Understanding Multi-Factor Authentication
MFA, or Multi-factor authentication, is a term we hear more and more these days. As cybersecurity moves more towards the forefront of the corporate landscape, MFA is becoming much more relevant and needed. It is required for protection of Controlled Unclassified Information (CUI) accessed across a network, and is a CMMC Level 3 requirement. Additionally, MFA is a cornerstone of Totem’s recommended cybersecurity safeguards for small businesses, as we’ve laid out in our Totem Top Ten. MFA works by leveraging multiple layers of authentication to verify the identity of users when logging into certain systems, websites, etc. There are multiple ways to accomplish this, as well as multiple factors that can be used, so let’s dive in.
The Three Categories of Multi-Factor Authentication
Although there are many different factors that can be used for Multi-Factor Authentication, they all fall into three main categories: Knowledge factors, Possession factors, and Inherence factors.
Knowledge factors are what we usually think about when we think of logging into a system or account. It is something you know, and can include a PIN, a password, an answer to a security question or something similar. This is often the only layer of authentication required if MFA is not in use, or the first layer of authentication that is required when using multiple layers of authentication.
Next are possession factors, which is usually defined as something that you have. This could include a smartphone, a security token, a smart card, or a public key infrastructure (PKI) certificate. We will get into how all of those work a little later in this post, but for now we can see the difference between a piece of knowledge we have, and an item that we possess.
The final category of MFA are inherence factors. Inherence factors are things we inherited, or something that we are. For this category, think of Mission Impossible, or James Bond type technology. Inherence factors include all different types of biometric factors, including fingerprints, facial scans, a retina or iris scan, and even a voiceprint!
In order to successfully implement MFA, users must be required to prove their identity using multiple factors from two or more of these categories. If you only use multiple factors from one category, such as a voiceprint and a fingerprint, it is not MFA since they are both inherence factors.
Secure Knowledge Factors
Although part of the reason we use MFA is to protect against password attacks, there are a lot of things that can be done to make passwords more secure and robust towards those attacks. Whether or not users choose passwords that are easy to remember and type or create and memorize a strong password but reuse it on multiple websites, they are more susceptible to password attacks. Good password hygiene can feel overwhelming or tiring when you need a new, unique, and strong password for every site or system, as well as the good habit of changing each password regularly.
In order to keep track of multiple complex passwords, one of the best things to do is to use a secure password manager. This enables you to remember one complex master password which will grant you access to all the other complex passwords in the password manager, allowing you to have multiple complex passwords, change them often, and not have to memorize them all.
An In-Depth Look: Possession Factors
We listed quite a few possession factors above and now we will talk about how each of those different factors work.
When using a smartphone as a possession factor, there are a couple of steps to take to use this method successfully. First you must install an authenticator app on the smartphone. The apps use public-key cryptography to generate software tokens. The private key is stored on the smartphone; and a corresponding public key is stored by the authenticator service. To access a website or service through the authenticator, the user would type in their credentials, the app would use its private key to generate a unique code to send to the authentication server, which would use the smartphone’s public key to verify that the code was generated by the smartphone registered by that user.
Sometimes text messages (SMS) are also used as authentication on smartphones. Although having a code sent through text message as a second factor of authentication is one of the most commonly used methods of MFA, text is not as secure as many think it is. It is relatively easy for hackers to intercept, spoof, and phish text messages. If possible, use an authentication app instead of text messages. Instead of sending a text message, you can configure some systems to “push” or send a prompt to your unique app installation on your phone. You then simply tap a button on your phone to acknowledge the more secure push notification, and voila, you’ve provided a factor of authentication.
Security Tokens work in a very similar way to authentication apps, generating a one-time passcode. Once you log in to the system or website using your username and password, you will be prompted for a passcode, which you will generate on your token, say, a USB dongle, and use to complete the authentication process.
Smart Cards use a secure microchip that enables user authentication by creating, storing, and operating cryptographic keys. They store both a user’s public key credentials and the user’s PIN. Smart cards are considered very secure because you can’t gain any of the data from tampering with the cards themselves.
PKI Certificates work by authenticating both you and your server before connecting with a website. It then facilitates encryption and decryption by using digital certificates and public encryption key pairs, kind of like what we discussed above with smart phones. They also ensure the integrity of your data by letting users, browsers, or devices know if data that you sent has been tampered with.
The Pros and Cons of Biometrics
In the field of security, there are many professionals who absolutely love the use of biometrics, while others are concerned with their true security. One of the biggest problems with biometrics is that they are not secret. Whether it is fingerprints or face scans, we leave our biometrics all over the place and they could be captured more easily by an adversary than most other types of authentications.
A common misconception about biometrics is that they are incredibly accurate. In truth, while our biometrics themselves are very unique, what is actually captured and measured during authentication may not be. Devices and software can only collect so much useable biometric information, and even then the information may not be useful forever because most of our biometrics undergo minor changes each day. This means that the biometric scanner must “detune” itself to a certain extent in order to be less accurate than they otherwise could. This means that there could theoretically be many more matches with other individuals recorded biometric data.
Another drawback of biometrics is that once the data that is captured about you has been stolen or lost, you can’t easily change your biometric. If your password or smart phone is stolen, you can simply change your password or go get a new smart phone. If the database representation of your fingerprint is stolen by an attacker, you can’t just change your fingerprints.
Some of the pros of biometrics include the ease of use for individuals, as well as the increased difficulty to hack remotely, even if they may be easier to steal in person.
Implementation of Multi-Factor Authentication
While MFA implementation has the potential to be difficult or expensive, it can vary greatly depending on your company and how you decide to implement it. This decision can take many factors into account such as initial price, support price, as well as ease of use and the type of system and information you have and are trying to protect. For additional information on implementing MFA, check out our other post here.
MFA is required for many companies in regulatory environments, such as DoD contractors. We cover topics such as MFA implementation in our monthly cybersecurity workshop. Learn more or register at this link: https://www.totem.tech/workshop/ Come join us!
