
Multi-Factor Authentication – a breakdown

Security continues to become a greater priority for SMBs, and we are seeing businesses of all sizes begin to take the necessary steps to create a more secure work environment. Multi-factor authentication is one of the most critical tools out there to keep hackers out and should be a top priority for all organizations. In its simplest form, authentication is the process of confirming that someone attempting to enter your environment is who they claim to be. One of the greatest ways to protect your IT environment is by keeping tabs on exactly who is trying to gain access.

Here's an example of authentication that you encounter on a regular basis. When you log into your account on a website, the website must first verify that you are the account's owner. How do they do this? They ask for something that only you should know. Usually this is the username and password you selected when you first set up the account. You probably think that because you created this account, you are the only one who has access to your password and therefore your account, right?

Not so fast. In recent years, user credential breaches have become increasingly common. There's a pretty strong chance that some of your username and password combinations have been compromised. Thus, providing the correct login and password to gain access to a resource does not always imply that the person is who they claim to be. This is where multi-factor authentication comes into play.

What is Multi-Factor Authentication?

Multi-factor authentication (MFA) is an approach to securing your data and accounts that simply requires a user to supply more than one piece of identifying information in order to validate their identity. You have most likely already encountered MFA on a variety of accounts that you use and even on some of your favorite websites. You may be prompted to input a code emailed to you to get into your online banking account, for example. That code is an example of an additional factor of authentication. While this emailed code is one form of MFA, there are multiple options when implementing the practice.

Types of Multi-Factor Authentication

The category used to identify a user is called an authentication factor. These identification methods generally fall into three authentication factor categories:

Information you know – Just like the category sounds, this is the simplest and most utilized form of authentication. This includes a password, PIN, personal information like "mother's maiden name", etc.

An item in your possession – this includes items that you have in your possession such as a cell phone or a card.

Unique to you as a person – this includes biometric data such as fingerprint, retina scan, etc.

For multi-factor authentication to be effectively implemented, best practices say that you need to cover at least two of the above categories to gain account or data access.

A common scenario of MFA is when a user goes to log in to a website with their password and email and then receives a text message to their cell phone with a code. This code is known as a one-time password (OTP). This falls into the "item in your possession" category, and when the user then types the code into the website, they gain access to their account.

In this example, even if an attacker knows the user's password, it isn't enough. They'll also need to gain access to the user's cell phone to provide the OTP.

One-Time Passwords

In the example above, the website issues the user an OTP. This is one of the most widely used multi-factor authentication methods. A one-time password is a pseudo-randomly generated password that will expire after a brief amount of time and is only good for one login. One-time passwords are usually used in conjunction with a regular username and password to make the authentication process more secure. The OTP is a technique used to indirectly improve a user's credentials even if they are reusing a password or using a password that is not very strong.

There are a few different methods to send users one-time passwords.

Text Message or SMS – This is one of the most commonly used and user-friendly methods to send OTPs. When the user enters their username and password into the account, they then receive a text message with their OTP on their phone. The user can then quickly copy and paste the code from the text message into their account. While this is a very user-friendly way to use MFA and is better than having single-factor authentication, it is still not the optimal approach. Believe it or not, delivering an OTP through SMS still carries risk of compromise.

Authenticator Apps – Another common way to manage OTPs is with an authenticator app. When you install the app on your cell phone, it allows you to set up accounts that work with the authenticator app to send your one-time passwords to that app. The OTPs will typically update every 30 seconds, so instead of waiting for an email or text message, a user simply opens the app and is always able to find a valid OTP there.

There are many authenticator apps available. Duo, Authy, and Google Authenticator are three of the most popular currently. Using an authenticator app makes receiving one-time passwords a breeze. Unlike SMS, an attacker cannot gain access to your authenticator app just by knowing your phone number or text messages, and if someone gains access to your email account, they won't be able to steal your one-time passwords.

There are some downsides to authenticator apps: users may find it a hassle to download and set up a new app, and if a user loses their cell phone, gaining access to MFA-enabled accounts can become difficult.

Now that you've learned a bit about multi-factor authentication, you may be considering what threats are currently at work in your environment. Find out what gaps you have in your organization's security and begin closing those gaps by contacting us today.

