
What is multi-factor authentication (MFA), and why should I use it?

For decades, the all-too-familiar username-password login has remained a staple of user verification. But this somewhat archaic system is quickly losing favor with entrepreneurs and security experts as a dependable identity and access management (IAM) solution. Multi-factor authentication (MFA) is now the preferred IAM system.

This article explores MFA technology: what it is, how it works, and its advantage over traditional username-password authentication. 

Let’s get started.

The problem with passwords

To justify multi-factor authentication, we must first understand what’s wrong with passwords.

Password-only authentication is straightforward: it's simple, intuitive, easy to use, and takes little effort to integrate into a login console. These are the main reasons passwords are so popular today. However, password authentication is one of the biggest cybersecurity threats facing businesses and individuals alike. The problem is that passwords are relatively easy to steal, and in the wrong hands, a single set of credentials can compromise an entire organization.

According to Verizon’s DBIR 2021, user credentials are the most sought-after datasets in cyberattacks. And for good reason — 89 percent of web-based hacks involve using stolen or cracked credentials.

But the worst thing about password authentication is its reliance on human diligence. Poor password practices such as credential reuse, overuse, exposure, sharing, and weak passwords make it easier for threat actors to exploit user credentials.

These fundamental security flaws are why many companies, software vendors, and online services, including tech giants Microsoft and Google, are moving away from passwords to more dependable MFA alternatives.

What is multi-factor authentication?

Multi-factor authentication is an IAM system that requires users to provide at least two pieces of indisputable evidence (factors/tokens) to prove their identity. Rather than asking for just a username and password, an MFA system requires additional verification factors based on something the user knows, something they have, or something they are.

These are the three types of factors used in MFA:

Knowledge Factor

This category includes anything the user knows or remembers and can therefore type, say, or perform. Knowledge tokens can be credentials, code words, PINs, or answers to security questions. This is the most basic authentication factor and usually forms the first MFA layer.

Possession Factor

The possession factor tries to prove user identity based on something the user has or owns. It includes personal items such as smartphones and email addresses and dedicated hardware such as USB security keys and token devices. The system can verify these possessions directly or indirectly by sending a one-time password (OTP) to the device, which will need to be entered into the login console within a limited time window.

Inherence Factor

This category involves biometrics: fingerprints, facial recognition, voice verification, retina scans, etc.

Some MFA systems also consider user location and behavior as verifiable identity factors. Still, these are less common and often tied to other independent security protocols such as endpoint security and user monitoring. MFA combines any number of identity tokens from all three categories, and each token adds an extra security layer.

MFA vs. 2FA

2FA or dual-factor authentication is a type of multi-factor authentication that requires exactly two identity tokens for user verification. This is the most common MFA adaptation. It usually requires users to input their credentials, followed by an OTP sent via SMS, email, or voice call. Some systems use biometrics in place of the OTP. On the other hand, MFA could involve all three factors (knowledge, possession, and inherence), sometimes requiring more than one token from each category.

MFA adds extra security layers to identity and access management and, in doing so, eliminates most of the risks associated with password-only verification (which is, basically, a one-factor authentication system). Even if attackers managed to get hold of user credentials, they’d still need to present additional tokens to be granted access.
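The 2FA flow described above (credentials first, then a one-time password that must be entered within a limited time window), sketched from the server side as an added example that is not code from the original article. The sample account, the 300-second window, the three-attempt limit, and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

OTP_TTL = 300      # assumed validity window in seconds
MAX_ATTEMPTS = 3   # assumed guess limit per issued code

# Constructed sample account: password stored as a salted PBKDF2 hash.
_SALT = b"constructed-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}
PENDING = {}  # username -> {"digest", "expires", "attempts"}

def check_password(user, password):
    """Knowledge factor: compare password hashes in constant time."""
    stored = USERS.get(user)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return stored is not None and hmac.compare_digest(stored, candidate)

def issue_otp(user, now=None):
    """Possession factor: create a 6-digit code to send to the user's device."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[user] = {"digest": hashlib.sha256(code.encode()).digest(),
                     "expires": now + OTP_TTL, "attempts": 0}
    return code  # delivered out of band (SMS, email, voice call); never logged

def verify_otp(user, code, now=None):
    """Accept the code once, within the window, within the attempt limit."""
    now = time.time() if now is None else now
    entry = PENDING.get(user)
    if entry is None:
        return False
    entry["attempts"] += 1
    if now > entry["expires"] or entry["attempts"] > MAX_ATTEMPTS:
        PENDING.pop(user, None)  # expired or too many guesses: discard the code
        return False
    if hmac.compare_digest(entry["digest"], hashlib.sha256(code.encode()).digest()):
        PENDING.pop(user, None)  # single use: a replayed code fails
        return True
    return False

def login(user, password, code, now=None):
    """Grant access only when both factors verify."""
    return check_password(user, password) and verify_otp(user, code, now)
```

A correct password with a wrong, expired, or already-used code is rejected, which is the property that keeps stolen credentials from being sufficient on their own.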

Implementing an MFA solution is just one of the ways you can keep up with emerging technologies, threats, and trends to safeguard your business against cyberattacks. GB Tech has even more ideas on staying ahead of the curve with cybersecurity. Contact us and learn how to leverage our security expertise and tools to boost your organization’s security posture.