In recent years multi-factor authentication, or MFA, has become common terminology even outside of cyber security circles.
Advancements in threat actors’ sophistication, along with our reliance on the internet for secure transactions and communication, have changed the way both businesses and the general public gain access to sensitive digital environments, making MFA standard practice.
To access online services, particularly those containing sensitive data such as banking apps, corporate intranets or payment sites, users are now very rarely presented with the request for a password alone. Instead, users are increasingly required to prove their identity by providing multiple factors of authentication. In practice, this may be a text message with a one-time code sent to a phone number already on record, or a facial scan via a pre-authenticated mobile phone’s camera. But there are numerous options available.
Whether you’re considering employing MFA within your organisation or familiarising yourself with the concept of MFA and what does and does not constitute multi-factor authentication, this overview of the theory behind security factors should provide useful insight.
The Three Factors of Security
Security authentication can be broken down into three distinct factors:
Something You Know
The most common, traditional factor of security access. But unfortunately, the most vulnerable to a breach.
This factor includes but is not limited to: passwords, PIN codes, memorable phrases, and the answers to secret questions.
Ultimately, anything you are required to remember and then input upon request can be considered Something You Know.
Something You Have
An established but increasingly popular method of authentication, with a growing number of options for use.
This factor encompasses both physical objects (such as smart cards, keys, USB devices, etc.) and digital tokens (including codes within an authenticator app, a one-time password, or a time-sensitive PIN sent via SMS) delivered through pre-established connections.
Something You Are
This is one of the more recent developments in authentication for the general public, owing to advances in smartphone technology. Until fairly recently, this security factor was reserved for high-clearance corporate environments, but it is now becoming a realistic alternative to the Something You Have factor.
Something You Are refers to biometric data concerning parts of the user’s body that can be read and verified for the purposes of authentication. Commonly used scans include fingerprints, palms, retinas and irises, as well as voice verification.
Because biometric data is unique to the individual, the Something You Are factor is commonly considered the most secure method of authentication. It does carry one caveat: unlike a password, a biometric cannot be updated or replaced following a breach.
What Constitutes Multi-Factor Authentication?
In simple terms: authentication becomes multi-factor when it requires at least two of the above three security factors to grant access.
A combination of a password (Something You Know) and a digital token (Something You Have) is perhaps the most common, but more and more software applications are now enabling users to combine facial and fingerprint scans (Something You Are) with their password in order to access their secure resources.
What Does Not Count As Multi-Factor Authentication?
Before one-time codes and authentication apps became widely used, many secure websites and environments relied upon additional forms of passwords to provide depth to their defences. Whether that was a memorable phrase from which the user was required to input a random selection of characters, or an answer to a secret, memorable question, it provided an extra step in the access journey after a user’s initial password was supplied.
However, in the context of multi-factor authentication, an answer to a secret question or a memorable phrase would not constitute true MFA. Why? Because these elements of security all refer to Something You Know and are subsequently only a single factor of authentication.
Should this factor become compromised, or should the threat actor attempting to bypass your security have the means to brute-force their way through, no further authentication is required of the user. Therefore, multiple passwords should not be considered MFA and, in practice, do very little to enhance access security. Where possible, organisations and users reliant on multi-password access should opt to enable MFA instead.
Multi-Factor Authentication in 2023
The latest trends in MFA surround advancements in employing cost-effective, workable combinations of Something You Know and Something You Have factors to help secure organisations and their users from the threat of a malicious breach.
However, no cyber security defence is infallible. A growing number of adversary-in-the-middle phishing attacks, wherein threat actors proxy legitimate Something You Have authentication interfaces (such as SMS codes and authenticator apps), have given rise to a shift towards phish-resistant MFA.
Phish-resistant MFA is that which cannot be imitated or proxied, whether through the use of a physical security key (such as a YubiKey) or biometric identification (such as Windows Hello for Business, which utilises a user’s facial or fingerprint scan from an authorised device). If your business already has an established MFA strategy in place, the next step along your security journey should be ensuring your MFA is resistant to this tactic.
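What makes security keys and Windows Hello resistant to proxying is origin binding: the browser, not the web page, records the site's origin in the data the authenticator signs, so the service can reject an assertion that was created on any other domain, which is exactly what a relayed login through a look-alike site produces. The Go program below is an added illustration of that relying-party check and is not code from the original article or from any FIDO library; it models a WebAuthn-style assertion with a simplified authenticator-data layout, and names such as bank.example and the challenge value are constructed.

```go
package main

import "crypto/ecdsa"
import "crypto/elliptic"
import "crypto/rand"
import "crypto/sha256"
import "encoding/json"
import "errors"

// clientData mirrors WebAuthn clientDataJSON; the browser fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// assertion is what the relying party receives; AuthData begins with sha256(rpId).
type assertion struct{ ClientDataJSON, AuthData, Sig []byte }
// signedMessage is what the authenticator signs: sha256(authData || sha256(clientDataJSON)).
func signedMessage(authData, cd []byte) []byte {
	h := sha256.Sum256(cd)
	m := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return m[:]
}
// signAssertion models the authenticator on the user's device (flags byte simplified).
func signAssertion(priv *ecdsa.PrivateKey, rpID, origin, challenge string) assertion {
	cd, _ := json.Marshal(clientData{"webauthn.get", challenge, origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cd))
	return assertion{cd, authData, sig}
}
// verifyAssertion is the relying-party check: type, challenge, origin and rpIdHash
// must all match what the RP expects before the signature is even considered.
func verifyAssertion(pub *ecdsa.PublicKey, a assertion, rpID, origin, challenge string) error {
	var cd clientData
	if json.Unmarshal(a.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("malformed client data, wrong type or stale challenge")
	}
	if cd.Origin != origin { // an assertion relayed from another site fails here
		return errors.New("origin mismatch: " + cd.Origin)
	}
	if rp := sha256.Sum256([]byte(rpID)); len(a.AuthData) < 33 || string(a.AuthData[:32]) != string(rp[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Sig) {
		return errors.New("signature invalid")
	}
	return nil
}
// newKey stands in for the credential key pair created at registration.
func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
```

An SMS or authenticator-app code carries no equivalent of the origin field, which is why it can be relayed and a WebAuthn assertion cannot.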
Are you looking to employ multi-factor authentication within your organisation? Threatscape’s expert engineers have a wealth of experience in corporate MFA strategies, with a deep understanding of the various methods of secure access and their associated compliance. Contact us today and a member of our team will be in touch to discuss your specific requirements.