As instances of hacking and data breaches continue, so does the demand for more stringent security measures from organisations concerned about attacks and the continued protection of their customers’ data.
Multi-factor authentication (MFA) is one type of security measure that is predicted to grow fourfold by 2025. It is a layered security approach that consists of multiple authentication elements. It is more secure than single-factor authentication because if an attacker learns or guesses a password, it is useless without the second or third authentication method. MFA requires two or more of three types of authentication methods:
MFA is needed because:
- Weak or stolen user credentials are used in 95% of all application attacks. These are obtained by brute force or by guessing weak passwords such as a pet’s name or birthday.
- Attackers continue to employ new methods of assault, such as keylogging, phishing and pharming, to obtain passwords.
- Theft of passwords continues to rise.
Discussion of authentication methods.
Biometrics is often seen as the best method of secondary authentication: it cannot be forgotten and is always with you. However, there have been instances of photographs or masks fooling facial recognition technology in phones, and of recordings duping voice recognition. The least secure authentication method, according to the US National Institute of Standards and Technology (NIST), is the sending of a verification code via SMS. NIST advised that SMS is a poor way to deliver two-factor authentication because it is not secure and mobile phone accounts are relatively easy to hack.
Authenticator apps can provide another level of security using a mobile phone or tablet without relying on SMS. The application is installed on a device, which then generates a secret key that is shared with another system, such as a social media or banking platform, via a QR code or a typed key. This link and shared secret are then used for all future logins to that application.
The key to ensuring secure multi-factor authentication is to conduct the identity checks via different channels.
The best practices for MFA are:
- Use at least two separate channels
- Use randomly generated codes, so they can’t be guessed
- Ensure the code has a limited lifetime
LEAP and MFA
The LEAP system uses MFA and authenticator apps to secure and safeguard against unauthorised access to your customers’ data. To log in to the LEAP system, a user provides their username and password and is then required to provide a one-time, six-digit password. To generate this code, the user runs their authenticator app, which independently computes and displays a code that is only valid for 30 seconds. This code is then entered into LEAP, which runs the same algorithm to generate a code. If the two codes match, the user gains access to their LEAP account.
LEAP supports standard authenticator apps including:
- Google Authenticator
- Windows Phone Authenticator
- Duo Mobile
- Authy App
The future of MFA
With MFA, knowledge of user credentials such as the username and password is not enough to gain access to a website or application. The attacker also needs knowledge of the secret key or access to the device that runs the authenticator app. These extra layers help to keep data secure.
MFA adoption will continue to rise, and it will remain an important solution for safeguarding data access. However, it is going to be increasingly important to ensure that we are implementing best practices. Authenticator apps are the current best practice because they are more secure than SMS or one-time passwords and are easier to set up and use, especially in enterprise solutions.