What is multifactor authentication?
What is multifactor authentication and when is it appropriate to use it
Protecting an account with a single factor, a complex password, stopped being reliable about two decades ago. Users are therefore advised to add further protection factors, and today they can choose the option that best fits their needs, price and quality.
The pandemic has also left its mark on many areas of life: remote work has become the norm, first as the favorite format of IT companies, and now of web and marketing studios, educational resources, call centers and other businesses where 80-90% of tasks are done on computers. The catch is that the home PCs on which employees most often continue to work remotely need the same protection as corporate devices, where the appropriate software can be installed.
To prevent leaks of corporate information, IT corporations such as Google and Facebook long ago made it mandatory for members of the organization to enable multi-factor authentication (MFA), specifically with hardware tokens. Why not follow their example?
In this article we look at what multifactor authentication is, how it works, its advantages and disadvantages, and the options for enabling it.
Definition of MFA
Multi-factor authentication is an extended verification that an account belongs to the user, involving more than one factor. The factors are:
- knowledge factor: information known to the subject, such as a PIN code, password, control word or answer to a secret question;
- possession factor: a thing owned by the user, such as a phone, tablet, PC, security token or smart card;
- inherence (property) factor: biological characteristics of the subject, such as a fingerprint or palm, iris, voice or face.
The term multifactor authentication (MFA) is often used to mean two-factor authentication (2FA), which is not a mistake, since two-factor authentication is simply MFA with exactly two factors.
The advantages of multifactor authentication come down to cybersecurity:
- additional protection against unauthorized access to confidential or corporate information;
- safe conduct of banking operations;
- confidence in data security on servers.
The main disadvantage of MFA is the difficulty of use for untrained users. Many simply do not understand why they should use multifactor authentication (we will return to this question a little later). As a result, unfortunately, adoption of this security method currently stands at around 10%.
How multifactor authentication works
Multifactor authentication works as follows: when the user logs in to an operating system or any account, the service requests confirmation of identity using additional factors available to the user.
Examples of multifactor authentication:
- confirmation of identity with a one-time password (OTP), which the service can deliver to the user in several ways: via SMS, e-mail, an application, or a token;
- performing an action on an additional device: pressing a confirmation button, entering a code, speaking a phrase, connecting a USB key, scanning a fingerprint.
Different platforms support different types of multifactor authentication. As a rule, after logging in to the account, they can be selected and configured in the “Security” tab.
When it is appropriate to use multi-factor authentication
As we mentioned at the beginning of the article, IT companies have long used multifactor authentication not only as a recommendation but as a mandatory measure for remote workers. However, we want to pay special attention to the cases where MFA is necessary for business, especially when remote employees need to connect to a workstation via RDP (Remote Desktop Protocol, as implemented by Microsoft Remote Desktop) or via similar tools such as VNC, TeamViewer and other programs.
After all, if attackers get access to the administrator’s account, they can do serious harm:
- send mass e-mails to your contact database on behalf of your organization;
- steal developments, strategic plans and other intellectual property and sell them to competitors;
- encrypt all the company’s files in order to demand a ransom later.
To protect access via RDP, we recommend the following:
- Close RDP access to external IP addresses, leaving the connection option only for employees’ IP addresses. For the dynamic IP addresses of home networks, “white lists” can be created by subnet.
- An additional level of protection is provided by multifactor authentication for RDP, or for all employees logging into accounts from other devices.
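Whether the subnet allow list is actually enforced is something a defender can check from the gateway or firewall logs. The following added example (not the article's code) parses a constructed sample of connection log lines, flags every RDP connection (port 3389) whose source address falls outside the allowed subnets, and counts attempts per offending source so that repeated failures from one address stand out. The log format, the subnets 203.0.113.0/24 and 198.51.100.64/26, and the addresses in the sample are all invented for the example; a real deployment would adapt the regular expression to its own log format.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional, Union

# Constructed allow list: the subnets remote employees are expected to connect from.
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.64/26")]

RDP_PORT = 3389

# Constructed sample of gateway log lines (not real traffic).
SAMPLE_LOG = """\
2024-05-01T08:01:12Z src=203.0.113.17 dst=10.0.0.5 dport=3389 user=alice result=success
2024-05-01T08:02:45Z src=198.51.100.70 dst=10.0.0.5 dport=3389 user=bob result=success
2024-05-01T08:03:10Z src=192.0.2.200 dst=10.0.0.5 dport=3389 user=administrator result=failure
2024-05-01T08:03:11Z src=192.0.2.200 dst=10.0.0.5 dport=3389 user=administrator result=failure
2024-05-01T08:03:12Z src=192.0.2.200 dst=10.0.0.5 dport=3389 user=administrator result=failure
2024-05-01T08:04:00Z src=203.0.113.99 dst=10.0.0.5 dport=22 user=carol result=success
2024-05-01T08:05:30Z src=198.51.100.10 dst=10.0.0.5 dport=3389 user=dave result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$"
)

IPish = Union[str, ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_line(line: str) -> Optional[dict]:
    """Turn one log line into a record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def is_allowed(src: IPish, allowed=ALLOWED_SOURCES) -> bool:
    """True if the source address lies inside any allowed subnet."""
    addr = ipaddress.ip_address(src) if isinstance(src, str) else src
    return any(addr in net for net in allowed)


def rdp_from_outside(log_text: str, allowed=ALLOWED_SOURCES) -> List[dict]:
    """Every RDP connection record whose source is not on the allow list.
    Successful connections are included too: they prove the filter is not in place."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dport"] == RDP_PORT and not is_allowed(rec["src"], allowed):
            hits.append(rec)
    return hits


def offenders(log_text: str, allowed=ALLOWED_SOURCES) -> Dict[str, int]:
    """Number of out-of-policy RDP attempts per source address, for reporting."""
    return dict(Counter(str(r["src"]) for r in rdp_from_outside(log_text, allowed)))


if __name__ == "__main__":
    for rec in rdp_from_outside(SAMPLE_LOG):
        print(f"{rec['ts']} RDP from outside allow list: {rec['src']} "
              f"user={rec['user']} result={rec['result']}")
    print("attempts per source:", offenders(SAMPLE_LOG))
```

In the sample, 198.51.100.10 is flagged even though 198.51.100.70 is allowed, because only the .64/26 part of that range is on the list; when home subnets are allow-listed, the mask has to be chosen deliberately so that neighbours on the same provider network are not let in by accident.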
The feasibility of using multi-factor authentication can also be seen in the following table:
| Degree of risk | Example of use | Authentication methods |
| --- | --- | --- |
| Low: a breach causes only minor damage | A new registration on a website by an individual user | A complex, reusable password is enough |
| Medium: password theft causes noticeable but not critical damage | Use of online banking, or of online-store accounts tied to bank cards | Additional protection in the form of two-step or two-factor authentication is required |
| High: information leakage can have colossal negative consequences | Large interbank operations conducted by financiers | Multi-factor authentication is required |
Reliability of multifactor authentication
Unfortunately, multifactor authentication is not 100% secure in all cases; much depends on the chosen authentication methods and on keeping the primary password safe.
We covered how to protect your password from theft last time. Now we discuss the reliability and convenience of the additional authentication methods:
- SMS and e-mail passwords can be intercepted; they are also not very convenient if the code has to be entered on the same device that received the message, and in any case not all users cope well with switching between tabs;
- a voice call to a mobile phone is not very reliable, as criminals can order a duplicate SIM card and receive the calls on it; besides, an unexpectedly loud ring may be disruptive when logging in at work, in a co-working space or at home at night, or, conversely, the voice notification may not be heard in a noisy place;
- applications that generate one-time passwords (OTP) every 30 seconds are a reliable factor, but they work correctly only when connected to the network; if you are connected to a shared Wi-Fi network, the reliability of the method is in doubt;
- the “Yes, it’s me” confirmation button will not help if the device is lost;
- tokens or hardware security keys are reliable provided you use a certified product; unlike other authentication methods they are also more convenient to use, especially if you choose a good manufacturer, for example YubiKey;
- biometric factors are reliable provided the devices work autonomously and do not send biometric data to a server, or send it only in encrypted form; otherwise it can be stolen, just like passwords.
Each of the listed factors requires competent use. As a rule, you need to protect both your passwords and the devices used for verification.
The exception is YubiKey hardware security keys, manufactured in Sweden and the USA and already supported by thousands of services. Even if stolen, they cannot be used by criminals, especially the new YubiKey Bio, a FIDO key with a fingerprint scanner. It is no accident that YubiKey keys are preferred by users in 160 countries!
To learn more about YubiKey security keys and their capabilities, contact our managers.