An important security concept that has cropped up over the past few years is Multi-Factor Authentication (MFA). Its predecessor, 2 Factor Authentication, has been around for decades but has become less common recently due to some inherent flaws. Put simply, both techniques improve security, but how? To get to that, let’s go through the MFA acronym backward, so I can explain how things come together.
Authentication is any process that verifies whether an individual is who they claim to be. There are several types of authentication in the world. We use driver’s licenses, passports, and social security numbers in the US to authenticate people every day. But we also do so instinctively every time we talk to someone we know by looking at them and comparing against our memories. We call this recognition and it’s the ultimate goal of any kind of authentication. Visual recognition is easy for humans who can see, but not all humans can see. So there are other ways to authenticate people. Voice, scent, and other attributes of an individual can all be used to identify them and authenticate who they are. One interesting example of authentication from WWII came about during the Battle of the Bulge.
During that long battle, the German military began dressing men who could speak English without an accent in American military uniforms so they could hopefully cross the lines and attack the American soldiers from behind, sowing confusion and disorganization. This turned out to be an effective trick until the Americans came up with an effective counter. Soldiers around the battle lines began asking baseball questions to verify that the soldiers were truly Americans. At the time, baseball actually was America’s pastime, and Germans had virtually no knowledge of the sport. Questions like “Who won the 1943 World Series” and “Who holds the record for most home runs ever” were pretty easy for any American to answer, but Germans would miss the details and be held immediately, either for more questioning or as POWs.
Whether authentication occurs through facial recognition, trivia questions, or other means, the technique used to validate someone falls under one of three classifications, or factors. Factors are broad classes of identifying information that can be used to authenticate someone. Each factor is something that is unique to you and is either “Something You Are,” “Something You Know,” or “Something You Have.”
Something You Are
This factor is usually considered the most secure and relies on your physical characteristics to authenticate your identity. One common term for this factor is “Biometrics.” Fingerprints, retina scans, and facial recognition are all biometric measurements that are unique to each individual and are regularly used to identify people. Biometrics are considered the most secure factor because they are a solid indicator that you are at least physically present when authenticating. There are some limitations to this, though, since it is technically possible to copy or spoof a fingerprint or facial scan. In addition, it can be very expensive to implement biometrics. As technology evolves, however, each of these becomes more accurate, less expensive, and more resistant to falsification.
Something You Know
By now, everyone is familiar with the traditional Username and Password authentication technique. Both of these are knowledge-based identifiers, “Something You Know.” Passwords, like the WWII baseball questions, allow you to identify yourself by providing a piece of knowledge that only you, or someone with permission, will know. Knowledge-based authentication is the easiest to implement in technology, but has some issues. The major weakness with this factor is, of course, the fact that there aren’t very many pieces of knowledge that can’t be guessed or uncovered with effort. Passwords in IT are susceptible to “brute force” attacks, where someone tries every possible combination of letters and numbers until they get the correct password. They also suffer from being discoverable through “phishing” attacks, where someone is tricked into disclosing a password or information that can be used to more easily guess a password.
Something You Have
If you’ve ever had to unlock a door, you’ve made use of this factor to authenticate. The key you use to unlock your door or start your car is considered “Something You Have.” This factor covers any physical object that can be used to identify you. The keys to your house, your phone, a credit card, and other physical objects that you keep with you regularly can be used to verify your identity. Unfortunately, this factor suffers badly from issues with theft. If someone steals your keys, they can get into your house. And once a physical identifier is compromised, it has to be completely replaced.
Kind of a weird heading, but as you may have noticed, each factor has some weaknesses that make it possible for someone who isn’t you to successfully authenticate as you. Each factor, on its own, is not always effective at preventing unauthorized access. Happily, using more than one factor together makes authentication much more secure. While it may be easy to fake one identification factor, it’s more difficult to fake two or three. Now, it’s important to note that you have to mix factors when doing this. Two passwords are not much stronger than one. A retina scan and fingerprint match aren’t more secure together than just the retina scan (which reminds me of a scene from an animated movie). To get a significant security impact, you have to combine techniques from different factors, at least one from each factor you use.
If you did much work with data that required high levels of security more than 10 years ago, you may have been familiar with 2 Factor Authentication using hardware tokens. The token would generate a password when you pushed a button, and that password was only valid for a short time (30-60 seconds or so). Entering that password validated the fact that you held one of the hardware tokens. This technique was quite effective for a while (when paired with username and password authentication), but eventually, some major issues with it came up. The software keys used to generate the passwords of hardware tokens made by one company were compromised through industrial espionage and made available publicly. When this happened, all of those hardware tokens were effectively useless. Password authentication still protected data, but the additional security was gone. It took a while for every hardware token to get tracked down and replaced. Until that happened, though, organizations that relied on those tokens were stuck.
Enter MFA. 2FA relies on a specific pair of authentication factors to identify users: it was always knowledge plus a physical object. MFA, on the other hand, allows end users to combine any two, or all three, of the available factors to authenticate. This gives organizations a lot more flexibility and keeps users from being stuck with a single point of failure when securing their data. Today, you can use any of a number of authentication tools to implement MFA. Think about those texts you get when you log in to your bank account on a new computer. That’s MFA in action. You have to enter the password to your account (something you know), and the text is sent to your phone number and received by your phone (something you have). There are also inexpensive fingerprint readers, facial recognition is built into phones now, and other tools are out there.
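To tie the last three paragraphs together (mixing factors, the short-lived token password, and MFA built from any two factors), here is an added Python example that is not from the original post: a time-based one-time password in the RFC 6238 style, and a login check that counts the distinct factors actually proven rather than the number of credentials typed. The seed, salt, stored record and credential names are constructed sample values.

```python
import hashlib
import hmac
import struct

FACTOR_OF = {"password": "know", "pin": "know", "totp": "have"}  # factor each credential proves
SEED = b"12345678901234567890"  # constructed: the RFC 6238 test-vector seed
SALT = b"constructed-salt"      # constructed: a fixed salt so the sample is reproducible

def pw_hash(value: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", value.encode(), SALT, 100_000).hex()

# Constructed stored record for one user: hashed knowledge secrets plus the token seed.
RECORD = {"password": pw_hash("correct horse"), "pin": pw_hash("4321"), "totp_seed": SEED}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, now // step, digits)

def verify_totp(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current period plus/minus `window` periods to tolerate clock drift."""
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))

def verified_factors(presented, record, now) -> set:
    """Distinct factors proven by the credentials that checked out, not a credential count."""
    proven = set()
    for kind, value in presented:
        if kind in ("password", "pin"):
            ok = hmac.compare_digest(pw_hash(value), record[kind])
        elif kind == "totp":
            ok = verify_totp(record["totp_seed"], value, now)
        else:
            ok = False  # credential type not enrolled for this user
        if ok:
            proven.add(FACTOR_OF[kind])
    return proven

def is_mfa(presented, record, now, required: int = 2) -> bool:
    """Password + PIN proves only 'know'; password + TOTP proves 'know' and 'have'."""
    return len(verified_factors(presented, record, now)) >= required
```

Anyone holding the seed can compute the same codes, which is why a leaked seed leaves only the password standing, exactly the situation the compromised tokens above produced.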
Hopefully, you understand MFA a little better and can see why the security world is recommending organizations implement MFA. It can sometimes be a pain to deal with MFA, but as I’ve mentioned elsewhere, security and easy don’t really mix.