprise that IT professionals at Fortune 500 companies like Google are pushing forward new security regimes. One business after another is adding multi-factor authentication (MFA) to its security infrastructure – and biometric technology is becoming the most sought-after element with an expected market growth to $55.42 billion by 2027.” In particular, the use of biometric data is growing.

Knowing about multi-factor authentication is important to daily life, but sometimes the concept can be little understood or misunderstood. It is important for hardening of data and personal information so it can be an interesting topic for more examination.  

References: