2FA / MFA explained.

In the digital world, in order to access services or data, a user often needs to be authenticated. As a rule, authentication occurs after the user enters their login and password. This used to be enough, but with the rise of cybercrime, access protection is starting to require more action from the user.

What factors should an authentication mechanism include in order to be effective?

  • knowledge (something only the user knows),
  • possession (something only the user has),
  • inherence (something only the user is).

The knowledge factor is the first and foremost in the authentication process. It can be a password or a PIN. While the username does not have to be secret (for example, usernames on social networks or email addresses reused as usernames), the password or PIN should be known solely to one particular user. So, basically, a login + password pair can be considered only 1-factor authentication.

Possession implies a physical object or a piece of information which the user must have to pass authentication. The best-known example of this type of factor is an ordinary key to a lock. In the digital world, possession can be proven with a security token (disconnected or connected to the user’s device) or a software token (which can be stored in an authenticator app); SMS is another example.

The inherence factor is represented by the user’s biometric characteristics, such as a finger- or handprint, face, iris or retina pattern, or voice.

There are also factors which authentication systems can take into account additionally, for instance location and behavioural factors (keystroke dynamics, mouse movement or touch characteristics, signature analysis, etc.).

It is obvious that using two or more authentication factors significantly increases the security of authentication. However, some factors are less resistant to attack than others.

The biggest threat to 2FA/MFA is phishing. The user can be lured to a fake website and prompted to enter their credentials and a second factor. Combined attacks can also take place: first, the user’s device is infected with malware that steals their login data, then an attacker uses phishing or other kinds of social engineering to break through 2FA/MFA. The only possible way to reduce this risk is to be informed and vigilant.

As we already mentioned, MFA is not a silver bullet, but it does significantly strengthen account protection and reduce the likelihood of being hacked. So, what is the second factor that provides the best possible protection?

The cybersecurity experts of our company recommend U2F devices (USB or NFC) as the most reliable second factor. However, for many users, this authentication method may seem high-maintenance and less convenient.

Thus, second in line are authentication apps. They can be purely generators of time-based one-time passwords (TOTP), typically 6-digit codes with a 30-second life span. Some authenticator apps provide additional authentication methods such as push notifications (which also use geo data), biometrics, etc. For web services, authentication with push notifications or biometrics is preferable to and easier than using one-time passwords, but less common (while biometric authentication is commonplace for mobile apps).

Still used, but less reliable, are one-time codes sent via SMS or email. If you can avoid them, use one of the above.

Disconnected hardware tokens (dongles) which generate one-time passwords still exist, although users find them less convenient than authenticator apps.

To summarize, authentication using a login + password pair is gradually becoming a thing of the past. To keep up with technological developments and not put their data at risk, users need to resort to 2FA/MFA and be aware of modern cyber threats.

Useful links:

PassSecurium™ password manager (Android, iOS)

AccessSecurium™ - authenticator app for TOTP (Android, iOS)
