What is Multi-Factor Authentication (MFA)?
Simply, it鈥檚 how we log into a computerized system, such as e-mail, an on-line game or our bank. As the name implies, it is a way to authenticate using more than one factor (or ways) to log in. As an example, when you鈥檙e asked for your password, that鈥檚 one factor. There are 6 major factors:
- Knowledge: something you know, like a password or a Personal Identification Number (PIN)
- Possessive: something you have, like an ID card, key fob or a cell phone
- Inherence: something you are, like a fingerprint, retina scan or face scan
- Location: somewhere you are, like your physical location, on the computer network or a specific terminal
- Behavior: something you do, like drawing a pattern over a grid of dots or gestures over a picture
- Time: only during prescribed hours or for a limited duration, like access during office hours, One Time Password (OTP), or codes that expire
Every factor has its strengths and weaknesses, but using more than one helps increase security. So, as an example of MFA would be going to the Automated Teller Machine (ATM) for cash. You need to use your bank card (possessive factor) as well as your PIN (knowledge factor). So the bad guy has to have your bank card and know your PIN. Another example would be, logging into your e-mail with your password (knowledge factor) and then having to enter a number (knowledge factor) into an application on your phone (possessive factor) within 5 minutes (time factor). In this case, the bad guy needs your password, your phone, as well as how to unlock it to use it, and they only have five minutes to do it all.
Although MFA dramatically increases security, users must stay vigilant. Phishing, malware and social engineering may compromise security.
We highly encourage everyone to use MFA whenever possible.
- Two Step Authentication
- 2-Step Verification
- Two Factor Authentication
- 2FA (2 Factor Authentication)
These factors revolve around information you must know. Items like passwords, security questions, PIN codes and the like. This is the most common factor, but it is also the weakest. Since this relies on people remembering the information, it tends to be short, simple and repetitive. When the information is long, complex and/or unique, people resort to writing it down or using it with multiple (or even all) accounts which increases the security risk.
Strengths:
Weaknesses:
- Information can be deduced
- If user provided, it tends to be simple and therefore weak
These factors revolve around you having something in your possession. Common items are ID cards, key fobs and cell phones.
Strengths:
- When implemented well, not too intrusive
Weaknesses:
- Subject to loss and theft
- Item must be available
- When not implemented well, can be cumbersome and time-consuming
These factors revolve around biometric data, information about an individual's physical characteristics. They can include fingerprints, facial scans, voice recognition, and retina scans, among others. When done correctly, they can be one the most secure factors.
Requires expensive specialized equipment.
Strengths:
- When done correctly, one of the most secure factors
Weakness:
- Most expensive
- Less flexibility
- Biometric data can change over time
- Requires knowledgeable
- When done wrong, one of the easiest factors to exploit
These factors revolve around being in and around certain places. Either a physical location (geolocation), on a certain network or using a specific computer.
Strengths:
- Little or no input required from the user
Weaknesses:
- Requires special software and expertise
- Usually used by large organizations due to the need managing the resources required
These factors revolve around behavior patterns of an individual. This could include analyzing a person's handwriting, analyzing a person's typing pattern/speed, finger pressure, signature, voice, gestures, walking speed, and swiping characteristics.
Strengths:
- Offers a sophisticated way to authenticate users
Weaknesses:
- Need for special software, hardware and expertise
- Behavior factors can change over time or may be affected by age, health, and or injury
- May require frequent updates
As the name implies, these factors revolve around time. This could be time when access is allowed, when something is not allowed and/or even limited actions (such as one time).
Strengths:
- This doesn鈥檛 require anything from the user
- May limit the time when a system is vulnerable
Weaknesses:
- Reduces flexibility
- All changes must be planned out and coordinated ahead of time
- Doesn鈥檛 account for emergencies
