Multi-Factor Authentication (MFA) is an account security method used by companies to reduce the likelihood of customer accounts being compromised. As the name suggests, the customer is asked to prove their identity using more than one method. Most of us have already used some form of MFA: for example, you have probably been asked to provide your phone number so a company can text you a code to enter on their website, even though you had already entered your password. This is a common MFA method that helps a company confirm your identity.
Authentication factors are conventionally classed into three categories: knowledge factors (something you know), possession factors (something you have) and biometric factors (something you are). Two factors only count as "multi-factor" when they come from different categories; a password plus a security question is still single-factor, because both are things you know. In this article we go over all three categories, discuss which methods are strongest and give some examples of their use.
Knowledge factors are information that the user must know in order to gain access to an account, for example their password or the answers to security questions.
Passwords are the most common form of authentication by far: if you create an account on almost any website or program you will be asked to create a password for it. The problem with passwords is that they are comparatively easy for a cybercriminal to obtain, whether by breaking into another service where the user reused the same password, by finding where the user stores their password information, by phishing it, or simply by guessing it if it is particularly weak.
There is a similar problem with regular security questions. One of the most common is "What was your mother's maiden name?". Whilst this initially seems like a difficult question, realistically several people will know the answer, and depending on the public records available online, some people could even find it through Google. A security question is also just a second knowledge factor, so it adds little even when the answer is obscure.
Possession factors are something the user must physically have in order to act, for example a mobile phone that receives a code by text message, or a single-use code delivered by email.
Although still widely used, codes sent by text message or email have faced increasing criticism over the past couple of years, because cybercriminals have adapted to them. SIM swapping (persuading the carrier to move the victim's number to the attacker's SIM) redirects text messages, email accounts can be broken into, and a phishing page can simply ask the victim for the code and relay it to the real site in real time. For these reasons NIST SP 800-63B classes SMS delivery as a "restricted" authenticator. Note that an emailed code is really proof of access to the mailbox, which is itself usually protected only by another password.
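As an added example (not code from the article or from Euclid Security), the following Go program shows how a server should issue and check a single-use code of the kind delivered by text message or email: a random six-digit value, a short lifetime, a small guess limit, a constant-time comparison and one-time use. The OTPService type, the account name alice, the five-minute lifetime and the three-guess limit are assumptions made for the example; delivery of the code is left out.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// pendingCode is one outstanding code for one account (hypothetical
// in-memory store; a real service would persist this).
type pendingCode struct {
	code     string
	expires  time.Time
	attempts int
}

// OTPService issues and verifies one-time codes. now is injectable so
// expiry can be exercised without waiting.
type OTPService struct {
	codes    map[string]*pendingCode
	ttl      time.Duration
	maxTries int
	now      func() time.Time
}

func NewOTPService(ttl time.Duration, maxTries int) *OTPService {
	return &OTPService{codes: map[string]*pendingCode{}, ttl: ttl, maxTries: maxTries, now: time.Now}
}

// Issue draws a six-digit code from crypto/rand (never math/rand) and
// records it with an expiry. Any earlier code for the account is replaced.
func (s *OTPService) Issue(account string) (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	s.codes[account] = &pendingCode{code: code, expires: s.now().Add(s.ttl)}
	return code, nil
}

var (
	ErrNoCode   = errors.New("no code pending")
	ErrExpired  = errors.New("code expired")
	ErrTooMany  = errors.New("too many attempts")
	ErrMismatch = errors.New("code mismatch")
)

// Verify accepts a code only once, only before expiry and only within
// maxTries guesses: a six-digit code has a million possibilities, so
// unlimited guessing would defeat it.
func (s *OTPService) Verify(account, submitted string) error {
	p, ok := s.codes[account]
	if !ok {
		return ErrNoCode
	}
	if s.now().After(p.expires) {
		delete(s.codes, account)
		return ErrExpired
	}
	p.attempts++
	if p.attempts > s.maxTries {
		delete(s.codes, account)
		return ErrTooMany
	}
	// Constant-time comparison so response timing does not reveal how
	// many leading digits of a guess were right.
	if subtle.ConstantTimeCompare([]byte(p.code), []byte(submitted)) != 1 {
		return ErrMismatch
	}
	delete(s.codes, account) // consumed: the same code cannot be replayed
	return nil
}

func main() {
	svc := NewOTPService(5*time.Minute, 3)
	code, _ := svc.Issue("alice")
	fmt.Println("first use:", svc.Verify("alice", code))
	fmt.Println("replay:   ", svc.Verify("alice", code))
}
```

Note what these checks do and do not cover. They stop replay, brute force and timing leaks on the server side, but none of them helps when the victim is persuaded to type a still-valid code into an attacker's page that forwards it within the lifetime, which is why the criticism above is aimed at the delivery channel rather than at the server logic.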
A stronger possession factor is a hardware security key, often called a U2F key after the FIDO "Universal Second Factor" protocol it implements (the current generation speaks FIDO2/WebAuthn). This is a small device, about the size of a USB flash drive, that is plugged into the computer or tapped against a phone as a method of authentication. What makes it stronger is not just that it must be physically present: the key signs a challenge that is bound to the website's origin, so a phishing page that relays the real site's challenge gets a signature the real site will reject. Security keys come with their own problems, such as cost and the risk of the key being lost or stolen, so users should register a second key as a backup and the service needs a recovery path that does not quietly fall back to a weaker factor.
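To make the origin-binding point concrete, here is an added example in Go (not the article's code, and a simplified model rather than the real U2F or WebAuthn message formats) using Ed25519 from the standard library. The SecurityKey and RelyingParty types, the origins https://bank.example and https://bank-login.example, and the user alice are assumptions made for the example. It plays out a genuine login and then a phishing relay, where the attacker's page fetches a fresh challenge from the bank and forwards it to the victim's browser.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SecurityKey models the token: one key pair per origin it was registered
// at, and the private key never leaves the device.
type SecurityKey struct {
	creds   map[string]ed25519.PrivateKey
	counter uint32
}

func NewSecurityKey() *SecurityKey {
	return &SecurityKey{creds: map[string]ed25519.PrivateKey{}}
}

// Register mints a credential for the origin the browser reports and hands
// back only the public key for the server to store.
func (k *SecurityKey) Register(origin string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	k.creds[origin] = priv
	return pub, nil
}

// signedMessage is what gets signed: a hash of the origin the browser saw,
// the server's challenge and a monotonic counter. U2F signs a similar
// concatenation; the byte layout here is a simplification.
func signedMessage(origin string, challenge []byte, counter uint32) []byte {
	h := sha256.Sum256([]byte(origin))
	msg := append([]byte{}, h[:]...)
	msg = append(msg, challenge...)
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	return append(msg, c[:]...)
}

// Sign is the key's response to an assertion request. The browser, not the
// user, supplies origin, so a page at https://bank-login.example cannot
// claim to be https://bank.example.
func (k *SecurityKey) Sign(origin string, challenge []byte) ([]byte, uint32, error) {
	priv, ok := k.creds[origin]
	if !ok {
		return nil, 0, errors.New("no credential registered for " + origin)
	}
	k.counter++
	return ed25519.Sign(priv, signedMessage(origin, challenge, k.counter)), k.counter, nil
}

// RelyingParty is the server. It verifies against its own origin and the
// challenge it issued, never against anything the client claims.
type RelyingParty struct {
	origin  string
	pubKeys map[string]ed25519.PublicKey
	lastCtr map[string]uint32
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin: origin, pubKeys: map[string]ed25519.PublicKey{}, lastCtr: map[string]uint32{}}
}

// Challenge returns 32 fresh random bytes; each login gets its own.
func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// Verify checks the signature over the server's own origin and challenge.
// A counter that does not increase means a replay or a cloned key.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte, counter uint32) bool {
	pub, ok := rp.pubKeys[user]
	if !ok || counter <= rp.lastCtr[user] {
		return false
	}
	if !ed25519.Verify(pub, signedMessage(rp.origin, challenge, counter), sig) {
		return false
	}
	rp.lastCtr[user] = counter
	return true
}

// Scenario reports whether a genuine login succeeds and whether a relayed
// phishing login does.
func Scenario() (genuineOK, phishOK bool) {
	bank := NewRelyingParty("https://bank.example")
	key := NewSecurityKey()
	pub, _ := key.Register(bank.origin)
	bank.pubKeys["alice"] = pub

	// Genuine login: the browser is on the bank's origin.
	ch := bank.Challenge()
	sig, ctr, _ := key.Sign(bank.origin, ch)
	genuineOK = bank.Verify("alice", ch, sig, ctr)

	// Phish: the attacker's page relays a real challenge to the victim,
	// whose browser is on the attacker's origin. Even if the victim had
	// enrolled the key there (worst case), the signature covers the wrong
	// origin and a different key pair, so the bank rejects it.
	phish := "https://bank-login.example"
	key.Register(phish)
	ch = bank.Challenge()
	sig, ctr, err := key.Sign(phish, ch)
	phishOK = err == nil && bank.Verify("alice", ch, sig, ctr)
	return genuineOK, phishOK
}

func main() {
	g, p := Scenario()
	fmt.Println("genuine login accepted:", g, "| relayed phish accepted:", p)
}
```

Compare this with the one-time code above: a relayed code is indistinguishable from a genuine one, whereas a relayed security-key signature is useless to the attacker because the origin is baked into what was signed and the per-origin credential never matches. The counter check is the second defence the real protocol carries, catching a replayed assertion or a physically cloned key.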
Biometric factors are what biologically makes up the user, for example a fingerprint scan or facial recognition.
Biometric factors are no longer something we only see in science fiction films, with many phones and laptops now offering a fingerprint scanner and even facial recognition as a way of unlocking the device. Biometric factors are a strong MFA method, although not completely foolproof. People have managed to trick iPhone fingerprint scanners in order to gain access to other people's phones, so it is not out of the question that other biometric methods could be tricked too. Two caveats are worth keeping in mind: a biometric is not a secret (fingerprints are left on every surface you touch), and unlike a password it cannot be changed once a copy is in circulation. On most devices the biometric also only unlocks a locally stored secret, and a PIN fallback remains available, so the overall strength is bounded by that fallback.
The bigger problem with biometric factors is the difficulty of implementing them. If you are selling a device then it is easier (although still expensive) to include a fingerprint scanner. If you are selling some form of service, or something that requires an online account, then how can you include something like facial recognition in that process? The practical route today is WebAuthn: the user's own device (phone or laptop) acts as the authenticator, the biometric unlocks a private key held on that device, and the service verifies a signature rather than ever receiving fingerprint or face data. Support for this is still uneven, but the technology is constantly evolving and is expected to be more widely used in the coming years.
To summarize, it is important to require factors from more than one category when securing accounts and information, and to prefer phishing-resistant options (a security key or a device-bound WebAuthn credential) over codes sent by text or email where you can. Offering only one method of authentication greatly increases every user's risk of having their account compromised, which ultimately reflects badly on your business.
At Euclid Security we offer professional cyber security consulting services including auditing, vulnerability assessments, penetration testing, cyber security training, and much more. If you want to learn more about how we could help with ensuring the security of your business through authentication methods, don't hesitate to get in touch for a no-obligation discussion.