Authentication should be a relatable concept to nearly everyone. In its most basic form, authentication is proof of an identity, with identity being merely a claim of self. An example of this would be going to a party and introducing yourself to a group of people using your name. Without some type of proof, you’re only making a claim about who you are. Showing your driver’s license or passport to this group of people provides proof of your identity, and that proof is authentication. Let’s now leave the party example and discuss authentication in the digital world. Authentication can come in many forms and will typically require one of the following:
- Something you know
- Something you have
- Something you are
- Somewhere you are (less common)
Something you know is an almost ubiquitous form of authentication, as it applies to passwords, PINs, and the last 4 digits of a Social Security number. It is not only used to log in to websites but can also be used to identify yourself when calling into support at many organizations. Something you have can come in the form of an ID badge or key fob. Something you are typically relates to biometrics (thumb print, iris scan, etc.). Somewhere you are naturally associates you with a certain location.
This blog post will focus on what it means to have multiple forms of authentication by combining the factors above and why this is an increasingly important concept in today’s digital world.
Note: This will not cover every form of multi-factor authentication (MFA) available.
Why the Need?
Many issues exist with using a single form of authentication in the digital world. These include the use of simple passwords, users reusing passwords across multiple systems/websites, websites requiring password complexity, and breaches that may result in mass credential theft; passwords have been plagued by multiple issues over the years. To try to combat these issues, password managers and MFA were developed.
In most cases MFA solutions are incredibly easy to implement and come at a low cost. They are a great way to add layers of security to a password management system, an SSL VPN for users, an e-commerce or banking website, etc. Pro-tip – MFA solutions can be used across multiple systems, so find one that is supported across the different platforms and websites that you utilize.
Types of MFA
MFA can come in multiple forms, but the general concept remains the same. Once your username and password are entered and accepted, a second form of authentication is required to grant access. The second form of authentication will typically require the user to physically possess the device (i.e., Something you have or Something you are) that will provide the second set of credentials. Here are some examples:
Solution | Description | Pros/Cons |
U2F Tokens | Universal two-factor (U2F) is an open standard in which USB tokens are used for authentication. | Pros: Cons: |
Hardware Tokens with one-time codes | A small hardware token that can fit on a keychain, with a screen that outputs a one-time code to be entered into a prompt. | Pros: Cons: |
Applications with push notifications or one-time passwords | Applications that provide push notifications come in the form of prompts that are accepted/declined, or a code to be entered into a prompt. | Pros: Cons: |
Code by SMS | A six-digit code (usually) is sent by SMS to be entered into a prompt. | Pros: Cons: |
Recommendations
Before embarking on your search to determine which MFA solution is right for your company, we would first recommend determining what applications, services, and websites you want protected by a solution. Since not all MFA solutions can cover the same breadth of products, doing this exercise will sometimes eliminate options up-front. As shown in the table above, there are certainly types of MFA solutions that are more secure than others, but any MFA is more secure than single-form authentication.
U2F tokens are the most secure MFA solution currently available. Because of their limited support across applications, services, and websites, they may not be a viable MFA option depending upon what you’re trying to protect with MFA.
Hardware tokens are a great alternative to the U2F tokens, if you are looking for a solution that is supported across more products. Since they can be easily lost and create logistical issues when employees are remote or spread out geographically, they suffer from some of the same issues as U2F tokens.
Mobile applications for one-time passwords and push notifications are the next most secure on the list. These are widely utilized among organizations and home users because of the ever-growing list of supported applications, services, and websites. They are not as secure as the U2F or hardware tokens, but ease of use and supportability
SMS is the least secure method of MFA listed above. MFA over SMS has a documented history of being vulnerable to several types of attacks and should only be used as a last resort. Some of these are included below in the References section.
VENYU is Here
As always, if you have additional questions or would like someone to discuss MFA solutions in more depth with you, please open a support case using the customer portal (https://portal.myvenyu.com).
References
Can We Stop Pretending SMS is Secure Now?
https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/
A leaky database of SMS text messages exposed password resets and two-factor codes
https://techcrunch.com/2018/11/15/millions-sms-text-messages-leaked-two-factor-codes/