Multi-Factor Authentication


Multi-factor authentication (MFA) or more narrowly two-factor authentication (2FA) is available on most information systems now, but not all authentication factors provide the same security. Let’s look at what an authentication factor is, why they’re used, and how they can best be implemented.

The Factors

In information security, authentication refers to the process of confirming a user or service is who or what they say they are. There are many methods of doing so, often grouped into “factors.” The common factors are:

  • something you know

  • something you have

  • something you are

  • somewhere you are

We already looked at the “something you know” factor in the form of passwords and pass phrases. PINs are another form of this knowledge factor, or those “security questions” like the name of your favorite teacher. (“Ask me something only I would know!”)

The “something you have” factor refers to a physical object in your possession. The key to your home is a possession factor that authenticates your access to your domicile. A debit card is an object that authenticates your access to money in an account. Probably the most common form of 2FA on websites indirectly uses your mobile phone as a possession factor by sending a text message to it, which you then have to relay back to the website.

“Something you are” is the most natural form of authentication: when you see someone you know or hear their voice, unless you’re Ethan Hunt you know who they are. For information systems, these inherent factors are almost always some form of biometrics. Fingerprint scanning (Touch ID), voice recognition, facial recognition (Face ID), retinal or iris scanning, DNA testing, gait analysis… anything that is inherently you and statistically unique.

Time vortices aside, “somewhere you are” is also a pretty naturally understood factor. If you come home to a broken flower pot, figuring out whether the doggo or Miley Cyrus is to blame usually does not take a lot of investigating. If you saw your boss enter her office this morning and didn’t see anyone else go in, you are probably not questioning who you hear typing at her desk. For our purposes, the location factor could be physical access to a machine (UAMDM) or connecting via LAN vs VPN or WAN.

Theory and Practice

The idea of using two or more factors for security rests on the observation that if one thing within a factor has been compromised, the entire factor likely has been, or can easily be, compromised. For example, if someone stole the key to your deadbolt, having a second key for your doorknob isn't much more secure, since the whole keychain was likely stolen.

In this vein, having to enter a password and answer a security question to log into a system doesn't add a second factor: both are things you know. Not that those questions are completely useless, but they should (1) be treated like a password (don't use "real" answers that can be found online) and (2) not mislead anyone about the security they provide.

Implicit factors can also lead to a false sense of security. A mobile device is a possession factor, but a phone number is not. NIST recommended against SMS 2FA back in 2016, and the EFF reiterated the vulnerabilities of the cell network a couple months ago. Apple, confusingly but with the right intention, does not even categorize SMS codes as 2FA, but instead calls them "two step verification." They reserve the moniker "two-factor authentication" for their proprietary iCloud codes, which do not share the same vulnerabilities. Google Authenticator type apps are also a more secure alternative to SMS.

A common retort is that SMS 2FA is better than no 2FA. But if better options exist, why choose the worst one? The gold standard in possession factor authentication used to be RSA SecurID key fobs, but the FIDO Alliance has championed several industry standards, which can be implemented using inexpensive devices like a YubiKey.

If you have any questions or concerns about the authentication being used to protect your business, reach out to us to set up a quick meeting or consultation. We offer a full array of cyber security services and products.