Giving that authentication in general is the process of verification of that the user attempting to access certain end-points, data or functionality really is the person or entity they states to be, multifactor authentication is one of the general approaches or methods used to resolve this task.
Classic authentication methods are usually one-factor: a password (if you know it, you are authorized), a key (if you have it, you can access) and so on. The concept of multifactor authentication requires the authentication process to include verifications from at least two of three categories:
- Something a user knows (password, PIN, secret question answer, etc.)
- Something a user possesses (key, device token, bankcard, smartphone, etc.)
- Something a user is – personal biometrics (fingerprint, eye iris, voice, etc.)
Some vendors may add location and time slot verification to this canonical definition.
Thus, two-factor authentication aka two-step verification aka 2FA combines two aspects from this list to confirm user identity. As biometric scanning requires specific equipment, both business and consumer computer systems tend to use the first two – knowledge and possession.
With the growing attention to the security and authentication as the main door to the treasury, many vendors put efforts to strengthen this process. But do not be caught by the marketing wording, not all multistep authentication can be called multifactor.
For example, a set of secret questions or secret images following the credential verification screen still represents a knowledge component. Will “What’s our boss nickname?” be a good second line of defense? Heh, not from a colleague who likes to borrow others’ passwords.
Another example of double knowledge-based authentication is password + verification code sent to the user’s email. Email can be accessed from any location using just another knowledge – email account password. At the same time, sending this verification code as an SMS to the user’s smartphone represents possession factor validation and thus can form 2-factor authentication together with the credentials verification.
Two schemes described above can be examples of so-called strong authentication. But remember, while any multifactor authentication is strong, not all strong authentication is multifactor.
As it was mentioned above, while biometrics is widely used in the control systems serving restricted access locations, national level identity management processes like biometric IDs, and now even your smartphones, computer system vendors prefer to rely on the knowledge and possession factor combination.
Knowledge aspect is traditionally represented by the credentials – user name and password. The whole bunch of underlying technologies serve to strengthen this part of authentication: password vaults, password management systems, one-time passwords, and so on.
We can find a greater variety of methods to implement possession factors. Examples can be as simple as a card-key or more sophisticated as a specific device created for this purposes – device token. Usually device tokens contain a piece of software that generates a validation code when connected to the end-point (connected tokens) or independently (disconnected tokens).
As the need of carrying along a specific device all the time can cause some inconveniences for the users, as well as the need to produce, maintain and replace those devices supposes additional costs, the industry had to make the second step. It started to work around the ideas on how to implement 2-factor authentication with some device that virtually any user already has. A smartphone.
Mobile-delivered tokens are included in the significant part of all multi factor identification examples. They land at the user’s smartphone as an SMS or a message in the specific app.
While very convenient, this approach has several drawbacks.
The first one is valid for all generated tokens: they need to be generated dynamically and security of the process will heavily depend on the corresponding algorithm. Passcodes should be valid only for a limited period of time, expire after the first usage, and constantly change avoiding blind guessing.
Another drawback is that the security of the message delivery fully depends on the mobile operator’s operational security and may experience such breaches as wiretapping or SIM cloning.
And finally, the user should be connected to the cell network and/or Internet when receiving these tokens.
To answer these drawbacks, the industry introduced some analogues of disconnected tokens for smartphones, one of which is known as the open time-based one-time password algorithm or TOTP. Popularized by Google and Amazon, this approach gets more and more adoption.
In a nutshell, at authentication, user starts a specific app on his or her smartphone and generates a passcode, which then enters in the authentication window. At the system side, the algorithm generates a validation code based on the same timeslot and initial vector, assigned to this specific user and device. If the provided passcode and verification code match, the access is granted.
Although all described approaches of dual factor authentication improve security, there are several general problems still actual for them.
We would not discuss the problem of somehow longer and more complex process of access from a user standpoint, but from the security perspective, the weakest part of many two-factor auth systems is the recovery process. Usually this process includes only one factor, such as resetting a password using the link sent by email, and thus is vulnerable. Several big two-factor authentication system breaches discussed in media were attributed to this very factor.
In the internal business computer systems, when the number of users is comparably small and the authentication process is controlled by the in-door team, recovery process can be manual or semi-manual, which takes more time but provides much better security.
During the last several years, multi-factor authentication is popularized for a broad variety of applications. With digital security being a constantly hot topic, users are encouraged to use multifactor authentication in all personalized systems.
From the consumer perspective, it is somehow new. While people got used to this kind of multistep verification when working with ATMs or online banking, using additional factors to authorize in social networks or personal cloud storage can be a novelty for many users.
Nevertheless, you can switch on this option now in many social platforms including Facebook, Twitter, LinkedIn, Instagram, and others. It is also available in Dropbox, Google products, Microsoft systems and many more popular solutions and cloud-based platforms.
For businesses, multifactor authentication and 2FA in particular is a familiar practice and even a regulatory requirement. For example, PCI DSS req. 8.3 (from the v 3.2) prescribes to use multifactor authentication for all network access to the card data environment, both remotely from outside the network and within the trusted network as well.
Summarizing best security practices, this enhanced identity validation should be applied for such tasks:
- Confirmation of critical actions and transactions
- Access to the critical end-points
- Access to the critical data
Although these tasks are naturally interconnected, we distinguish them to better specify the moments in the business processes when the multi-factor authentication is activated.
The market of enterprise solutions for multifactor authentication is big and growing. A company can cover its needs by using in-built two-factor authentication options that some big IAM management and security management systems have, or choose among the specialized solutions delivering customizable two-factor authentication tools for the entire corporate infrastructure.
Although usually these systems are associated with considerable costs and may require additional training for the employees, they significantly improve the company security profile.
Being a user activity monitoring and security audit solution in its core, Ekran System 5.2 delivers in-built two-factor authentication options to protect corporate servers within its access management feature set.
The implemented second factor approach is centrally managed TOTP based authentication.