We can think of Multifactor Authentication (MFA) as one or more additional steps that are required when authenticating against a system, after the first factor has been entered (for example, after entering the username and password), and before gaining access to a system.
Take online accounts as an example and imagine that your credentials have somehow been compromised, that is, someone has managed to obtain them. If you don’t have MFA set up, the attacker can access your account without any difficulty. With MFA active, after entering the username and password, the attacker is faced with a second authentication step that relies on a different factor.
The aim is that only the user, who is the true owner of the account, has the other factor(s) needed to access the system in question. This way, in a situation like this, the account will be protected, as it will be much more difficult for the attacker to overcome these other factors. But please notice that more difficult does not mean impossible.
Authentication factors
There are three primary authentication factors. They are:
- Something you know, which could be a password, a passphrase, a PIN, the answer to security questions, etc.
- Something you have, which refers to physical devices in your possession that can help you authenticate, such as a cell phone, a smart card, a hardware token, a memory card, a USB drive, etc.
- Something you are, that refers to a person’s physical characteristics, such as fingerprints, facial features, retina, iris, hand geometry, etc.
In addition to the three primary factors, attributes can be added, such as:
- Your location, based on a device, geographical location, a phone number, etc.
- Authentication by context, in which it is possible, for example, to configure working hours and disallow access to the account outside these hours. It can also include location and device type.
- Something you do, which could refer, for example, to the gestures used on mobile devices to unlock them by connecting dots, or the picture passwords supported by Windows 10, in which the user draws over an image on the screen.
Something you know
This factor is also known as knowledge-based authentication or type 1 authentication factor.
It means that the user indicates something they know in order to authenticate themselves to a system.
In the case of passwords, they can be simple or complex:
- People tend to use simple passwords, often related to their own information, because they are easier to memorize. When this is the case, passwords are easily discovered.
- When they use complex passwords, they end up writing them down somewhere, whether on post-its stuck to the monitor, in a notebook or even in a text file on the computer’s desktop. In these cases, the password is visible to third parties or, even if it isn’t visible, it can be found relatively easily.
The answer to both problems is a password manager, which organizes your credentials, stores them encrypted and, best of all, leaves you with a single password to memorize: the master password with which you unlock the password manager. This master password must be long (at least 12 characters) and, to make it easier to remember, it can be a passphrase.
Passphrases are passwords built from a phrase, which makes them easier to memorize and solves the complexity problem, especially when you mix upper and lower case letters, numbers and special characters. The phrase “I’m a visitor to YourInfoSec” can become the passphrase I’mAVisitorToYourInfoSec, long enough that guessing it by brute force is impractical.
Security questions are also made safer by answering them with a random string (kept in the password manager) instead of the real answer, which is often obvious to anyone who knows the user reasonably well; and with everything that is shared on social networks these days, finding the real answer may not be hard at all.
Something you have
This factor is also known as possession authentication or type 2 authentication factor.
Perhaps the most common method is One-Time Passwords (OTP) which, as the name suggests, are codes that can only be used once and which expire if they are not used within a certain period of time. They can be generated via:
- Software (soft tokens), such as the well-known authenticator applications: Google Authenticator, Microsoft Authenticator, Cisco Duo, etc.
- Hardware (hard tokens), which are dedicated hardware devices, such as the RSA SecurID.
In addition to the type of device on which they are generated, OTPs can be:
- Synchronous OTP, the most common and least complex kind. It can be time-based (TOTP, RFC 6238), where the code is derived from the current time window, usually 30 or 60 seconds, or counter-based (HOTP, RFC 4226), where it is derived from a counter that both the token and the server advance on each use. In both cases the token and the server share a secret and must stay in step, whether in time or in counter value.
- Asynchronous OTP, which is less common and more complex but offers a more robust layer of security: the server sends a challenge (a nonce) and the token computes the response from it, so the code is tied to that specific login attempt rather than to the clock or a counter.
Smart cards, on the other hand, are so called because they include an embedded integrated circuit that can perform calculations and generate unique authentication data for each transaction. They can be:
- Contact Smart Cards, in which the chip in the card needs to come into contact with the reader in order to receive energy and allow the transaction to be completed;
- Contactless Smart Cards, in which the reader sends signals that are strong enough to power and communicate with the chips, allowing them to make the calculations they need and respond to the reader.
Memory cards, on the other hand, simply store data on a magnetic stripe, usually on the back of the card, and the same data is read on every transaction; unlike a smart card, a memory card performs no computation, so it can prove nothing beyond the data it holds.
Something you are
Also known as biometric (or inherence-based) authentication or the type 3 authentication factor.
It is divided into:
- Physiological features, which can be fingerprints, the geometry of the hand, facial features, eye features (such as the iris and retina), etc.
- Behavioral characteristics, which can be the way a person writes, walks, talks, presses keys on a keyboard, etc.
Your location
The location can be obtained based on the IP address or by geolocation.
This type of control can block access from places where the user does not normally log in. It can even be a basic rule that a user cannot log in to their account from outside their workplace or, if they need to, must request an exception. Although this control is easily circumvented with a VPN, it is still a protection that makes sense.
Single Factor Authentication and Two-Factor Authentication
There is some confusion as to what is considered the use of authentication factors.
For example, if a system uses more than one type of authentication, but they are all of the same factor, this is not Multifactor Authentication but Single Factor Authentication. Examples in which, although different types of authentication are used, Multifactor Authentication does not occur:
- Using a username/password and answering security questions – both mechanisms belong to the something you know factor;
- The use of a token generated by Google Authenticator and another generated by RSA SecurID – both mechanisms belong to the something you have factor;
- The use of a fingerprint reader and a retina reader – both mechanisms belong to the something you are factor.
The combination of two factors, such as something you know and something you have, can be called Two-Factor Authentication.
The difference between Two Factor Authentication and Multifactor Authentication is that the former refers to the use of two factors and the latter to the use of two or more factors.
It is important to note that using different types of authentication for the same factor does not usually add security, as the same kind of attack can compromise both. In other words, a password plus a PIN does not guarantee that you are safer than with a password alone, since the attacks that discover the password (phishing, keylogging, credential leaks) discover the PIN as well. In contrast, when you combine different factors, such as a password and the OTP from a hardware token, the attacker would have to discover the password and physically steal the hardware token to access the account.
Weak and strong multi-factor authentication
Although Multi-Factor Authentication is a recommended setting, it does not by itself guarantee that your accounts are secure. For example, MFA by SMS is considered weak because of an attack known as SIM swap, in which criminals take control of the victim’s phone number, receive the code sent to it and are then able to log in to the victim’s accounts.
However, even if you use strong authentication factors, you should take a few things into account:
- When using an Authenticator that sends push notifications for the user to approve access, a distracted user, or one who doesn’t understand what is being asked, can approve a third party’s login without realizing it; attackers exploit this by triggering prompts repeatedly until one is approved;
- When using an Authenticator that sends notifications, generates a code, or asks you to enter a number shown on the site, although these are considered safe methods, the user can still be tricked by a fake site that looks identical to the real one and forwards everything typed into it to the real site in real time: first the username and password, then the OTP.
To overcome this, consider security keys or passkeys: the credential is bound to the site it was created for, so a fake site cannot use it, and a hardware key additionally has to be physically connected to the device you are logging in from, or brought close to it (NFC), for access to be granted.
And do you always have to be asked for the second authentication factor?
No, not always. For example, there are services that only ask you the first time you use a certain device. Then that device is authorized to access your account and is recognized as trustworthy, and it acts as a factor on its own. You will only be asked for the second factor when accessing from a device that the service does not recognize.
There are also services that allow you to store your data for a certain period of time, not asking for the second authentication factor until this period expires.
What if I lose the MFA method?
You should always consider alternatives to the MFA method you have set up. For example, some services provide backup codes that you can use if you lose access to the method you configured; store these codes somewhere safe. If you use a security key (such as a YubiKey) as your authentication factor, it is good practice to enroll a second security key to use in case you lose the first one, and even to keep that second key in a different physical location from the first.
A word about FIDO2
We can’t finish this article without talking, albeit very briefly, about Fast IDentity Online 2 (FIDO2). FIDO2 is an open standard for user authentication (the W3C WebAuthn API together with the FIDO Alliance’s CTAP protocol) that uses passkeys: credentials created with public key cryptography, for which a private key and a public key are generated. The private key is stored securely on the user’s device; the public key is sent to the service’s server and stored with the account (it is public, so it does not need to be kept secret).
The key pair is used to authenticate the user directly on their device, be it a computer, tablet, cell phone or security key. Every time the user logs in, the service sends the client a unique challenge. The device is unlocked by touch, fingerprint or face scan, or by entering a PIN, and then signs the challenge together with the origin of the site that requested it, returning the signature to the service. This is what makes the process phishing-resistant: the credential is scoped to the site it was registered with, and the signature is bound to the origin the browser actually sees, so a response produced on a fake site is not valid for the real one.
Because a different key pair is generated for each web application or website, passkeys also improve user privacy, as two services cannot use the credential to link a user’s accounts.
FIDO2 also enables passwordless login, meaning no password is used at all. This makes access not only more practical but also more secure, as the weaknesses of passwords are well known.
The first version (FIDO U2F), which introduced phishing-resistant Multifactor Authentication, was released in 2014, and the second (FIDO2), released in 2018, set the standard for authentication without passwords.
Conclusion
In conclusion, and despite all the information in this article, the main thing to remember is the importance of activating Multifactor Authentication on all your accounts that support it – this is something that can usually be done in the account settings.
Not all services use strong MFA, but even so, having MFA enabled, even if it’s weak, is better than not having it at all.
Audit your accounts now with a view to activating MFA on those you haven’t activated yet. It’s true that it will take some time, but in the end you’ll be reassured about the security of your accounts and the information they contain.
Thinking that it only happens to other people is not a good security strategy. Remember too that there are several ways to obtain credentials, through attacks that target the user directly or the service where their credentials are stored. We rarely know how services store our data, and numerous leaks have shown that there are still services that do not follow best practice for storing their users’ credentials.