Multifactor authentication (MFA) is a security control that requires a user to present more than one kind of credential to verify their identity before being granted access to a network or system.
Multifactor authentication combines two or more credentials: what the user knows (password), what the user has (security token) and what the user is (biometric verification). The goal of MFA is to create a layered defense and make it more difficult for an unauthorized person to access a private network, database, or program. If one factor is compromised, the attacker still has more barriers to breach before successfully hacking into the target.
- Swiping a card and entering a Personal Identification Number (PIN).
- Logging into a website and being asked to enter a one-time password (OTP) that the website’s authentication server sends to the requester’s phone or email address.
- Downloading a Virtual Private Network (VPN) client with a valid digital certificate and logging into the VPN before being granted access to a network.
- Swiping a card, scanning a fingerprint, and answering a security question.
- Attaching a Universal Serial Bus (USB) hardware token that generates an OTP to a desktop, then using that OTP to log into a VPN client.
One of the most significant problems with a traditional user ID and password login is the need to maintain a password database with routine password updates. Whether the stored passwords are encrypted or not, if the database is captured it gives an attacker the opportunity to recover the passwords quickly. Password cracking software has advanced rapidly as attacks on such databases have increased.
An authentication factor is a credential used for identity verification. For MFA, each additional element is intended to increase the assurance that a person or an object requesting access to a system is who they say they are. The three most common multifactor authentication categories are something you know (the knowledge factor), something you have (the possession factor), and something you are (the inherence factor).
- Knowledge factors – information that a user must be able to provide to log in. User names or IDs, passwords, PINs, and the answers to secret questions all fall under this category.
- Possession factors – anything a user must have in their possession to log in, such as a security token, an OTP token, a key fob, an employee ID card, or a phone’s Subscriber Identity Module (SIM) card.
- Inherence factors – any of the user’s biological traits that are confirmed for login. This category covers the range of biometric authentication methods such as retina scans, iris scans, fingerprint scans, finger vein scans, facial recognition, voice recognition, hand geometry, and even earlobe geometry.
- Location factors – the user’s current location is often suggested as the fourth factor for authentication.
- Time factors – the current time is also sometimes considered a factor for authentication. Verification of employee IDs against work schedules could prevent some kinds of user account hijacking attacks. A bank customer can’t physically use their Automated Teller Machine (ATM) card in America, for example, and then in Russia 15 minutes later. These kinds of logical locks could prevent many cases of online bank fraud.
Multifactor Authentication Technologies:
- Security tokens: small hardware devices used to authorize access to a network service. They may take the form of a smart card or be embedded in an easily carried object such as a key fob or USB drive. Hardware tokens provide the possession factor for multifactor authentication. Software-based tokens are becoming more common than hardware devices.
- Soft tokens: Software-based security token applications that generate a single-use login PIN. Soft tokens are often used for multifactor mobile authentication, which provides the possession factor.
- Mobile authentication: Short Message Service (SMS) messages and phone calls sent to a user as an out-of-band method, smartphone OTP apps, SIM cards, and smartcards with stored authentication data.
- Biometric authentication: methods such as retina scans, iris scans, fingerprint scans, finger vein scans, facial recognition, voice recognition, hand geometry, and even earlobe geometry.
- Global Positioning System (GPS): smartphones can also supply the user’s location as an authentication factor using their onboard GPS hardware.