Our last blog highlighted two-factor authentication (2FA) and some very real drawbacks in terms of both the user experience and best-in-class security. Multi-factor authentication (MFA), as the name implies, includes 2FA but isn’t limited to just two factors. So, can we increase security by adding more factors to the authentication process?
Typically MFA requires factors from at least two of the categories we discussed in the last blog: knowledge (something you know), possession (something you have), and inherence (something you are).
Knowledge factors are the most common, especially passwords and PINs. But “secret questions” are increasingly popular. Less secure are questions many people may already know or quickly find out using social media, such as where you were born or what high school you went to. More obscure questions, like the first name of your childhood friend, are more secure, and better yet are questions you write yourself (provided you invent good ones). Bet you don’t know the code name I used for my brother in my childhood journal!
Possession factors include things like your ATM card, ID badge or a key-fob token issued by the company whose systems you’re accessing. Codes texted to your phone are considered possession factors, since in theory you have to be in possession of the physical phone the code is texted to. But in reality, hackers can intercept the codes without having the phone — making this increasingly common factor a real security risk.
Inherence factors usually involve biometric methods such as fingerprint readers, retina scanners or voice recognition. These are usually too expensive for most situations, and often they don’t work nearly as well as our favorite TV shows and sci-fi movies lead us to expect.
There are lots of other MFA options, like SMS codes, which don’t fit neatly into any of these three categories. The IP address and other characteristics of your machine are usually bundled into “device fingerprinting” or “device recognition.” Some solutions can track how you interact with a given device and flag irregular keystroke or mouse movements (“behavioral biometrics”). Some solutions can remember where and when you last logged on and calculate whether a subsequent logon attempt from another location is physically unlikely (“geo-location”).
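The "geo-location" check described above is easy to reason about in code. The following is an added example, not code from the original post or from SecureAuth: it keeps the location and time of each account's previous logon and flags a new attempt when the implied travel speed between the two is physically implausible. The speed threshold, the account names and the coordinates are constructed for illustration, and the example assumes that an upstream step has already resolved each logon's IP address to approximate latitude/longitude.

```python
"""Impossible-travel ("geo-location") check, added as an illustration of the
adaptive signal described in the post. Assumes IP-to-location resolution has
already happened upstream; all sample data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import radians, sin, cos, asin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumed policy threshold: anything faster than a commercial airliner is
# treated as "physically unlikely" and should trigger a step-up challenge.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


@dataclass(frozen=True)
class Logon:
    user: str
    when: datetime      # timezone-aware UTC timestamp
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(prev: Logon, curr: Logon) -> float:
    """Speed the user would have needed to travel from prev to curr."""
    distance = haversine_km(prev.lat, prev.lon, curr.lat, curr.lon)
    hours = (curr.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:
        # Same instant or clock skew: moving any distance is infinitely fast.
        return float("inf") if distance > 0 else 0.0
    return distance / hours


def is_impossible_travel(prev: Logon, curr: Logon,
                         max_speed: float = MAX_PLAUSIBLE_SPEED_KMH) -> bool:
    return implied_speed_kmh(prev, curr) > max_speed


def evaluate_logons(logons):
    """Replay a list of logons in time order, remembering the last one per
    user, and return (user, timestamp) for each attempt flagged as
    impossible travel. In production only *successful* logons would update
    the remembered location; here every event does, for simplicity."""
    last_seen = {}
    flagged = []
    for logon in sorted(logons, key=lambda l: l.when):
        prev = last_seen.get(logon.user)
        if prev is not None and is_impossible_travel(prev, logon):
            flagged.append((logon.user, logon.when))
        last_seen[logon.user] = logon
    return flagged


# Constructed sample: alice commutes New York -> Boston (plausible), then
# "appears" in London half an hour later (implausible). bob stays put.
UTC = timezone.utc
SAMPLE_LOGONS = [
    Logon("alice", datetime(2024, 5, 1, 9, 0, tzinfo=UTC), 40.7128, -74.0060),   # New York
    Logon("alice", datetime(2024, 5, 1, 12, 0, tzinfo=UTC), 42.3601, -71.0589),  # Boston
    Logon("alice", datetime(2024, 5, 1, 12, 30, tzinfo=UTC), 51.5074, -0.1278),  # London
    Logon("bob", datetime(2024, 5, 1, 8, 0, tzinfo=UTC), 41.8781, -87.6298),     # Chicago
    Logon("bob", datetime(2024, 5, 1, 10, 0, tzinfo=UTC), 41.8781, -87.6298),    # Chicago
]

if __name__ == "__main__":
    for user, when in evaluate_logons(SAMPLE_LOGONS):
        print(f"step-up challenge for {user}: impossible travel at {when.isoformat()}")
```

Note that the check only tells you an attempt is unlikely, not that it is malicious; VPN exits and mobile carrier gateways routinely geolocate far from the user, which is why an adaptive system uses this as one signal to trigger an extra factor rather than as grounds to block outright.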
Undoubtedly, adding more factors adds layers of security, and that’s definitely a good thing!
But remember how our highlighted drawback to 2FA called out the constant inconvenience for users? Well, depending on your set-up and options, MFA without adaptive authentication can take the user experience from “inconvenient” to “really annoying.” Users (think critical care providers like doctors or others in healthcare) cannot be constantly challenged for additional authentication factors or blocked from access without good reason. This not only causes frustration and hampers business operations or patient care, but it can also overload your help desk — driving up support costs in multiple ways.
But what if there were a way to MFA better? There is. And you can learn all about it in our blog post, “What is adaptive authentication?”
SecureAuth helps prevent the misuse of stolen credentials. To learn more, contact us today!