What Is Multi-Factor Authentication?
Recent high-profile hacks and data breaches have increased the demand for more stringent security measures over customer data. One such measure is multi-factor authentication (MFA). We review what MFA is, and highlight four best practices for securing your processes from attack.
What Is Multi-Factor Authentication?
Multi-factor authentication (MFA) is, as its name suggests, a layered security approach that consists of multiple authentication elements. Predicted to grow fourfold by 2025, MFA is more secure than single authentication. Why? Because if an attacker learns or guesses a password (single authentication) it is useless. MFA strengthens the single approach by adding in two or more of three types of authentication methods:
Why Do We Need MFA?
We need MFA for the following three reasons:
- Weak passwords: used in 95% of all application attacks. Attackers get in either by brute force – i.e. using software to work through numerical sequences, or by trying weak passwords such as a pet’s name or birthday.
- New methods of assault: keylogging, phishing and pharming are effective ways to gain access to passwords.
- Theft of passwords continue to rise.
What Secondary Authentication Methods Are Available?
We have established that MFA requires a second or ideally a third level of authentication separate to a password. Common methods are:
Biometrics is often seen as the best method of secondary authentication. Unlike a password, you can’t forget your fingertip or face! However, biometrics is not foolproof. Recent examples include photographs or masks fooling facial recognition technology in phones, while taped recordings have overcome voice authentication checks.
Although its use is widespread, sending a verification code via text is the least secure authentication method, according to the US National Institute of Standards and Technology (NIST). The NIST advised that SMS is a poor way to deliver two factor authentication because mobile phone accounts are relatively easy to hack.
Authenticator apps can provide another level of security using a mobile phone or tablet without relying on SMS. The application is installed onto a device which then generates a secret key code. Subsequently, the code is shared with another system, such as a social media or banking platform, via a QR code or key. This link and secret key will be used for all future logins to the application.
Four Best Practices For MFA
No current authentication method is perfect. However, following these four best practices ensure the best possible outcome from multi-factor authentication:
- Use at least two separate channels. Whether that’s password + biometrics, password + authentication app or another combination.
- Conduct identity checks via different channels. This is absolutely critical. Security channels should work in isolation to prove that a login is legitimate. Having a secondary check that is completely separate from the password makes it a lot harder for would-be hackers.
- Use randomly generated codes: a one-time password that is hard to guess increases security.
- Set a limited lifetime. A code that expires in 10 minutes for example reduces the window in which hackers have opportunity to act.
LEAP and MFA: Securing Your Processes
Many processes contain sensitive customer data. As a result, you may be concerned about how safe that information is. At FLOvate, we utilise MFA to give you peace of mind.
Through the use of password + authenticator apps, our LEAP Low-Code platform is able to secure and safeguard against unauthorised access to your customers’ data.
Here’s how it works:
- Login to LEAP as usual via username and password
- Separate system generates but one-time, six-digit password. In order to generate this code, the user will run their authentication app that will independently compute and display a code that is only valid for 30 seconds.
- LEAP runs the same algorithm to generate a code. If these codes match, then the user gains access.
LEAP supports standard authenticator apps including:
- Google Authenticator
- Windows Phone Authenticator
- Duo Mobile
- Authy App
The Future Of MFA
With MFA, knowledge of user credentials such as the username and passwords are not enough to gain to access to a website or application. The attacker also needs knowledge of the secret key or access to the device that runs the authenticator app. These extra layers help to keep data secure.
MFA will continue to rise and be an important solution to keep data access safeguarded. However, it is going to be increasingly important to ensure that we are implementing the best practices discussed above. Authenticator apps are the current best practice, because they are more secure than SMS or one-time passwords and are easier to set up and use, especially in enterprise solutions.