Multi-Factor Authentication (MFA) is the New Standard
The use of a password for authentication is technically referred to as single factor authentication. The fact is that anything beyond a game site or online news source should be protected by more than just single factor authentication. In the hyper-connected world in which we live in today, it seems imprudent, at the very least, that we protect our most confidential information with merely 8 to 14 characters on average, sometimes even less. Yet that single password is a single line of defense from hackers trying to access finances or from hooligans trying to tarnish social media profiles.
Think about the utter turmoil that would occur for a typical person if a hacker was able to abscond the password he or she uses to access their email, bank account, social media accounts, retirement account and credit cards. Imagine the primal scream escaping from their lungs when they discover their bank account is depleted thanks to an unauthorized transfer of funds because someone hacked into their online account by capturing their password.
Now consider that many people today reuse the same password for all of their accounts. Thus the compromise of a single password can bring about crippling results. A majority of password resets are executed through email. Therefore – once an imposter has control of an email account, they can simply request password resets for all accounts. The password, by itself, is not secure. Enter a new security standard – multi-factor authentication.
Multi-Step and Multi-Factor Authentication
A factor is a method of authentication. The three types of authentication factors are:
- Something a user knows (password or answer to a question)
- Something a user has (some sort of physical device, certificate or token)
- Something a user is (biometric verification such as a fingerprint)
A password is an example of something you know. So are security questions like “What’s your mother’s maiden name?” While many sites today have implemented a form of multi-step authentication, sometimes it still isn’t enough – particularly if the site is using two of the same types of authentication factors. Oftentimes the information “a user knows” can be found online through various websites like ancestry.com or social media profiles and are therefore easily attainable by hackers. A combination of factors is necessary to improve security: something the users knows and something the user has. Or something the users knows and something the user is (biometric).
Multi-Factor Authentication at its Best
A classic example of true multifactor authentication is 802.1X which is utilized in RADIUS enterprise wireless networks. In order to access the wireless connection, the user must type in his or her username/password while the physical computer they are using to connect with the wireless network has the required certificate necessary to complete the authentication process. In this example, the logon user’s credentials represent something the user knows and the computer represents something the user has and/or owns. Other examples of true multi-factor authentication are:
- Swiping a card and entering a PIN, a process used by ATM cards today
- Entering logon credentials followed by a biometric scan of an eye or fingerprint
- Downloading a VPN client with a valid digital certificate and then logging onto the VPN
- Accompanying user logon with a USB hardware token that generates a one-time passcode
What about Passwords + SMS Text?
Many assume that a two-factor authentication combination of a password and a private PIN that is texted to the user’s cell phone is secure. After all, the password is something the user knows and the cell phone is something that the user is in possession of. Technically however, the phone itself is not the authentication mechanism but the information that is contained on the device. This opens up the opportunity for a hacker to copy the PIN and present it to complete the authentication process. While the number of people capable of doing this is low, there are hackers who have the ability to exploit the SMS process and divert text messages to phone numbers under their control.
So while texting a PIN as a second factor isn’t fool-proof – it is better than single factor authentication.
A password by itself should be considered a point of high vulnerability. In today’s connected world, hackers can easily access systems and personal devices. Two distinct authentication factors, each acting as a separate padlock, are necessary to secure information.
HALOCK is headquartered in Schaumburg, IL, in the Chicago area and advises clients on information security throughout the US.
HALOCK Breach Bulletins
Recent data breaches to understand common threats and attacks that may impact you – featuring description, indicators of compromise (IoC), containment, and prevention.