
Why Multi-Factor Authentication Fails


Multi-Factor authentication

Multi-factor authentication is an authentication method that requires the user to provide two or more forms of identity verification before they’re allowed access to a website, network, or application.

Reason for 2FA or MFA

Traditionally, we have always secured our login experience with just a username and password (both of which together count as 1FA, one-factor authentication; they are like husband and wife who are one). These passwords aren’t secure enough anymore: they can be easily guessed and broken, and because of this they have become inadequate for today’s access and security needs. In fact, in March this year, Microsoft engineers said that 99.9% of the account compromise incidents they deal with could have been prevented by a multi-factor authentication (MFA) solution.

More reading on Microsoft Q&A

There are three main types of MFA.

  • The first is something you know. This includes passwords, PINs, and even secret answers.
  • The second type is something you have. This is a physical object, such as a key or smart card.
  • The third type is something you are: biometric verification. This could be a fingerprint, retina scan, or voice recognition.

You can implement either two-factor authentication (2FA) or multi-factor authentication (MFA). 2FA uses two of these possible checks to verify and authorize a user’s access attempt, whereas MFA uses more than two of them. MFA is therefore considered the stronger of the two.

There are also what are known as adaptive MFA solutions.

Adaptive means that MFA is unobtrusive to the user: based on the context of the login attempt, the admins can adapt the level of security needed. The solution analyses the user’s geographic location and login behaviour, for example:

  • the time and place of login attempt,
  • the device the login was attempted on

so that users are only prompted for MFA if the login seems suspicious based on the defined parameters. For example, if you were on your office premises and tried to sign in to your corporate email account during business hours on a Monday, you would not be prompted for MFA. But if you were logging in from outside the country, or from a location beyond your defined geographical boundaries, then you would be prompted for your MFA to prove it is you.

Why does MFA fail?

  1. Implementing MFA in Silos

While MFA certainly decreases the likelihood that your account will be compromised by an attacker, it is definitely not the “end all be all” approach. It certainly will not help you if the attacker already has access to your other factors. One of the biggest mistakes an organization can make is implementing multi-factor authentication in silos, which is like locking your house doors and leaving the windows open. All an attacker needs is one entry point, be it door or window, and the moment an attacker finds that entry into your network, it’s game over for you. That brings me to the concept of defence in depth.

Defense in depth is a cybersecurity approach that uses layered defensive mechanisms to protect systems and data. With layering, if one defense fails, another is there to block an attack. This intentional redundancy creates greater security and can protect against a wider variety of attacks. It is expensive to implement, as you have to look at all aspects of your operation, see where protection is most needed, block every entry point, and permit only those you are sure of.

Defense in depth helps you ensure that you are protecting your systems as effectively as possible. By building in layers of security, you can reduce the chance of a single point of failure occurring in your systems.

  2. Not taking Advantage of Adaptive MFA

Not taking advantage of adaptive MFA is another reason MFA implementations fail. Modern adaptive MFA can achieve an intelligent balance between security and customer experience by analyzing location, network, device, IP address, time of day and so on. For example, users who log in at about the same time of day, from the same IP address, the same location and the same device can go through their day with a simple, unobtrusive authentication process, whereas someone attempting to access a protected resource from an unknown remote location that has never appeared in that user’s login records, on a device that has never been authorized for that user on the network, is challenged for the extra factor.
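The adaptive decision described in both adaptive-MFA passages above, as an added example that is not from the article: a small Python policy compares a login attempt with the user's baseline (known IPs, devices, countries and business hours) and returns whether the password alone suffices or a step-up to MFA is required. All names, the sample baseline and the IP addresses are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed example (not the article's code): an adaptive-MFA policy that
# decides between a password-only login and a step-up to a second factor.

@dataclass(frozen=True)
class LoginAttempt:
    user: str
    source_ip: str
    country: str
    device_id: str
    when: datetime

@dataclass
class UserBaseline:
    # Built only from logins that previously passed MFA, so an attacker
    # cannot "teach" the system a new device or country with a bare password.
    known_ips: frozenset
    known_devices: frozenset
    known_countries: frozenset
    business_hours: range  # local hours during which a password-only login is normal

def risk_signals(attempt: LoginAttempt, baseline: UserBaseline) -> list[str]:
    """Return the names of every context check the attempt fails."""
    signals = []
    if attempt.country not in baseline.known_countries:
        signals.append("new_country")
    if attempt.device_id not in baseline.known_devices:
        signals.append("new_device")
    if attempt.source_ip not in baseline.known_ips:
        signals.append("new_ip")
    # weekday() is 0..4 for Mon..Fri; a weekend or a login outside business hours is off-hours
    if attempt.when.weekday() > 4 or attempt.when.hour not in baseline.business_hours:
        signals.append("off_hours")
    return signals

def decide(attempt: LoginAttempt, baseline: UserBaseline) -> str:
    """'password' when the context looks familiar, otherwise 'mfa' (step-up)."""
    signals = risk_signals(attempt, baseline)
    # A new country or a never-seen device is enough on its own; a new IP or an
    # off-hours login is only suspicious in combination with another signal.
    if "new_country" in signals or "new_device" in signals or len(signals) >= 2:
        return "mfa"
    return "password"

# Constructed sample baseline: one office IP, one laptop, one country, 08:00-18:59
OFFICE = UserBaseline(frozenset({"203.0.113.10"}), frozenset({"laptop-01"}),
                      frozenset({"GB"}), range(8, 19))
```

Calling `decide(LoginAttempt("alice", "203.0.113.10", "GB", "laptop-01", datetime(2024, 6, 3, 10, 0)), OFFICE)` (a Monday morning from the office) returns `"password"`, while the same user from another country on an unknown phone returns `"mfa"`.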

For MFA to be successful, it must have the support of other defence mechanisms in the form of a defence-in-depth infrastructure; it cannot be implemented as a stand-alone control or in a silo.
