Are your company’s website and applications secure? How about your e-mail system? Are you sure? Businesses of every size need multi-factor authentication, and that includes your small business. Cybercrime rose significantly as companies adopted work-from-home policies during the Covid pandemic, and a number of them are choosing to remain virtual-only even now that the Covid vaccines are making “life as normal” a real possibility.
The problem is that no matter how unpredictable your company or school’s passwords may be, a password alone is a single secret. It can be phished, reused from another site that was breached, recovered from a leaked hash dump, or captured by malware on the user’s machine, and an attacker needs only one of those to succeed. As a result, your business or school could very well fall victim to cybercrime, the most damaging form of which today is ransomware. Two recent high-profile cases: the Colonial Pipeline attack in the energy sector (May 2021), where the attackers got in through a legacy VPN account that had no MFA, and, in June 2021, JBS SA, the largest global meat producer, in the food supply chain.
What is Multi-Factor Authentication?
Multi-factor authentication (MFA) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence, from different categories, to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), inherence (something only the user is), and location (somewhere the user is). Two pieces of evidence from the same category (two passwords, say) do not count as two factors.
MFA protects the user from an unknown person trying to access their data, such as personal ID details or financial assets. If, in an authentication attempt, at least one of the required factors is missing or is supplied incorrectly, the requester’s identity is not established with sufficient certainty and access to the asset being protected by MFA (e.g. a building, website or data) remains blocked, whoever the requester is.
4 Authentication Factors
There are four types of authentication factors used in MFA:
1. Something the user has
Physical objects in the possession of the user, such as a hardware security key or token (often a USB device), a bank card, a key, etc. Today the most common possession factor is the user’s smartphone. When an authenticator app such as Duo Mobile is enrolled on the phone, the phone vouches for its user either when a push notification is approved or when a one-time passcode shown in the app is entered. That passcode is computed from a secret seeded into the phone at enrollment (and held by the authentication server), so only that phone and the server can produce it; it remains a possession factor even though the user types it in.
2. Something the user knows
Knowledge that only the user is supposed to have, such as a password, PIN, TAN (transaction authentication number), etc. Knowledge factors are the most commonly used form of authentication: the user proves knowledge of a secret in order to authenticate. Many secret questions such as “Where were you born?” are poor knowledge factors because the answers are known to a wide group of people or are discoverable through research. Questions that ask the user to verify a past address, a past employer, or the year in which the user secured an auto loan are somewhat better, but even those answers can be found with more extensive research if an unauthorized user wants to gain access. Used as the only authentication method, passwords do not provide enough protection against cybercriminals.
3. Something the user is
Physical characteristics of the user (biometrics), such as a fingerprint, the iris of the eye, the face, or the voice. Behavioral biometrics, such as typing speed and the pattern of intervals between key presses (keystroke dynamics), can also be used. Unlike a password, a biometric cannot be changed if it is compromised, so it is normally paired with another factor rather than used alone.
4. Somewhere the user is
Evidence of where the user is, such as a connection from a specific computing network or a GPS fix on the device. Increasingly, this fourth factor is coming into play in access policies. A typical arrangement: a user connected to the wired corporate network may be allowed to log in with only a PIN, while the same user off the network must also enter a code from a soft token. This is acceptable only where physical access to the office is itself controlled, since the location signal is only as trustworthy as the door. Note that standards such as NIST SP 800-63B recognize only the first three factor types and treat location as a risk signal that adjusts policy rather than as an authentication factor in its own right.
Network access control (NAC) systems work in a similar way: the level of network access granted can be contingent on the specific network to which the user’s device is connected, such as Wi-Fi versus a wired port. This also lets a user move between offices and dynamically receive the same level of network access in each location.
Two-Factor Authentication (2FA) Examples
A good example of two-factor authentication is the withdrawal of money from an ATM. Only the correct combination of a bank card (something the user possesses) and a PIN (something the user knows) allows the transaction to be carried out.
Another example would be Duo Mobile, which is used by a number of colleges and universities to secure their learning management systems, campus management systems, e-mail systems, and other campus-wide technology. Duo Mobile users first enter their password (something they know) at the website or other asset’s log-in area. Then they must either tap/click “Send push,” which sends a push notification to the smartphone registered in Duo Mobile (something they have) for approval, or tap/click “Passcode,” which displays a 6-digit one-time code generated in the Duo Mobile app that must be entered at the log-in area. The passcode is still the possession factor, not a second knowledge factor: it is derived from a secret stored on that particular phone, changes every few seconds, and is not something the user memorizes.
Again, if one of the components is missing or is supplied incorrectly, the user’s log-in attempt will fail and their entry will be blocked.
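The two-factor passcode flow described above (a password as the knowledge factor, a time-based one-time code generated on the phone as the possession factor), as an added example that is not part of the original article and not Duo’s code. It implements the standard algorithm such apps use, RFC 6238 TOTP over RFC 4226 HOTP, so that the phone and the server compute the same code from the same seed; the `Account` class, the `authenticate` function and the sample seed (the RFC 6238 test secret) are constructed for illustration. Note the two practitioner details the prose glosses over: a code is accepted only once (replay protection via the last used time step), and a failed password does not consume a valid code or tell the client which factor failed.

```python
"""Constructed two-factor login: knowledge factor (password) plus possession
factor (RFC 6238 TOTP). Example code, not any vendor's implementation."""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

TOTP_STEP = 30      # RFC 6238 default time step, in seconds
TOTP_DIGITS = 6     # matches the 6-digit passcodes described in the article
PBKDF2_ITERS = 100_000  # kept low so the example runs fast; raise in production


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the current time step as the counter.
    This is what the phone app displays; the server derives the same value
    because it holds the same seed from enrollment."""
    return hotp(secret, unix_time // step)


class Account:
    """Hypothetical server-side record: salted password hash plus the TOTP
    seed provisioned to exactly one phone at enrollment."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ITERS)
        self.totp_secret = totp_secret
        self.last_counter = -1  # highest time step already accepted: blocks replay

    def password_ok(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ITERS)
        return hmac.compare_digest(candidate, self.pw_hash)

    def totp_counter_if_valid(self, code: str, unix_time: int, window: int = 1) -> Optional[int]:
        """Return the time step the code belongs to if it is unused and within
        +/- `window` steps of the server clock (tolerates small clock drift),
        otherwise None."""
        current = unix_time // TOTP_STEP
        for drift in range(-window, window + 1):
            counter = current + drift
            if counter <= self.last_counter:
                continue  # that step (or an older one) was already consumed
            if hmac.compare_digest(hotp(self.totp_secret, counter), code):
                return counter
        return None


def authenticate(acct: Account, password: str, code: str, unix_time: int) -> Tuple[bool, str]:
    """Evaluate both factors before consuming or granting anything. The reason
    string is for server-side logs only; the client should see one generic
    failure message so it cannot learn which factor was wrong."""
    pw_ok = acct.password_ok(password)
    counter = acct.totp_counter_if_valid(code, unix_time)
    if not pw_ok:
        return False, "knowledge factor failed"
    if counter is None:
        return False, "possession factor failed (wrong, expired or reused passcode)"
    acct.last_counter = counter  # consume the time step only on full success
    return True, "both factors verified"


if __name__ == "__main__":
    SEED = b"12345678901234567890"  # RFC 6238 test secret, constructed input
    acct = Account("correct horse battery staple", SEED)
    now = 1111111111                 # RFC 6238 test time; phone shows 050471
    shown = totp(SEED, now)
    print("phone displays:", shown)
    print(authenticate(acct, "correct horse battery staple", shown, now))  # (True, ...)
    print(authenticate(acct, "correct horse battery staple", shown, now))  # replay: (False, ...)
```

The drift window is the usual trade-off: one step either side keeps a phone with a slightly wrong clock working, while `last_counter` guarantees that a code captured in transit is worthless once the legitimate user has used it, and that an attacker cannot present the previous step’s code after the current one has been accepted.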