MFA protects your applications by requiring a second source of validation before granting users access. Personal devices, such as a phone or a token, as well as geographic or network locations, are common examples of additional authentication factors. MFA enables organizations to validate user identities before granting access to critical systems.
Why is multi-factor authentication required?
As organizations digitize operations and assume greater liability for storing customer data, the risks and need for security grow. Because attackers have long used user login data to gain access to critical systems, verifying user identity has become critical.
Authentication based solely on usernames and passwords is unreliable and cumbersome, because users may have difficulty storing, remembering, and managing them across multiple accounts, and many reuse passwords across services and create passwords that lack complexity. Passwords are also insecure due to the ease with which they can be obtained via hacking, phishing, and malware.
What are some examples of multi-factor authentication?
Cloud-based authenticator apps like Duo are designed to provide a smooth login experience with MFA. They are designed to work in tandem with your security stack. You can use Duo to:
- Verify user identities in seconds.
- Safeguard any application on any device, from anywhere.
- Add MFA to any network environment.
How does multi-factor authentication work?
MFA necessitates verification methods that unauthorized users will lack. Because passwords are insufficient for verifying identity, MFA requires multiple pieces of evidence to verify identity. The most common type of MFA is two-factor authentication (2FA). The theory goes that even if threat actors can impersonate a user with just one piece of evidence, they won't be able to provide two or more.
A proper multi-factor authentication scheme uses factors from at least two distinct categories. Using two from the same category does not meet MFA's goal. Despite widespread use, the password/security question combination falls entirely under the knowledge category and does not qualify as MFA. A password and a temporary passcode do qualify, because the passcode is a possession factor, proving ownership of a specific email account or mobile device.
Is multi-factor authentication difficult to use?
Multi-factor authentication adds an extra step or two to the login process, but it is not complicated. The security industry is developing solutions to streamline the MFA process, and authentication technology is becoming more intuitive as it evolves.
For example, biometric factors such as fingerprints and face scans provide quick and dependable logins. New technologies that use mobile device features like GPS, cameras, and microphones as authentication factors promise to improve the identity verification process even further. Simple methods, such as push notifications, only require a single tap on a user's smart phone or smart watch to verify their identity.
How do businesses get started with MFA?
MFA has been incorporated into the security settings of many operating systems, service providers, and account-based platforms. Using MFA for single users or small businesses is as simple as going to the settings for operating systems, web platforms, and service providers and enabling the features.
Larger organizations with their own network portals and complex user-management challenges may need to use an authentication app like Duo, which adds an extra authentication step during login.
MFA vs single sign-on (SSO)
MFA is a security enhancement, whereas SSO is a system for increasing productivity by allowing users to use a single set of login credentials to access multiple systems and applications that previously required separate logins.
SSO complements, but does not replace, MFA. Companies may require SSO (so that corporate email addresses are used to log in) in addition to multi-factor authentication. SSO authenticates users using MFA and then shares the authentication with multiple applications via software tokens.
What exactly is adaptive authentication?
Authentication rules in adaptive authentication are continuously adjusted based on the following variables:
- By user or group: for individual users or groups of users defined by role, responsibility, or department
- By authentication method: for example, allowing users to authenticate via push notification but not SMS
- By application: to impose more secure MFA methods, such as push notification or Universal 2nd Factor (U2F), for high-risk applications and services
- By geographic location: to restrict access to company resources based on a user's physical location, or to set conditional policies that restrict the use of certain authentication methods in some locations but not others
- By network information: using the IP address of the network in use as an authentication factor and blocking authentication attempts from anonymous networks such as Tor, proxies, and VPNs
Advantages of Multi-Factor Authentication
Increased trust
Hacking and phishing attacks can be costly. Because MFA helps secure systems against unauthorized users and the threats they bring, the organization is more secure overall.
If organizations are hesitant to ask users to comply with tighter security, they should consider that users, particularly customers, may appreciate the extra security for their data. Customers who trust a vendor's security measures are more likely to trust the organization as a whole, so MFA becomes a significant competitive advantage.
Cost Savings
Successful attack defenses can provide a return on investment that more than covers the cost of an MFA solution, such as preventing a costly and damaging attack on network resources. Even if it does not prevent attacks, MFA can save organizations money by allowing IT departments to deploy resources to protect other parts of networks from various threats.
Logins become easier.
As multi-factor authentication technology advances, making greater use of passive methods such as biometrics and software tokens, it becomes more user-friendly. Simple MFA processes allow users to log in more quickly, allowing workers to be more productive.
Login issues can result in lost sales in e-commerce. User-friendly MFA processes that improve the user experience can assist customers in logging in and, as a result, purchasing products.
MFA techniques
The most commonly used tool in MFA solutions is knowledge (typically a password). Despite their simplicity, passwords have become a security risk and a productivity drain.
Users today have far too many passwords; in order to simplify management, users create passwords that are insecure or are used repeatedly across platforms. Another disadvantage is that knowledge can be forgotten or, if stored somewhere, stolen.
Another popular but now-defunct knowledge method is the security question, which requires the user to save the answer to a personal question in their profile and then enter it during login. Many users consider this process to be onerous due to the requirement for repeated data entry as well as storing and managing their answers.
The dynamic security question, which is more effective and user-friendly, typically asks for contextual information that the user has access to, such as a recent financial transaction.
Physical factors, also known as possession factors, use tokens, such as a USB dongle or a portable device, to generate a temporary QR (quick response) code. Mobile phones are widely used because they are readily available in most situations.
On the plus side, physical factors exist outside of the network and are typically difficult to spoof. However, phones can be lost or stolen, and mobile networks can have their own security flaws.
Virtual "soft" tokens are cookies or pieces of code that are stored in such a way that they effectively transform a device into a physical token. Soft tokens may not be suitable for all users because they require software and expertise to use properly. Furthermore, soft tokens can be copied, which could lead to unauthorized use.
The U2F standard combines a USB or near-field communication (NFC) token with an open-standard application, making it simple to use additional authentication factors with platforms that support them.
Inherent
This category includes biometrics such as fingerprint, face, and retina scans. As technology advances, it may also include voice ID or other behavioral inputs such as keystroke metrics. This category holds promise because inherent factors are consistently unique, always present, and secure.
However, because not all devices have the necessary software, processing power, and hardware features (such as microphones and cameras), some users may be unable to benefit from these advances in MFA usability and security.
Location-based and time-based
Authentication systems can use GPS coordinates, network parameters, and metadata for the network in use, as well as device recognition for MFA. Adaptive authentication combines these data points with historical or contextual user data.
These factors have the advantage of operating in the background, requiring very little input from users, and thus do not impede productivity. However, because they require software and expertise to use, they are mostly appropriate for large organizations with the resources to manage them.
Time-based one-time password
This is commonly used in 2FA, but it could apply to any MFA method in which a second step is introduced dynamically at login after completing a first step. The wait for the second step, in which temporary passcodes are sent via SMS or email, is usually brief, and the process is simple to use for a wide range of users and devices. This method is currently widely used.
On the operational side, two-step authentication requires software or an outside vendor to provide the service. As with using mobile devices as physical tokens, mobile networks can introduce their own security issues.
The security key is typically a QR code that the user scans with a mobile device to generate a series of numbers. The user then enters those numbers into the website or application to gain access. Passcodes expire after a certain period of time, and a new one is generated the next time a user logs into an account.
Social media
In this case, a user authorizes a website to use their social media username and password for login. This provides an easy login process that is generally available to all users.
However, social media networks are frequently the target of online criminals because they provide a rich source of user data. Furthermore, some users may be concerned about the security and privacy implications of sharing logins with social media networks.
Risk-based authentication
This method, also known as adaptive multi-factor authentication, combines adaptive authentication with algorithms that calculate risk and observe the context of specific login requests. The goal of this method is to reduce redundant logins and provide a more user-friendly workflow.
Risk-based authentication can be a significant time saver for users who have multiple logins for different systems. However, it requires software that learns how users interact with a system as well as IT expertise to deploy and manage.
Push-based 2FA
Push-based 2FA improves on SMS and TOTP 2FA by adding additional layers of security while improving usability. It confirms a user's identity with multiple authentication factors that other methods cannot. Because push-based 2FA sends notifications via data networks such as cellular or Wi-Fi, users must have data access on their mobile devices in order to use the 2FA functionality.
Some things to think about before enabling multi-factor authentication
Passwords are difficult. The (seemingly endless) list of security requirements is meant to make passwords more secure, but in many cases, it has had the opposite effect. Complex passwords that meet all security requirements are often difficult to remember, so they are reused across multiple sites. Users scribble them on sticky notes. They incorporate easily discoverable pet names, birthdays, and phone numbers. It is not a secure method of data storage.
Thankfully, organizations are beginning to not only understand, but also support, the idea that while access should be difficult for hackers, it should be simple for legitimate users. Multi-factor authentication, or MFA, is the best way to accomplish this. MFA is an excellent way to protect your users' apps and services from unauthorized access. Here are some points to think about as you plan your deployment.
User education
You're implementing multi-factor authentication to reduce security risks associated with password-only access, but some users may find it inconvenient. They may be concerned that this process change will consume time that they believe could be better spent elsewhere; after all, entering an OTP or accepting a push notification does add time to the login process. Nonetheless, it's critical that everyone — from management to IT teams to security teams to end users — understands why you're implementing MFA. It is critical to obtain buy-in from the entire organization to ensure that everyone plays a role in keeping the company secure. Do this through education, so that each user understands the security benefits they contribute to by taking this extra step.
For example, a common approach is to send out emails from IT about upcoming changes well in advance of when these changes will occur. Include screenshots, FAQs, and contact information so employees can reach out for help.
Examine your MFA policies
A good MFA deployment will balance security and usability to avoid becoming too onerous, so think about how you define MFA policies to govern how and when a second factor is required. It may seem counterintuitive, but sometimes the key is to prompt for step-up authentication less frequently rather than more frequently. Step-up authentication challenges should be triggered only when necessary by a well-thought-out risk-based policy configuration.
For example, a policy could require a second factor every 8 hours when logging in from a known network, or only when logging in from a new device or geolocation. Perhaps you have a specific group of user accounts with broad access to sensitive data that require a stricter policy. For example, developers in your organization with access to source code or executives with access to sensitive data may need to provide a stronger factor type or require additional MFA prompts when logging into sensitive apps. MFA allows you to require a second factor when these types of user groups attempt to access the sensitive resource but not, say, when they access the company events calendar. The basic idea is that additional verification should be as transparent to the user as possible in order to foster a good user experience without compromising security.
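The policy rules in this section (a second factor every 8 hours on a known network, a prompt on a new device or geolocation, stricter factors for privileged groups on sensitive apps, and the adaptive-authentication variables listed earlier, including blocking anonymous networks) can be expressed as an ordered rule set. This is an added example, not the configuration of any product mentioned on the page; the application names, group names and factor labels are hypothetical. It also includes the distinct-category check from the "How does multi-factor authentication work?" section.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Authentication factor categories; two factors from the same category are not MFA.
CATEGORY = {
    "password": "knowledge", "security_question": "knowledge",
    "sms": "possession", "totp": "possession", "push": "possession", "u2f": "possession",
    "fingerprint": "inherence", "face": "inherence",
}
SECOND_FACTORS = frozenset(f for f, c in CATEGORY.items() if c != "knowledge")
STRONG_FACTORS = SECOND_FACTORS - {"sms"}  # SMS excluded for high-risk access, as the text advises

# Hypothetical application and group names used only to illustrate the policy.
SENSITIVE_APPS = {"source-control", "finance-reports"}
PRIVILEGED_GROUPS = {"developers", "executives"}
REAUTH_INTERVAL = timedelta(hours=8)


@dataclass(frozen=True)
class LoginContext:
    user: str
    groups: frozenset
    app: str
    network_known: bool      # corporate network or another trusted range
    device_known: bool       # device seen before for this user
    geo_known: bool          # login from a usual location for this user
    anonymous_network: bool  # Tor exit, open proxy or commercial VPN
    last_mfa_at: Optional[datetime]
    now: datetime


@dataclass(frozen=True)
class Decision:
    action: str                       # "allow", "prompt" or "deny"
    factors: frozenset = frozenset()  # second factors permitted when prompting
    reason: str = ""


def is_valid_mfa(factors) -> bool:
    """True only when the presented factors span at least two distinct categories."""
    return len({CATEGORY[f] for f in factors}) >= 2


def evaluate(ctx: LoginContext) -> Decision:
    """Rules are ordered from most to least restrictive; the first match wins."""
    if ctx.anonymous_network:
        return Decision("deny", reason="anonymous network")
    if ctx.app in SENSITIVE_APPS and ctx.groups & PRIVILEGED_GROUPS:
        return Decision("prompt", STRONG_FACTORS, "privileged user on sensitive app")
    if not ctx.device_known or not ctx.geo_known:
        return Decision("prompt", SECOND_FACTORS, "new device or geolocation")
    if not ctx.network_known:
        return Decision("prompt", SECOND_FACTORS, "unknown network")
    if ctx.last_mfa_at is None or ctx.now - ctx.last_mfa_at >= REAUTH_INTERVAL:
        return Decision("prompt", SECOND_FACTORS, "known network, no MFA in the last 8 hours")
    return Decision("allow", reason="known network and device, recent MFA")
```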
Plan for a wide range of access requirements.
There will be cases where a user has internet access but receives little or no service from their cell phone carrier. This could be on a Wi-Fi-enabled airplane, in a rural home, or simply in the basement of a large concrete building. In these cases, where voice and SMS may be impractical, Okta Verify with push or one-time password (OTP) are better options because their communication is encrypted over the phone's Internet connection. Hardware devices that generate event-based or time-based one-time passwords (TOTP) do not require a communication channel at all. They are also more difficult to tamper with or copy. However, in addition to the cost of deployment, a physical device adds another item for employees to carry around, leave at home, or lose. As a result, these factor types may not be the best choice for short-term contractors or situations with high worker turnover. When it comes to MFA factors, there are numerous options for solving a wide range of scenarios. Choose what works best for each scenario in your organization, keeping in mind that multiple policies and factors can be used when there isn't (and there rarely is!) a one-size-fits-all solution to accommodate all situations.
In general, these deployment tips ensure both enhanced security and a positive end-user experience:
- Allow users to utilize biometrics as their second factor on hardware that supports it (Windows Hello, Touch ID, etc). This simplifies the end user experience and addresses scenarios where users may not have internet access.
- Make at least two types of factors available to users so that they have one as a backup.
- Allow users to self-reset their factor.
- Begin your deployment by only enabling strong factor types.
Think twice about using SMS for OTP.
SMS is familiar and simple to implement. And, with the prevalence of cell phones and tablets, it's nearly everywhere, and has become a common communications channel for OTP delivery. SMS has generally been assumed to be secure enough for this purpose, but this is due in part to the infrastructure being mostly proprietary and opaque. According to research, SMS security is lacking, and not just in terms of documented vulnerabilities. With SMS, you are entrusting security to telecom companies, and even if you believe they have security best practices in place, there is always the risk of compromise through spoofing and social engineering. In many cases, it is not technically difficult for an attacker to port your number to a device they control and gain access to your SMS messages and OTPs.
SIM Swapping/SIM Hacking
The SIM card in your phone essentially tells your phone which wireless carrier to connect to and which phone number to use. In a SIM swap/SIM hack attack, a threat actor impersonates you and convinces the carrier that they are, in fact, you. Your phone number is then reassigned to a new SIM card in a separate phone.
While SIM swapping/SIM hacking has been an issue for years, this attack type became very publicized in 2019 when Twitter CEO Jack Dorsey's own Twitter account was victimized by a group of vandals who convinced the wireless carrier tied to his phone number to switch that number to a new phone in their possession. Threat actors do not require access to any of your physical devices to get access to your accounts in a SIM swap/SIM hack; once your number has been moved to a device in their control, they can receive any SMS OTP messages associated with your online accounts.
Devices that have been lost or synchronized
You've misplaced your phone: it's inconvenient, but it happens from time to time. But what happens when your phone number is linked to your banking applications, social networking, and other services? In general, multi-factor authentication is defined as the combination of two pieces of evidence that indicate you are who you say you are: a knowledge factor (something you know), an inherent factor (something you are), or a possession factor (something you have). Using a password plus an SMS OTP is a mix of knowledge and possession factors. If you've misplaced your phone, you should no longer be able to receive SMS to authenticate your identity. Yet because messages can now be synced across several devices, even if you lose the device that should be your second factor, you can still access your accounts. This is unsafe when you can forward text messages to your email, which may have an insecure password, or when you use a VoIP number that can be accessed on any device and may or may not have a PIN code.
Taking over your online wireless account
Keep in mind that most prominent wireless providers allow you to read text messages through your online account, which is accessible via their web portal. If your account for the web portal itself is not protected with a second factor, and if you use an easily guessed password that you use with many online accounts, a threat actor could monitor your account for an SMS OTP message that you initiated for a banking app, Facebook, etc., giving them access to those accounts.
Social engineering and phishing
Unfortunately, SMS OTP is not the only type of authentication vulnerable to social engineering and phishing attempts. Less secure elements such as passwords and security questions are also vulnerable. In a social engineering attack, a threat actor poses as an employee of a service you trust and convinces you to hand over your account credentials and, in many situations, the SMS OTP received on your device. For example, if you receive a call from your "bank" informing you that they require immediate access to your account for security reasons, you may inadvertently provide a threat actor with your username/password combination, as well as the SMS OTP code that is sent to your phone during the login process. Phishing attacks are not limited to email. You may also get a phishing text message, and if you unintentionally enter a username/password combination into a malicious website, the threat actor may use one or more of the aforementioned attack techniques to take over your account.
While NIST advises against using SMS for these reasons, you must ultimately make your own risk assessment depending on your users, use cases, and the data being safeguarded. After all, MFA with SMS is still preferable to no MFA at all.
Carefully review compliance standards
Most IT compliance requirements, including PCI DSS, SOX, and HIPAA, require robust user authentication measures, making them plausible motivators for MFA adoption. It may sound obvious, but if you want to fulfill such standards, make sure you have a thorough grasp of the criteria so you can modify settings and policies accordingly. For example, PCI and HIPAA compliance both demand strong authentication, which means at least two of these three factor types: something you know, something you have, and something you are. And, while SOX focuses less on technology, you'll still need to demonstrate that your organization's financial and accounting data is safe in order to pass an audit. IT compliance necessitates the implementation of applicable standards, but it also necessitates the capacity to demonstrate compliance. Make documentation a part of your setup and implementation so that you can quickly and confidently demonstrate compliance in an audit. Your future self (and your organization!) will thank you.
Define a strategy for lost devices.
The second authentication factor type in a typical MFA deployment is "something you have" (the first is "something you know," and the third is "something you are"). The user possesses their phone in the case of SMS, voice, or an authentication app such as Okta Verify or Google Authenticator. In the case of a YubiKey, RSA, or similar hardware token, the user already possesses their token. However, whatever a user owns is subject to loss. A method for dealing with misplaced devices should already be included in your complete IT helpdesk playbook. Extend it to incorporate MFA devices, and guarantee that reporting a missing device results in:
- Expiring any current sessions and prompting the user to re-authenticate
- Disassociating the device from the user's account and access privileges
- Remote erasure of corporate data from mobile devices (if necessary; usually done on company-owned devices)
It is also critical to audit the user account's activity prior to the point in time when the device was lost to identify any anomalous behavior. Consider the risk of a breach and escalate accordingly. Once the immediate security issues have been addressed, attention should move to getting the employee back to work with a new device or login mechanism. For example, phoning the IT helpdesk to satisfy identity verification requirements might allow the employee to be productive while substitute factors are deployed.
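The lost-device steps above (expire sessions, unbind the device, wipe only company-owned hardware, then audit the account's recent activity and escalate on anomalies) map directly onto a helpdesk automation. This is an added example with an in-memory identity store and constructed sample data, not code from the page or from any identity provider it names; the user, device and session names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Session:
    sid: str
    user: str
    active: bool = True


@dataclass(frozen=True)
class LoginEvent:
    user: str
    device_id: str
    at: datetime
    geo: str        # country code of the login's source, as resolved at the time
    success: bool


@dataclass
class Account:
    user: str
    devices: set = field(default_factory=set)        # enrolled MFA devices
    usual_geos: set = field(default_factory=set)     # countries this user normally logs in from
    company_owned: set = field(default_factory=set)  # device ids eligible for remote wipe


@dataclass
class IdentityStore:
    accounts: dict
    sessions: list
    events: list


def handle_lost_device(store, user, device_id, reported_at, lookback=timedelta(hours=24)):
    acct = store.accounts[user]
    # 1. Expire every active session; the user re-authenticates with a remaining factor.
    revoked = []
    for s in store.sessions:
        if s.user == user and s.active:
            s.active = False
            revoked.append(s.sid)
    # 2. Unbind the device so it can no longer satisfy the possession factor.
    acct.devices.discard(device_id)
    # 3. Remote wipe only where policy permits (company-owned hardware).
    wipe = device_id in acct.company_owned
    # 4. Audit activity from that device before the report: failed attempts or unusual locations.
    since = reported_at - lookback
    suspicious = [
        e for e in store.events
        if e.user == user and e.device_id == device_id and since <= e.at <= reported_at
        and (not e.success or e.geo not in acct.usual_geos)
    ]
    return {
        "revoked_sessions": revoked,
        "remaining_devices": sorted(acct.devices),
        "remote_wipe": wipe,
        "suspicious_events": suspicious,
        "escalate": bool(suspicious),  # hand to incident response when anomalies exist
    }


def build_demo_store() -> IdentityStore:
    """Constructed sample data: one user, two devices, a few logins before the loss report."""
    t0 = datetime(2024, 3, 1, 9, 0)
    acct = Account("bob", {"phone-1", "yubikey-1"}, {"US"}, {"phone-1"})
    return IdentityStore(
        accounts={"bob": acct},
        sessions=[Session("s1", "bob"), Session("s2", "bob"), Session("s3", "carol")],
        events=[
            LoginEvent("bob", "phone-1", t0, "US", True),
            LoginEvent("bob", "phone-1", t0 + timedelta(hours=6), "AU", False),
            LoginEvent("bob", "phone-1", t0 + timedelta(hours=7), "AU", True),
            LoginEvent("bob", "yubikey-1", t0 + timedelta(hours=8), "US", True),
        ],
    )
```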
Make a plan to deliver MFA to remote workers.
As more workers work remotely, it is vital that your firm strengthens security. Ideally, new employee onboarding takes place in the office, and current workers have in-person access to IT. However, remote work introduces significant challenges for both deployment and troubleshooting. To solve deployment concerns, it's ideal to include features that allow users to rapidly get up and running, such as built-in device biometrics or mobile app authenticators like Okta Verify.
This eliminates the need for your users to wait for an additional hard token to be supplied to them. This is also where end-user communication is critical: make sure they have the resources they need to get set up and troubleshoot. In the instance of new employee onboarding, some firms will offer virtual onboarding meetings and provide setup instructions to the employee's personal email account before they have access to their corporate email.
Plan your deployment in stages and be prepared to evaluate and revise.
Complex installations and policies rarely fit perfectly the first time. When implementing a process change that will touch all employees, it is always a good idea to track the success of an MFA solution as it is implemented and used, and to be able to adapt policies based on observations. Ideally, you will be able to stagger your rollout so that IT/Security uses MFA first and then expand to other user groups. Becoming familiar with the auditing capabilities early in the process is essential for troubleshooting and modifying policy configuration.

After you've delivered MFA to users, use auditing tools to monitor uptake and usage. A system for reporting user feedback is also an excellent idea. While users may not always take the time to submit written feedback, an audit trail provides some insight into what they encountered. Did it take them three attempts to enter their OTP? Did they give up? Problems like these might suggest a misconfiguration, a gap in user education, or simply a scenario that wasn't foreseen in the initial rollout strategy. Using audit tools and encouraging employee input ensures that the system is functioning properly and that new security rules are being implemented successfully.