The password - it is arguably the most popular and most common security measure available, and at a lot of times it is also the most vulnerable. In 2016, it was revealed that the leading source of data breaches are hackers and cyber criminals, who are after identity theft. And what is the response of most companies in the event and threat of data breach? It is to change user passwords.
But the password has a lot of shortcomings. For one, passwords do not provide strong enough identity check. Anyone who gets a hold of the password can simply waltz into an account and take what they need. In addition, the security of the account is based solely on the strength of the password, which, as we all know, is usually not strong enough. Nobody likes to remember a string of characters containing uppercase, lowercase, numeric and special characters. Users want something simple, easy to remember and unwittingly, easy to hack.
This is the reason why companies are adopting multi-factor authentication or MFA to supplement the password as a means of access control, or in some cases, as an actual alternative to passwords. But first, what is MFA?
What is Multi-Factor Authentication?
In a 2016 blog post, Petteri Ihalainen wrote a more in-depth article defining what MFA is. To summarize, multi-factor authentication is the process of identifying an online user by validating two or more claims presented by the user, each from a different category of factors. You may have also heard it called by its variant forms like step-up authentication, advanced authentication, 2-step verification and 2-factor authentication.
The three basic elements that can be used in MFA are:
- something the user knows, like a password or pin number;
- something the user has, like a mobile device; and
- something the user is, like a fingerprint, optics or voice.
The principle of MFA is that there is no perfect authentication factor. Any one factor that is implemented will have its strength and weaknesses. The concept of multi-factor authentication is that a second or third factor will compensate for the weakness of the other factor/s and vice-versa.
Now that we have gone over the basics of MFA, let us dive into its benefits.
Benefits of Multi-Factor Authentication
As discussed above, the principle of MFA is that each factor compensates for the weakness of the other factors. For example, authentication factors about “something the user knows”, like passwords and pins, can be susceptible to brute-force (hackers forcing logins) or social engineering attacks. You can supplement it by adding an authentication factor that is not so easily guessed, like “something you have” by authenticating users through their mobile device or through “something you are” like a biometrics factor like fingerprint or voice. Unless the hacker has all of the factors required by the system, they will not be able to access the account.
A Step Towards Compliance
Aside from encryption of data, a lot of compliance standards – federal, state or otherwise – usually specify that organizations need to implement MFA for certain situations. This is especially true when it comes to protecting sensitive data like personally identifiable information (PII) or financial details. This means that implementing MFA is actually a step to take towards compliance.
And even if it does not actually specifically require MFA, it may still be the best step. The Health Insurance Portability and Accountability Act (HIPAA), for example, does not specifically require MFA but there are numerous provisions within the Security Rule subparts that emphasize the need for a strong authentication process. And what strong authentication process do we know? It still goes to MFA.
However, choosing the right authenticators should also be a priority. Last year, the National Institute of Standards and Technology (NIST) actually just updated its guidelines on use of multi-factor authentication. It now states that out-of-band verification methods using PSTN, SMS or voice calls are deprecated due to the risk of SMS or voice calls being susceptible to interception.
This means that you cannot let compliance alone steer your MFA implementation. Do not fall into the trap of “check-box compliance”, thinking that just because you’re meeting the regulation requirements, that you have actually increased security. Make sure that whatever MFA method you use is currently recommended and always have the goal of system and data security in mind, not just compliance.
Simplification of Login Process
You would think that having multiple authentication factors would make logging into accounts more complicated. But the added security given by MFA actually allows companies to use more advanced login options like single sign-on.
Single sign-on works by validating the user through MFA during the login process. Once the user is authenticated, they are logged into their single sign-on software. From there they have access to the covered apps of the single sign-on software without the need to log in for each app separately.
This scenario gives practicality to MFA implementation, as one of the challenges of implementing it is login fatigue. This refers to users getting tired of logging into different accounts and MFA would only add more stress to the users. But combined with single sign-on, a single MFA instance would cover all apps needed by the user.
MFA Is an Essential Component of Cybersecurity
As their number and scope continues to increase, many companies are recognizing the threat of data breaches. It is good that this year, cyber security has become a top priority for many organizations especially with the rise of cloud communications. And to address this concern, the majority of companies are implementing MFA. In fact, the multi-factor authentication (MFA) market is expected to reach USD 12.51 Billion by 2022, at a CAGR of 15.52%. This shows that a lot of organizations think that MFA is, right now, one of the best security measure you can implement to protect your company, users, and sensitive data.
Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign.